FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- Multiple problems in crypto(3)

Affected packages
openssl < 0.9.7l_0
0.9.8 < openssl < 0.9.8d_0
Affected systems
6.1 < FreeBSD < 6.1_9
6.0 < FreeBSD < 6.0_14
5.5 < FreeBSD < 5.5_7
5.4 < FreeBSD < 5.4_21
5.3 < FreeBSD < 5.3_36
4.11 < FreeBSD < 4.11_24

Details

VuXML ID 0f37d765-c5d4-11db-9f82-000e0c2e438a
Discovery 2006-09-28
Entry 2007-02-26

Problem Description:

Several problems have been found in OpenSSL:

In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used.

Impact:

Servers that parse ASN.1 data from untrusted sources may be vulnerable to a denial-of-service attack.

An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.

A malicious SSL server can cause clients connecting using SSL version 2 to crash.

Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack.
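As an added example (not part of this VuXML entry, the FreeBSD advisory, or OpenSSL's own code), the following Python shows the two defensive checks that the description and impact above point at: bounding every length field while parsing DER/ASN.1 received from an untrusted peer, and validating the size of an RSA public key before performing any operation with it. The DER encoder helpers, the constructed sample keys, the policy limits (1024 to 8192 bits) and all function names are assumptions made here for the example; only the Python standard library is used.

```python
"""Added example: bounded DER parsing and RSA key-size validation.

Not code from the VuXML entry, FreeBSD or OpenSSL. Policy limits and
sample inputs below are constructed for this example.
"""

MAX_DER_LEN_BYTES = 4   # refuse length-of-length wider than 4 octets (assumed policy)
RSA_MIN_BITS = 1024     # assumed policy floor
RSA_MAX_BITS = 8192     # assumed policy ceiling


def der_read_tlv(data: bytes, offset: int = 0):
    """Read one DER Tag-Length-Value at `offset`; return (tag, value, next_offset).

    Raises ValueError on anything a parser of untrusted input must reject:
    truncated header, indefinite length, oversized length-of-length,
    non-minimal length encoding, or a length that runs past the buffer.
    """
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:                       # short form
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length not allowed in DER")
    else:                                  # long form: 0x80 | n, then n octets
        n = first & 0x7F
        if n > MAX_DER_LEN_BYTES:
            raise ValueError(f"length-of-length {n} exceeds {MAX_DER_LEN_BYTES}")
        if pos + n > len(data):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(data):           # the bounds check that prevents over-reads
        raise ValueError("declared length runs past end of input")
    return tag, data[pos:pos + length], pos + length


def rsa_public_key_bits(der: bytes, min_bits=RSA_MIN_BITS, max_bits=RSA_MAX_BITS) -> int:
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    and return the modulus bit length, rejecting keys outside [min_bits, max_bits].
    Doing this before any RSA arithmetic is the validation the advisory says
    many applications skip."""
    tag, body, end = der_read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = der_read_tlv(body)
    tag_e, e_bytes, pos = der_read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs")
    if not n_bytes or (n_bytes[0] & 0x80):
        raise ValueError("modulus must be a positive INTEGER")
    bits = int.from_bytes(n_bytes, "big").bit_length()
    if not (min_bits <= bits <= max_bits):
        raise ValueError(f"RSA modulus of {bits} bits outside policy [{min_bits}, {max_bits}]")
    return bits


def check_public_key(der: bytes):
    """Policy wrapper returning (accepted, detail) instead of raising."""
    try:
        return True, f"accepted: {rsa_public_key_bits(der)}-bit RSA modulus"
    except ValueError as exc:
        return False, f"rejected: {exc}"


# --- DER encoder helpers used only to construct sample inputs ---------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_integer(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                # keep the INTEGER positive
    return b"\x02" + _der_len(len(raw)) + raw


def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


# Constructed samples: not real RSA moduli, only their sizes matter here.
SAMPLE_2048 = der_sequence(der_integer((1 << 2047) | 1), der_integer(65537))
SAMPLE_16384 = der_sequence(der_integer((1 << 16383) | 1), der_integer(65537))
# Constructed malformed input: a SEQUENCE claiming 0xFFFFFF bytes with only 3 present.
TRUNCATED = b"\x30\x83\xff\xff\xff\x02\x01\x03"

if __name__ == "__main__":
    for name, blob in (("2048-bit", SAMPLE_2048), ("16384-bit", SAMPLE_16384), ("truncated", TRUNCATED)):
        print(name, check_public_key(blob))
```

The size policy rejects the oversized key before any modular arithmetic is attempted, which is the cheap check against the key-length denial-of-service case; the truncated SEQUENCE is rejected by the length bounds check rather than by an out-of-range read, which is the ASN.1 parsing case.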

Workaround:

No workaround is available, but not all of the vulnerabilities mentioned affect all applications.

References

CVE Name CVE-2006-2937
CVE Name CVE-2006-2938
CVE Name CVE-2006-2940
CVE Name CVE-2006-3738
CVE Name CVE-2006-4343
FreeBSD Advisory SA-06:23.openssl