OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

Damien Miller-4

Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connection that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:


Source code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j

Patch for OpenBSD 4.3:

Patch for OpenBSD 4.4:

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.