OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

Damien Miller-4

Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connection that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.

This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:

  http://www.openssl.org/news/secadv_20090107.txt

Source code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j

Patch for OpenBSD 4.3:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

Patch for OpenBSD 4.4:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.