OpenBSD Archive openbsd user - security-announce

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Damien Miller-4
Reply | Threaded
Open this post in threaded view
|

OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

Damien Miller-4

A number of exploitable flaws in OpenSSL's ASN.1 handling code have been
found. These errors permit denial-of-service (crashing) of applications
that use OpenSSL's libcrypto to parse or print ASN.1 objects.

The vulnerabilities have been designated CVE-2009-0590 and CVE-2009-0789
and are described in more detail in OpenSSL's security advisory:

    http://www.openssl.org/news/secadv_20090325.txt

Please note that the other, more serious issue described in the OpenSSL
advisory "Incorrect Error Checking During CMS verification" does not
affect OpenBSD as we have not enabled the offending code.

Source code patches are available for OpenBSD 4.3, 4.4 and 4.5. OpenBSD
-current has been updated to OpenSSL 0.9.8k, which is not vulnerable.

Patch for OpenBSD 4.5:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Patch for OpenBSD 4.4:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/012_openssl.patch

Patch for OpenBSD 4.3:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/012_openssl.patch

These patches are also available in the OPENBSD_4_5, OPENBSD_4_4 and
OPENBSD_4_3 patch branches.


Damien Miller
Reply | Threaded
Open this post in threaded view
|

Correction: OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 invalid memory access

Damien Miller
On Wed, 8 Apr 2009, Damien Miller wrote:

> Patch for OpenBSD 4.5:
>     ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/002_openssl.patch

Correction, this should be:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.5/common/001_openssl.patch

Free forum by Nabble Edit this page