Search...

Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)

2005-07-13T00:00:00

ID SLACKWARE_SSA_2004-077-01.NASL
Type nessus
Reporter Tenable
Modified 2018-08-09T00:00:00

Description

Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Slackware Security Advisory 2004-077-01. The text 
# itself is copyright (C) Slackware Linux, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18785);
  script_version("1.13");
  script_cvs_date("Date: 2018/08/09 17:06:37");

  script_cve_id("CVE-2004-0079", "CVE-2004-0112");
  script_xref(name:"SSA", value:"2004-077-01");

  script_name(english:"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)");
  script_summary(english:"Checks for updated packages in /var/log/packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Slackware host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,
and -current. These fix two potential denial-of-service issues in
earlier versions of OpenSSL. We recommend sites that use OpenSSL
upgrade to the fixed packages right away."
  );
  # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1077dcbe"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected openssl and / or openssl-solibs packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:openssl-solibs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Slackware Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("slackware.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" &gt;!&lt; cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);


flag = 0;
if (slackware_check(osver:"8.1", pkgname:"openssl", pkgver:"0.9.6m", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"8.1", pkgname:"openssl-solibs", pkgver:"0.9.6m", pkgarch:"i386", pkgnum:"1")) flag++;

if (slackware_check(osver:"9.0", pkgname:"openssl", pkgver:"0.9.7d", pkgarch:"i386", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.0", pkgname:"openssl-solibs", pkgver:"0.9.7d", pkgarch:"i386", pkgnum:"1")) flag++;

if (slackware_check(osver:"9.1", pkgname:"openssl", pkgver:"0.9.7d", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"9.1", pkgname:"openssl-solibs", pkgver:"0.9.7d", pkgarch:"i486", pkgnum:"1")) flag++;

if (slackware_check(osver:"current", pkgname:"openssl", pkgver:"0.9.7d", pkgarch:"i486", pkgnum:"1")) flag++;
if (slackware_check(osver:"current", pkgname:"openssl-solibs", pkgver:"0.9.7d", pkgarch:"i486", pkgnum:"1")) flag++;


if (flag)
{
  if (report_verbosity &gt; 0) security_warning(port:0, extra:slackware_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

JSON Vulners Source

Initial Source

{"id": "SLACKWARE_SSA_2004-077-01.NASL", "bulletinFamily": "scanner", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "published": "2005-07-13T00:00:00", "modified": "2018-08-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "reporter": "Tenable", "references": ["http://www.nessus.org/u?1077dcbe"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "type": "nessus", "lastseen": "2019-02-21T01:08:38", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "edition": 1, "enchantments": {}, "hash": "29896a8c33b3b612915de37146a69aeff940b65607e85d009e14192afbf6666b", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a36210b4fd79daa48b126fbe6c9467fa", "key": "description"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}, {"hash": "fc68aa43d631a094d45eb5e59cb4cbcc", "key": "sourceData"}, {"hash": "97ea87d6e8ef74740a53e944a5d5c86d", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2016-09-26T17:23:10", "modified": "2013-06-01T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.2", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2013/06/01 00:36:12 $\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_osvdb_id(4317);\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:10"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "edition": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "e11cf00ede7a9097195c7f613a15daadd2b4499ecc66cda26783fc7cc99ce483", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a36210b4fd79daa48b126fbe6c9467fa", "key": "description"}, {"hash": "fcdd6cda47ea34104e7d6474da64f4c6", "key": "sourceData"}, {"hash": "aae38b58d764d257281e310edb15f1af", "key": "cpe"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "a03d359fb0b4e439f50091cee1f89df6", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2018-08-10T16:55:09", "modified": "2018-08-09T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.3", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/09 17:06:37\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-10T16:55:09"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-01-16T20:06:11", "references": [{"idList": ["VU:465542", "VU:288574", "VU:484726"], "type": "cert"}, {"idList": ["CVE-2004-0112", "CVE-2004-0079"], "type": "cve"}, {"idList": ["RHSA-2005:829", "RHSA-2005:830", "RHSA-2004:120"], "type": "redhat"}, {"idList": ["SSA-2004-077-01"], "type": "slackware"}, {"idList": ["DEBIAN:DSA-465-1:89280"], "type": "debian"}, {"idList": ["OSVDB:4317", "OSVDB:4316"], "type": "osvdb"}, {"idList": ["ELSA-2015-3022"], "type": "oraclelinux"}, {"idList": ["HPUX_PHSS_30641.NASL", "GENTOO_GLSA-200403-03.NASL", "HPUX_PHSS_30642.NASL", "OPENSSL_0_9_6M_0_9_7D.NASL", "MANDRAKE_MDKSA-2004-023.NASL", "OPENSSL_DENIAL.NASL", "REDHAT-RHSA-2004-120.NASL", "SUSE_SA_2004_007.NASL", "HPUX_PHSS_30646.NASL", "HPUX_PHSS_30645.NASL"], "type": "nessus"}, {"idList": ["SUSE-SA:2004:007"], "type": "suse"}, {"idList": ["OPENVAS:52470", "OPENVAS:53942", "OPENVAS:52647", "OPENVAS:1361412562310835158", "OPENVAS:1361412562310835044", "OPENVAS:54528", "OPENVAS:53162", "OPENVAS:835044", "OPENVAS:136141256231053942", "OPENVAS:835158"], "type": "openvas"}, {"idList": ["68233CBA-7774-11D8-89ED-0020ED76EF5A"], "type": "freebsd"}, {"idList": ["F5:K3082"], "type": "f5"}, {"idList": ["SECURITYVULNS:DOC:5919", "SECURITYVULNS:DOC:5915"], "type": "securityvulns"}, {"idList": ["GLSA-200403-03"], "type": "gentoo"}, {"idList": ["CESA-2005:829-00", "CESA-2005:830"], "type": "centos"}, {"idList": ["CISCO-SA-20040317-OPENSSL"], "type": "cisco"}, {"idList": ["OPENSSL:CVE-2004-0112", "OPENSSL:CVE-2004-0079"], "type": "openssl"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "246bb9b07f9bb58ed73e3a35f404ee41a2161df4f0ce2e5b305010860b56f495", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "fcdd6cda47ea34104e7d6474da64f4c6", "key": "sourceData"}, {"hash": "aae38b58d764d257281e310edb15f1af", "key": "cpe"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "ffcd466bd8282545acccdcbd91a7e858", "key": "description"}, {"hash": "a03d359fb0b4e439f50091cee1f89df6", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2019-01-16T20:06:11", "modified": "2018-08-09T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.3", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/09 17:06:37\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 6, "lastseen": "2019-01-16T20:06:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "edition": 4, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "a04d0a2ffe4f73cd44cd8e468e52c8a0d67e0186c412a7b71327be3c83b4ebfc", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a36210b4fd79daa48b126fbe6c9467fa", "key": "description"}, {"hash": "fcdd6cda47ea34104e7d6474da64f4c6", "key": "sourceData"}, {"hash": "aae38b58d764d257281e310edb15f1af", "key": "cpe"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "a03d359fb0b4e439f50091cee1f89df6", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2018-08-30T19:30:35", "modified": "2018-08-09T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.3", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/09 17:06:37\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:30:35"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "edition": 5, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "e11cf00ede7a9097195c7f613a15daadd2b4499ecc66cda26783fc7cc99ce483", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a36210b4fd79daa48b126fbe6c9467fa", "key": "description"}, {"hash": "fcdd6cda47ea34104e7d6474da64f4c6", "key": "sourceData"}, {"hash": "aae38b58d764d257281e310edb15f1af", "key": "cpe"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "a03d359fb0b4e439f50091cee1f89df6", "key": "modified"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2018-09-01T23:33:32", "modified": "2018-08-09T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.3", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/09 17:06:37\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 5, "lastseen": "2018-09-01T23:33:32"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "cvelist": ["CVE-2004-0112", "CVE-2004-0079"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1, and -current. These fix two potential denial-of-service issues in earlier versions of OpenSSL. We recommend sites that use OpenSSL upgrade to the fixed packages right away.", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "77dc746ff0e16938ceb169992ada9e7b421aaded57708aea61ded63b8052707f", "hashmap": [{"hash": "a36fc60d3f93118ff6668ebaa23af071", "key": "href"}, {"hash": "03c9fc75a218b690c14254c31707d0a4", "key": "title"}, {"hash": "19ffbc1010d8b48f47834c6ca8a21b0f", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9024ab754ee339f101e22cbcc0c75129", "key": "published"}, {"hash": "a36210b4fd79daa48b126fbe6c9467fa", "key": "description"}, {"hash": "aae38b58d764d257281e310edb15f1af", "key": "cpe"}, {"hash": "ba01738f996a524bd59e9a05c929ac06", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "fa8a21381a981c73e6deec065ed81f29", "key": "references"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "43a3ec56ec636b53af6d97a47899295c", "key": "naslFamily"}, {"hash": "fc68aa43d631a094d45eb5e59cb4cbcc", "key": "sourceData"}, {"hash": "97ea87d6e8ef74740a53e944a5d5c86d", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=18785", "id": "SLACKWARE_SSA_2004-077-01.NASL", "lastseen": "2017-10-29T13:33:25", "modified": "2013-06-01T00:00:00", "naslFamily": "Slackware Local Security Checks", "objectVersion": "1.3", "pluginID": "18785", "published": "2005-07-13T00:00:00", "references": ["http://www.nessus.org/u?1077dcbe"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2013/06/01 00:36:12 $\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_osvdb_id(4317);\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:33:25"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "aae38b58d764d257281e310edb15f1af"}, {"key": "cvelist", "hash": "19ffbc1010d8b48f47834c6ca8a21b0f"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "a36210b4fd79daa48b126fbe6c9467fa"}, {"key": "href", "hash": "a36fc60d3f93118ff6668ebaa23af071"}, {"key": "modified", "hash": "a03d359fb0b4e439f50091cee1f89df6"}, {"key": "naslFamily", "hash": "43a3ec56ec636b53af6d97a47899295c"}, {"key": "pluginID", "hash": "ba01738f996a524bd59e9a05c929ac06"}, {"key": "published", "hash": "9024ab754ee339f101e22cbcc0c75129"}, {"key": "references", "hash": "fa8a21381a981c73e6deec065ed81f29"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "fcdd6cda47ea34104e7d6474da64f4c6"}, {"key": "title", "hash": "03c9fc75a218b690c14254c31707d0a4"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e11cf00ede7a9097195c7f613a15daadd2b4499ecc66cda26783fc7cc99ce483", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0079", "CVE-2004-0112"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2004-0112", "OPENSSL:CVE-2004-0079"]}, {"type": "nessus", "idList": ["MANDRAKE_MDKSA-2004-023.NASL", "OPENSSL_0_9_6M_0_9_7D.NASL", "SUSE_SA_2004_007.NASL", "GENTOO_GLSA-200403-03.NASL", "OPENSSL_DENIAL.NASL", "REDHAT-RHSA-2004-120.NASL", "HPUX_PHSS_30642.NASL", "HPUX_PHSS_30639.NASL", "HPUX_PHSS_30648.NASL", "HPUX_PHSS_30643.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231053942", "OPENVAS:53942", "OPENVAS:835158", "OPENVAS:1361412562310835158", "OPENVAS:54528", "OPENVAS:52647", "OPENVAS:52470", "OPENVAS:835044", "OPENVAS:1361412562310835044", "OPENVAS:53162"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:5915", "SECURITYVULNS:DOC:5919"]}, {"type": "slackware", "idList": ["SSA-2004-077-01"]}, {"type": "cisco", "idList": ["CISCO-SA-20040317-OPENSSL"]}, {"type": "f5", "idList": ["F5:K3082"]}, {"type": "cert", "idList": ["VU:465542", "VU:288574", "VU:484726"]}, {"type": "gentoo", "idList": ["GLSA-200403-03"]}, {"type": "redhat", "idList": ["RHSA-2004:120", "RHSA-2005:830", "RHSA-2005:829"]}, {"type": "suse", "idList": ["SUSE-SA:2004:007"]}, {"type": "freebsd", "idList": ["68233CBA-7774-11D8-89ED-0020ED76EF5A"]}, {"type": "osvdb", "idList": ["OSVDB:4316", "OSVDB:4317"]}, {"type": "centos", "idList": ["CESA-2005:829-00", "CESA-2005:830"]}, {"type": "debian", "idList": ["DEBIAN:DSA-465-1:89280"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-3022", "ELSA-2019-4581", "ELSA-2019-4747"]}], "modified": "2019-02-21T01:08:38"}, "score": {"value": 5.6, "vector": "NONE", "modified": "2019-02-21T01:08:38"}, "vulnersScore": 5.6}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2004-077-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18785);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/08/09 17:06:37\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"SSA\", value:\"2004-077-01\");\n\n script_name(english:\"Slackware 8.1 / 9.0 / 9.1 / current : OpenSSL security update (SSA:2004-077-01)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0, 9.1,\nand -current. These fix two potential denial-of-service issues in\nearlier versions of OpenSSL. We recommend sites that use OpenSSL\nupgrade to the fixed packages right away.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1077dcbe\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected openssl and / or openssl-solibs packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:openssl-solibs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"8.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.6m\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.0\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i386\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"9.1\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"openssl\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", pkgname:\"openssl-solibs\", pkgver:\"0.9.7d\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Slackware Local Security Checks", "pluginID": "18785", "cpe": ["cpe:/o:slackware:slackware_linux:8.1", "p-cpe:/a:slackware:slackware_linux:openssl", "cpe:/o:slackware:slackware_linux:9.0", "p-cpe:/a:slackware:slackware_linux:openssl-solibs", "cpe:/o:slackware:slackware_linux:9.1", "cpe:/o:slackware:slackware_linux"], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:08:02", "bulletinFamily": "NVD", "description": "The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.", "modified": "2018-10-30T16:26:00", "id": "CVE-2004-0079", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0079", "published": "2004-11-23T05:00:00", "title": "CVE-2004-0079", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:08:02", "bulletinFamily": "NVD", "description": "The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.", "modified": "2018-10-30T16:26:00", "id": "CVE-2004-0112", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0112", "published": "2004-11-23T05:00:00", "title": "CVE-2004-0112", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openssl": [{"lastseen": "2016-09-26T17:22:35", "bulletinFamily": "software", "description": "The Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause a crash. Reported by OpenSSL group.", "modified": "2004-03-17T00:00:00", "published": "2004-03-17T00:00:00", "id": "OPENSSL:CVE-2004-0079", "href": "https://www.openssl.org/news/vulnerabilities.html", "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2004-0079)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:22:35", "bulletinFamily": "software", "description": "A flaw in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected. Reported by OpenSSL group (Stephen Henson).", "modified": "2004-03-17T00:00:00", "published": "2004-03-17T00:00:00", "id": "OPENSSL:CVE-2004-0112", "href": "https://www.openssl.org/news/vulnerabilities.html", "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2004-0112)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:29", "bulletinFamily": "scanner", "description": "According to its banner, the remote server is running a version of OpenSSL that is earlier than 0.9.6m or 0.9.7d. \n\nA remote attacker can crash the server by sending an overly long Kerberos ticket or a crafted SSL/TLS handshake.", "modified": "2018-11-15T00:00:00", "id": "OPENSSL_0_9_6M_0_9_7D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17750", "published": "2012-01-04T00:00:00", "title": "OpenSSL < 0.9.6m / 0.9.7d Denial of Service", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17750);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_bugtraq_id(9899);\n script_xref(name:\"CERT\", value:\"484726\");\n\n script_name(english:\"OpenSSL < 0.9.6m / 0.9.7d Denial of Service\");\n script_summary(english:\"Does a banner check\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote server is vulnerable to a denial of service attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote server is running a version of \nOpenSSL that is earlier than 0.9.6m or 0.9.7d. \n\nA remote attacker can crash the server by sending an overly long\nKerberos ticket or a crafted SSL/TLS handshake.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.us-cert.gov/ncas/alerts/ta04-078a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20040317.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://marc.info/?l=bugtraq&m=107953412903636&w=2\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to OpenSSL 0.9.6m / 0.9.7d or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"openssl_version.nasl\");\n script_require_keys(\"openssl/port\");\n\n exit(0);\n}\n\ninclude(\"openssl_version.inc\");\n\nopenssl_check_version(fixed:make_list('0.9.6m', '0.9.7d'), severity:SECURITY_WARNING);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:07:57", "bulletinFamily": "scanner", "description": "The remote host is missing the patch for the advisory SuSE-SA:2004:007 (openssl).\n\n\nOpenSSL is an implementation of the Secure Socket Layer (SSL v2/3) and Transport Layer Security (TLS v1) protocol.\nThe NISCC informed us about to failure conditions in openssl that can be triggered to crash applications that use the openssl library.\nThe first bug occurs during SSL/TLS handshake in the function do_change_cipher_spec() due to a NULL pointer assignment.\nThe second bug affects openssl version 0.9.7* only with Kerberos cipher suite enabled and can be triggered during SSL/TLS handshake too.\n\nPlease download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply the update.", "modified": "2016-12-27T00:00:00", "id": "SUSE_SA_2004_007.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=13825", "published": "2004-07-25T00:00:00", "title": "SuSE-SA:2004:007: openssl", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SuSE-SA:2004:007\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13825);\n script_version (\"$Revision: 1.11 $\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n \n name[\"english\"] = \"SuSE-SA:2004:007: openssl\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SuSE-SA:2004:007 (openssl).\n\n\nOpenSSL is an implementation of the Secure Socket Layer (SSL v2/3)\nand Transport Layer Security (TLS v1) protocol.\nThe NISCC informed us about to failure conditions in openssl\nthat can be triggered to crash applications that use the openssl\nlibrary.\nThe first bug occurs during SSL/TLS handshake in the function\ndo_change_cipher_spec() due to a NULL pointer assignment.\nThe second bug affects openssl version 0.9.7* only with Kerberos\ncipher suite enabled and can be triggered during SSL/TLS handshake too.\n\nPlease download the update package for your distribution and verify its\nintegrity by the methods listed in section 3) of this announcement.\nThen, install the package using the command 'rpm -Fhv file.rpm' to apply\nthe update.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/2004_07_openssl.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/25\");\n script_cvs_date(\"$Date: 2016/12/27 20:14:32 $\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the openssl package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"openssl-0.9.6c-87\", release:\"SUSE8.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-devel-0.9.6c-87\", release:\"SUSE8.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-0.9.6g-114\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-devel-0.9.6g-114\", release:\"SUSE8.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-0.9.6i-21\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-devel-0.9.6i-21\", release:\"SUSE8.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-0.9.7b-133\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"openssl-devel-0.9.7b-133\", release:\"SUSE9.0\") )\n{\n security_warning(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"openssl-\", release:\"SUSE8.0\")\n || rpm_exists(rpm:\"openssl-\", release:\"SUSE8.1\")\n || rpm_exists(rpm:\"openssl-\", release:\"SUSE8.2\")\n || rpm_exists(rpm:\"openssl-\", release:\"SUSE9.0\") )\n{\n set_kb_item(name:\"CVE-2004-0079\", value:TRUE);\n set_kb_item(name:\"CVE-2004-0112\", value:TRUE);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:01", "bulletinFamily": "scanner", "description": "A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a NULL pointer assignment in the do_change_cipher_spec() function whih could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CVE-2004-0079 to this issue.\n\nAnother vulnerability was discovered by Stephen Henson in OpenSSL versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash.\nCVE has assigned CVE-2004-0112 to this issue.\n\nMandrakesoft urges users to upgrade to the packages provided that have been patched to protect against these problems. We would also like to thank NISCC for their assistance in coordinating the disclosure of these problems.\n\nPlease note that you will need to restart any SSL-enabled services for the patch to be effective, including (but not limited to) Apache, OpenLDAP, etc.", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2004-023.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14122", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : openssl (MDKSA-2004:023)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:023. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14122);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/07/19 20:59:13\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_xref(name:\"MDKSA\", value:\"2004:023\");\n\n script_name(english:\"Mandrake Linux Security Advisory : openssl (MDKSA-2004:023)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability was discovered by the OpenSSL group using the\nCodenomicon TLS Test Tool. The test uncovered a NULL pointer\nassignment in the do_change_cipher_spec() function whih could be\nabused by a remote attacker crafting a special SSL/TLS handshake\nagainst a server that used the OpenSSL library in such a way as to\ncause OpenSSL to crash. Depending on the application in question, this\ncould lead to a Denial of Service (DoS). This vulnerability affects\nboth OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has\nassigned CVE-2004-0079 to this issue.\n\nAnother vulnerability was discovered by Stephen Henson in OpenSSL\nversions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking\ncode when using Kerberos ciphersuites. A remote attacker could perform\na carefully crafted SSL/TLS handshake against a server configured to\nuse Kerberos ciphersuites in such a way as to cause OpenSSL to crash.\nCVE has assigned CVE-2004-0112 to this issue.\n\nMandrakesoft urges users to upgrade to the packages provided that have\nbeen patched to protect against these problems. We would also like to\nthank NISCC for their assistance in coordinating the disclosure of\nthese problems.\n\nPlease note that you will need to restart any SSL-enabled services for\nthe patch to be effective, including (but not limited to) Apache,\nOpenLDAP, etc.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl0.9.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl0.9.7-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0.9.7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0.9.7-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libopenssl0.9.7-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libopenssl0-0.9.6i-1.7.90mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libopenssl0-devel-0.9.6i-1.7.90mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"libopenssl0-static-devel-0.9.6i-1.7.90mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"openssl-0.9.6i-1.7.90mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libopenssl0-0.9.6i-1.3.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libopenssl0.9.7-0.9.7a-1.3.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libopenssl0.9.7-devel-0.9.7a-1.3.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"openssl-0.9.7a-1.3.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64openssl0.9.7-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libopenssl0.9.7-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libopenssl0.9.7-devel-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"openssl-0.9.7b-4.2.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:07:54", "bulletinFamily": "scanner", "description": "Updated OpenSSL packages that fix several remote denial of service vulnerabilities are available for Red Hat Enterprise Linux 3.\n\nThe OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3), Transport Layer Security (TLS v1) protocols, and serves as a full-strength general purpose cryptography library.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a NULL pointer assignment in the do_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0079 to this issue.\n\nStephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected by this issue.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0112 to this issue.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that may lead to a denial of service attack (infinite loop).\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0081 to this issue. This issue affects only the OpenSSL compatibility packages shipped with Red Hat Enterprise Linux 3.\n\nThese updated packages contain patches provided by the OpenSSL group that protect against these issues.\n\nAdditionally, the version of libica included in the OpenSSL packages has been updated to 1.3.5. This only affects IBM s390 and IBM eServer zSeries customers and is required for the latest openCryptoki packages.\n\nNOTE: Because server applications are affected by this issue, users are advised to either restart all services that use OpenSSL functionality or restart their systems after installing these updates.", "modified": "2018-11-15T00:00:00", "id": "REDHAT-RHSA-2004-120.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12480", "published": "2004-07-06T00:00:00", "title": "RHEL 3 : openssl (RHSA-2004:120)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:120. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12480);\n script_version (\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 11:40:29\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0081\", \"CVE-2004-0112\");\n script_bugtraq_id(9899);\n script_xref(name:\"RHSA\", value:\"2004:120\");\n\n script_name(english:\"RHEL 3 : openssl (RHSA-2004:120)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated OpenSSL packages that fix several remote denial of service\nvulnerabilities are available for Red Hat Enterprise Linux 3.\n\nThe OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\nTransport Layer Security (TLS v1) protocols, and serves as a\nfull-strength general purpose cryptography library.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test\nTool uncovered a NULL pointer assignment in the\ndo_change_cipher_spec() function in OpenSSL 0.9.6c-0.9.6k and\n0.9.7a-0.9.7c. A remote attacker could perform a carefully crafted\nSSL/TLS handshake against a server that uses the OpenSSL library in\nsuch a way as to cause OpenSSL to crash. Depending on the application\nthis could lead to a denial of service. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CVE-2004-0079\nto this issue.\n\nStephen Henson discovered a flaw in SSL/TLS handshaking code when\nusing Kerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote\nattacker could perform a carefully crafted SSL/TLS handshake against a\nserver configured to use Kerberos ciphersuites in such a way as to\ncause OpenSSL to crash. Most applications have no ability to use\nKerberos ciphersuites and will therefore be unaffected by this issue.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0112 to this issue.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test\nTool uncovered a bug in older versions of OpenSSL 0.9.6 prior to\n0.9.6d that may lead to a denial of service attack (infinite loop).\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CVE-2004-0081 to this issue. This issue affects only\nthe OpenSSL compatibility packages shipped with Red Hat Enterprise\nLinux 3.\n\nThese updated packages contain patches provided by the OpenSSL group\nthat protect against these issues.\n\nAdditionally, the version of libica included in the OpenSSL packages\nhas been updated to 1.3.5. This only affects IBM s390 and IBM eServer\nzSeries customers and is required for the latest openCryptoki\npackages.\n\nNOTE: Because server applications are affected by this issue, users\nare advised to either restart all services that use OpenSSL\nfunctionality or restart their systems after installing these updates.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0081\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2004-0112\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.codenomicon.com/testtools/tls/\"\n );\n # http://www.niscc.gov.uk/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.cpni.gov.uk/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2004:120\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl096b\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:120\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"openssl-0.9.7a-33.4\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssl-devel-0.9.7a-33.4\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"openssl-perl-0.9.7a-33.4\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"i386\", reference:\"openssl096b-0.9.6b-16\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"s390\", reference:\"openssl096b-0.9.6b-16\")) flag++;\n if (rpm_check(release:\"RHEL3\", cpu:\"x86_64\", reference:\"openssl096b-0.9.6b-16\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-devel / openssl-perl / openssl096b\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:07:51", "bulletinFamily": "scanner", "description": "According to its banner, the remote host is using a version of OpenSSL which is older than 0.9.6m / 0.9.7d. There are several bugs in such versions that may allow an attacker to cause a denial of service against the remote host.", "modified": "2018-11-15T00:00:00", "id": "OPENSSL_DENIAL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12110", "published": "2004-03-17T00:00:00", "title": "OpenSSL < 0.9.6m / 0.9.7d Multiple Remote DoS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(12110);\n script_version(\"1.36\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0081\", \"CVE-2004-0112\");\n script_bugtraq_id(9899);\n\n script_name(english:\"OpenSSL < 0.9.6m / 0.9.7d Multiple Remote DoS\");\n script_summary(english:\"Checks for version of OpenSSL\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is prone to a denial of service attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote host is using a version of OpenSSL\nwhich is older than 0.9.6m / 0.9.7d. There are several bugs in such\nversions that may allow an attacker to cause a denial of service\nagainst the remote host.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20040317.txt\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Mar/155\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 0.9.6m / 0.9.7d or newer.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/03/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/03/17\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n if ( ! defined_func(\"bn_random\") )\n \tscript_dependencie(\"http_version.nasl\");\n else\n \tscript_dependencie(\"http_version.nasl\", \"macosx_SecUpd20040503.nasl\", \"redhat-RHSA-2004-119.nasl\", \"redhat-RHSA-2004-120.nasl\");\n script_require_ports(\"Services/www\", 443);\n exit(0);\n}\n\n#\n# The script code starts here - we rely on Apache to spit OpenSSL's\n# version. That sucks.\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"backport.inc\");\n\n\n\nif ( get_kb_item(\"CVE-2004-0079\") ) exit(0);\nif ( get_kb_item(\"CVE-2004-0081\") ) exit(0);\n\n#\n# Only look at the banner for now. This test needs to be improved.\n# \nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:443);\n\nforeach port (ports)\n{\n banner = get_http_banner(port:port);\n if(banner)\n {\n banner = get_backport_banner(banner:banner);\n if ( ! banner || backported ) continue;\n if(egrep(pattern:\"^Server:.*OpenSSL/0\\.9\\.([0-5][^0-9]|6[^a-z]|6[a-l]).*\", string:banner)) security_warning(port);\n else if(egrep(pattern:\"^Server:.*OpenSSL/0\\.9\\.7(-beta.*|[a-c]| .*)\", string:banner)) security_warning(port);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:03", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200403-03 (Multiple OpenSSL Vulnerabilities)\n\n Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a NULL pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue.\n A flaw has been discovered in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos cipher suites and will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue.\n Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). This issue was traced to a fix that was added to OpenSSL 0.9.6d some time ago. This issue will affect vendors that ship older versions of OpenSSL with backported security patches.\n Impact :\n\n Although there are no public exploits known for bug, users are recommended to upgrade to ensure the security of their infrastructure.\n Workaround :\n\n There is no immediate workaround; a software upgrade is required. The vulnerable function in the code has been rewritten.", "modified": "2015-04-13T00:00:00", "id": "GENTOO_GLSA-200403-03.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14454", "published": "2004-08-30T00:00:00", "title": "GLSA-200403-03 : Multiple OpenSSL Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200403-03.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14454);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2015/04/13 13:34:21 $\");\n\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0081\", \"CVE-2004-0112\");\n script_xref(name:\"GLSA\", value:\"200403-03\");\n\n script_name(english:\"GLSA-200403-03 : Multiple OpenSSL Vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200403-03\n(Multiple OpenSSL Vulnerabilities)\n\n Testing performed by the OpenSSL group using the Codenomicon TLS Test\n Tool uncovered a NULL pointer assignment in the do_change_cipher_spec()\n function. A remote attacker could perform a carefully crafted SSL/TLS\n handshake against a server that used the OpenSSL library in such a way\n as to cause OpenSSL to crash. Depending on the application this could\n lead to a denial of service. All versions of OpenSSL from 0.9.6c to\n 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by\n this issue.\n A flaw has been discovered in SSL/TLS handshaking code when using\n Kerberos ciphersuites. A remote attacker could perform a carefully\n crafted SSL/TLS handshake against a server configured to use Kerberos\n ciphersuites in such a way as to cause OpenSSL to crash. Most\n applications have no ability to use Kerberos cipher suites and will\n therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL\n are affected by this issue.\n Testing performed by the OpenSSL group using the Codenomicon TLS Test\n Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead\n to a Denial of Service attack (infinite loop). This issue was traced to\n a fix that was added to OpenSSL 0.9.6d some time ago. This issue will\n affect vendors that ship older versions of OpenSSL with backported\n security patches.\n \nImpact :\n\n Although there are no public exploits known for bug, users are\n recommended to upgrade to ensure the security of their infrastructure.\n \nWorkaround :\n\n There is no immediate workaround; a software upgrade is required. The\n vulnerable function in the code has been rewritten.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200403-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m:\n # emerge sync\n # emerge -pv '>=dev-libs/openssl-0.9.7d'\n # emerge '>=dev-libs/openssl-0.9.7d'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/08/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-libs/openssl\", unaffected:make_list(\"ge 0.9.7d\", \"eq 0.9.6m\"), vulnerable:make_list(\"le 0.9.7c\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dev-libs/openssl\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:08:27", "bulletinFamily": "scanner", "description": "s700_800 11.04 Virtualvault 4.7 OpenSSH update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL by NISCC (224012/1 and 224012/2). The Common Vulnerabilities and Exposures project has referenced them as the following CAN-2004-0079, and CAN-2004-0112. The CERT summary is TA04-078A. 1. The do_change_cipher_spec function in OpenSSL allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112.", "modified": "2014-05-22T00:00:00", "id": "HPUX_PHSS_30640.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17525", "published": "2005-03-18T00:00:00", "title": "HP-UX PHSS_30640 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_30640. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17525);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2014/05/22 11:11:55 $\");\n\n script_cve_id(\"CVE-2003-0020\", \"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0113\", \"CVE-2004-0174\");\n script_xref(name:\"HP\", value:\"emr_na-c00944046\");\n script_xref(name:\"HP\", value:\"HPSBUX01019\");\n script_xref(name:\"HP\", value:\"SSRT4717\");\n\n script_name(english:\"HP-UX PHSS_30640 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 Virtualvault 4.7 OpenSSH update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL\nby NISCC (224012/1 and 224012/2). The Common Vulnerabilities and\nExposures project has referenced them as the following CAN-2004-0079,\nand CAN-2004-0112. The CERT summary is TA04-078A. 1. The\ndo_change_cipher_spec function in OpenSSL allows remote attackers to\ncause a denial of service via a crafted SSL/TLS handshake that\ntriggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking,\nwhen using Kerberos ciphersuites, does not properly check the length\nof Kerberos tickets during a handshake, which allows remote attackers\nto cause a denial of service via a crafted SSL/TLS handshake that\ncauses an out-of-bounds read. CVE-2004-0112.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00944046\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6195bc72\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_30640 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/05/04\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2007/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHSS_30640 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHSS_30640\", \"PHSS_34566\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"VaultTS.VV-OPENSSH\", version:\"A.04.70\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:08:27", "bulletinFamily": "scanner", "description": "s700_800 11.04 Virtualvault 4.6 IWS update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL by NISCC (224012/1 and 224012/2). The Common Vulnerabilities and Exposures project has referenced them as the following CAN-2004-0079, and CAN-2004-0112. The CERT summary is TA04-078A. 1. The do_change_cipher_spec function in OpenSSL allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112.", "modified": "2014-05-22T00:00:00", "id": "HPUX_PHSS_30643.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17528", "published": "2005-03-18T00:00:00", "title": "HP-UX PHSS_30643 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_30643. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17528);\n script_version(\"$Revision: 1.17 $\");\n script_cvs_date(\"$Date: 2014/05/22 11:11:55 $\");\n\n script_cve_id(\"CVE-2003-0020\", \"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0113\", \"CVE-2004-0174\");\n script_xref(name:\"HP\", value:\"emr_na-c00944046\");\n script_xref(name:\"HP\", value:\"HPSBUX01019\");\n script_xref(name:\"HP\", value:\"SSRT4717\");\n\n script_name(english:\"HP-UX PHSS_30643 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 Virtualvault 4.6 IWS update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL\nby NISCC (224012/1 and 224012/2). The Common Vulnerabilities and\nExposures project has referenced them as the following CAN-2004-0079,\nand CAN-2004-0112. The CERT summary is TA04-078A. 1. The\ndo_change_cipher_spec function in OpenSSL allows remote attackers to\ncause a denial of service via a crafted SSL/TLS handshake that\ntriggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking,\nwhen using Kerberos ciphersuites, does not properly check the length\nof Kerberos tickets during a handshake, which allows remote attackers\nto cause a denial of service via a crafted SSL/TLS handshake that\ncauses an out-of-bounds read. CVE-2004-0112.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00944046\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6195bc72\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_30643 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/06\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2007/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHSS_30643 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHSS_30643\", \"PHSS_30946\", \"PHSS_31825\", \"PHSS_32139\", \"PHSS_32206\", \"PHSS_34170\", \"PHSS_35105\", \"PHSS_35307\", \"PHSS_35459\", \"PHSS_35554\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"VaultTS.VV-IWS\", version:\"A.04.60\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:08:27", "bulletinFamily": "scanner", "description": "s700_800 11.04 Virtualvault 4.6 OWS update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL by NISCC (224012/1 and 224012/2). The Common Vulnerabilities and Exposures project has referenced them as the following CAN-2004-0079, and CAN-2004-0112. The CERT summary is TA04-078A. 1. The do_change_cipher_spec function in OpenSSL allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112.", "modified": "2014-05-22T00:00:00", "id": "HPUX_PHSS_30645.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17530", "published": "2005-03-18T00:00:00", "title": "HP-UX PHSS_30645 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_30645. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17530);\n script_version(\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2014/05/22 11:11:55 $\");\n\n script_cve_id(\"CVE-2003-0020\", \"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0113\", \"CVE-2004-0174\");\n script_xref(name:\"HP\", value:\"emr_na-c00944046\");\n script_xref(name:\"HP\", value:\"HPSBUX01019\");\n script_xref(name:\"HP\", value:\"SSRT4717\");\n\n script_name(english:\"HP-UX PHSS_30645 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 Virtualvault 4.6 OWS update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL\nby NISCC (224012/1 and 224012/2). The Common Vulnerabilities and\nExposures project has referenced them as the following CAN-2004-0079,\nand CAN-2004-0112. The CERT summary is TA04-078A. 1. The\ndo_change_cipher_spec function in OpenSSL allows remote attackers to\ncause a denial of service via a crafted SSL/TLS handshake that\ntriggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking,\nwhen using Kerberos ciphersuites, does not properly check the length\nof Kerberos tickets during a handshake, which allows remote attackers\nto cause a denial of service via a crafted SSL/TLS handshake that\ncauses an out-of-bounds read. CVE-2004-0112.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00944046\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6195bc72\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_30645 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/21\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2007/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHSS_30645 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHSS_30645\", \"PHSS_30947\", \"PHSS_31057\", \"PHSS_31826\", \"PHSS_32183\", \"PHSS_33397\", \"PHSS_34120\", \"PHSS_35108\", \"PHSS_35462\", \"PHSS_35557\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"VaultTS.VV-CORE-CMN\", version:\"A.04.60\")) flag++;\nif (hpux_check_patch(app:\"VaultTS.VV-IWS-GUI\", version:\"A.04.60\")) flag++;\nif (hpux_check_patch(app:\"VaultTS.VV-IWS-JAVA\", version:\"A.04.60\")) flag++;\nif (hpux_check_patch(app:\"VaultWS.WS-CORE\", version:\"A.04.60\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:08:27", "bulletinFamily": "scanner", "description": "s700_800 11.04 Virtualvault 4.6 TGP update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL by NISCC (224012/1 and 224012/2). The Common Vulnerabilities and Exposures project has referenced them as the following CAN-2004-0079, and CAN-2004-0112. The CERT summary is TA04-078A. 1. The do_change_cipher_spec function in OpenSSL allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112.", "modified": "2014-05-22T00:00:00", "id": "HPUX_PHSS_30646.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=17531", "published": "2005-03-18T00:00:00", "title": "HP-UX PHSS_30646 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHSS_30646. The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17531);\n script_version(\"$Revision: 1.15 $\");\n script_cvs_date(\"$Date: 2014/05/22 11:11:55 $\");\n\n script_cve_id(\"CVE-2003-0020\", \"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0113\", \"CVE-2004-0174\");\n script_xref(name:\"HP\", value:\"emr_na-c00944046\");\n script_xref(name:\"HP\", value:\"HPSBUX01019\");\n script_xref(name:\"HP\", value:\"SSRT4717\");\n\n script_name(english:\"HP-UX PHSS_30646 : HP-UX Running Apache, Remote Denial of Service (DoS) (HPSBUX01019 SSRT4717 rev.3)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 Virtualvault 4.6 TGP update : \n\nTwo potential security vulnerabilities have been identified in OpenSSL\nby NISCC (224012/1 and 224012/2). The Common Vulnerabilities and\nExposures project has referenced them as the following CAN-2004-0079,\nand CAN-2004-0112. The CERT summary is TA04-078A. 1. The\ndo_change_cipher_spec function in OpenSSL allows remote attackers to\ncause a denial of service via a crafted SSL/TLS handshake that\ntriggers a null dereference. CVE-2004-0079 2. The SSL/TLS handshaking,\nwhen using Kerberos ciphersuites, does not properly check the length\nof Kerberos tickets during a handshake, which allows remote attackers\nto cause a denial of service via a crafted SSL/TLS handshake that\ncauses an out-of-bounds read. CVE-2004-0112.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00944046\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6195bc72\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHSS_30646 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/04/19\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2007/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHSS_30646 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHSS_30646\", \"PHSS_34165\", \"PHSS_35480\", \"PHSS_35559\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"VaultTGP.TGP-CORE\", version:\"A.04.60\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:44", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-077-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53942", "id": "OPENVAS:53942", "title": "Slackware Advisory SSA:2004-077-01 OpenSSL security update", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_077_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0,\n9.1, and -current. These fix two potential denial-of-service\nissues in earlier versions of OpenSSL.\n\nWe recommend sites that use OpenSSL upgrade to the fixed packages\nright away.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2004-077-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-077-01\";\n \nif(description)\n{\n script_id(53942);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2004-077-01 OpenSSL security update \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.6m-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.6m-i386-1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.7d-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.7d-i386-1\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.7d-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.7d-i486-1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2004-077-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231053942", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231053942", "title": "Slackware Advisory SSA:2004-077-01 OpenSSL security update", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2004_077_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.53942\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2004-077-01 OpenSSL security update\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(8\\.1|9\\.0|9\\.1)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2004-077-01\");\n\n script_tag(name:\"insight\", value:\"Upgraded OpenSSL packages are available for Slackware 8.1, 9.0,\n9.1, and -current. These fix two potential denial-of-service\nissues in earlier versions of OpenSSL.\n\nWe recommend sites that use OpenSSL upgrade to the fixed packages\nright away.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2004-077-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.6m-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.6m-i386-1\", rls:\"SLK8.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.7d-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.7d-i386-1\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssl\", ver:\"0.9.7d-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"openssl-solibs\", ver:\"0.9.7d-i486-1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-04-09T11:39:39", "bulletinFamily": "scanner", "description": "Check for the Version of AAA Server", "modified": "2018-04-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835158", "id": "OPENVAS:1361412562310835158", "type": "openvas", "title": "HP-UX Update for AAA Server HPSBUX01011", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for AAA Server HPSBUX01011\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote denial of service.\";\ntag_affected = \"AAA Server on\n HP-UX B.11.00 and B.11.11 running HP-UX AAA Server A.06.01.02.04 HP-UX \n B.11.23 running HP-UX AAA Server A.06.01.02.06.\";\ntag_insight = \"A potential security vulnerability has been identified withthe HP-UX AAA \n server where an unauthenticated remote attackercould cause a Denial of \n Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00897351-2\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835158\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01011\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0081\");\n script_name( \"HP-UX Update for AAA Server HPSBUX01011\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of AAA Server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:18", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200403-03.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54528", "id": "OPENVAS:54528", "title": "Gentoo Security Advisory GLSA 200403-03 (OpenSSL)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Three vulnerabilities have been found in OpenSSL via a commercial test\nsuite for the TLS protocol developed by Codenomicon Ltd.\";\ntag_solution = \"All users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m:\n\n # emerge sync\n # emerge -pv '>=dev-libs/openssl-0.9.7d'\n # emerge '>=dev-libs/openssl-0.9.7d'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200403-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=44941\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200403-03.\";\n\n \n\nif(description)\n{\n script_id(54528);\n script_cve_id(\"CVE-2004-0079\",\"CVE-2004-0081\",\"CVE-2004-0112\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200403-03 (OpenSSL)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"dev-libs/openssl\", unaffected: make_list(\"ge 0.9.7d\", \"eq 0.9.6m\"), vulnerable: make_list(\"le 0.9.7c\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:27", "bulletinFamily": "scanner", "description": "Check for the Version of AAA Server", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=835158", "id": "OPENVAS:835158", "title": "HP-UX Update for AAA Server HPSBUX01011", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for AAA Server HPSBUX01011\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote denial of service.\";\ntag_affected = \"AAA Server on\n HP-UX B.11.00 and B.11.11 running HP-UX AAA Server A.06.01.02.04 HP-UX \n B.11.23 running HP-UX AAA Server A.06.01.02.06.\";\ntag_insight = \"A potential security vulnerability has been identified withthe HP-UX AAA \n server where an unauthenticated remote attackercould cause a Denial of \n Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00897351-2\");\n script_id(835158);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01011\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0112\", \"CVE-2004-0081\");\n script_name( \"HP-UX Update for AAA Server HPSBUX01011\");\n\n script_summary(\"Check for the Version of AAA Server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"AAAServer\", revision:\"A.06.01.02.07\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-26T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52470", "id": "OPENVAS:52470", "title": "FreeBSD Ports: openssl, openssl-beta", "type": "openvas", "sourceData": "#\n#VID 68233cba-7774-11d8-89ed-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n openssl\n openssl-beta\n\nCVE-2004-0079\nThe do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and\n0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service\n(crash) via a crafted SSL/TLS handshake that triggers a null\ndereference.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.openssl.org/news/secadv_20040317.txt\nhttp://www.vuxml.org/freebsd/68233cba-7774-11d8-89ed-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52470);\n script_version(\"$Revision: 4144 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-26 07:28:56 +0200 (Mon, 26 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0079\");\n script_bugtraq_id(9899);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"FreeBSD Ports: openssl, openssl-beta\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"openssl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.9.7d\")<0) {\n txt += 'Package openssl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"openssl-beta\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.9.7d\")<0) {\n txt += 'Package openssl-beta version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-12-08T11:44:46", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-04:05.openssl.asc", "modified": "2017-12-07T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52647", "id": "OPENVAS:52647", "title": "FreeBSD Security Advisory (FreeBSD-SA-04:05.openssl.asc)", "type": "openvas", "sourceData": "#\n#ADV FreeBSD-SA-04:05.openssl.asc\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n#\n\ntag_insight = \"FreeBSD includes software from the OpenSSL Project. The OpenSSL\nProject is a collaborative effort to develop a robust, commercial-\ngrade, full-featured, and Open Source toolkit implementing the Secure\nSockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)\nprotocols as well as a full-strength general purpose cryptography\nlibrary.\n\nWhen processing an SSL/TLS ChangeCipherSpec message, OpenSSL may fail to\ncheck that a new cipher has been previously negotiated. This may result\nin a null pointer dereference.\";\ntag_solution = \"Upgrade your system to the appropriate stable release\nor security branch dated after the correction date\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FreeBSD-SA-04:05.openssl.asc\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory FreeBSD-SA-04:05.openssl.asc\";\n\n \nif(description)\n{\n script_id(52647);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_bugtraq_id(9899);\n script_cve_id(\"CVE-2004-0079\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n name = \"FreeBSD Security Advisory (FreeBSD-SA-04:05.openssl.asc)\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n family = \"FreeBSD Local Security Checks\";\n script_family(family);\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdpatchlevel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\nif(patchlevelcmp(rel:\"5.2.1\", patchlevel:\"3\")<0) {\n vuln = 1;\n}\nif(patchlevelcmp(rel:\"5.1\", patchlevel:\"16\")<0) {\n vuln = 1;\n}\nif(patchlevelcmp(rel:\"4.9\", patchlevel:\"4\")<0) {\n vuln = 1;\n}\nif(patchlevelcmp(rel:\"4.8\", patchlevel:\"17\")<0) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update to openssl,openssl094,openssl095\nannounced via advisory DSA 465-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53162", "id": "OPENVAS:53162", "title": "Debian Security Advisory DSA 465-1 (openssl,openssl094,openssl095)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_465_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 465-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities were discovered in openssl, an implementation of\nthe SSL protocol, using the Codenomicon TLS Test Tool. More\ninformation can be found in the following NISCC Vulnerability\nAdvisory:\n\nhttp://www.uniras.gov.uk/vuls/2004/224012/index.htm\n\nand this OpenSSL advisory:\n\nhttp://www.openssl.org/news/secadv_20040317.txt\n\n- CVE-2004-0079 - null-pointer assignment in the\ndo_change_cipher_spec() function. A remote attacker could perform\na carefully crafted SSL/TLS handshake against a server that used\nthe OpenSSL library in such a way as to cause OpenSSL to crash.\nDepending on the application this could lead to a denial of\nservice.\n\n- CVE-2004-0081 - a bug in older versions of OpenSSL 0.9.6 that\ncan lead to a Denial of Service attack (infinite loop).\n\nFor the stable distribution (woody) these problems have been fixed in\nopenssl version 0.9.6c-2.woody.6, openssl094 version 0.9.4-6.woody.4\nand openssl095 version 0.9.5a-6.woody.5.\n\nFor the unstable distribution (sid) these problems will be fixed soon.\n\nWe recommend that you update your openssl package.\";\ntag_summary = \"The remote host is missing an update to openssl,openssl094,openssl095\nannounced via advisory DSA 465-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20465-1\";\n\nif(description)\n{\n script_id(53162);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0079\", \"CVE-2004-0081\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 465-1 (openssl,openssl094,openssl095)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ssleay\", ver:\"0.9.6c-2.woody.6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl-dev\", ver:\"0.9.6c-2.woody.6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl0.9.6\", ver:\"0.9.6c-2.woody.6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"openssl\", ver:\"0.9.6c-2.woody.6\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl095a\", ver:\"0.9.5a-6.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libssl09\", ver:\"0.9.4-6.woody.3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:56:34", "bulletinFamily": "scanner", "description": "Check for the Version of Apache", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=835044", "id": "OPENVAS:835044", "title": "HP-UX Update for Apache HPSBUX01019", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01019\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server. HP-UX B.11.04.\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX running \n Apache. These vulnerabilities could be exploited remotely to create a Denial \n of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00944046-1\");\n script_id(835044);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01019\");\n script_cve_id(\"CVE-2003-0079\", \"CVE-2004-0112\");\n script_name( \"HP-UX Update for Apache HPSBUX01019\");\n\n script_summary(\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.49.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.22\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.11.23\", rls:\"HPUX11.22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.04\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30639'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-OPENSSH\", patch_list:['PHSS_30640'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30641'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTGP.TGP-CORE\", patch_list:['PHSS_30642'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30643'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-OPENSSH\", patch_list:['PHSS_30644'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30645'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTGP.TGP-CORE\", patch_list:['PHSS_30646'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30647'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30648'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"HP_Webproxy.HPWEB-PX-CORE\", patch_list:['PHSS_30649'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"HP_Webproxy.HPWEB-PX-CORE\", patch_list:['PHSS_30650'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.49.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.49.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.49.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-09T11:39:58", "bulletinFamily": "scanner", "description": "Check for the Version of Apache", "modified": "2018-04-06T00:00:00", "published": "2009-05-05T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310835044", "id": "OPENVAS:1361412562310835044", "title": "HP-UX Update for Apache HPSBUX01019", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for Apache HPSBUX01019\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote Denial of Service (DoS)\";\ntag_affected = \"Apache on\n HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 running the hpuxwsAPACHE HP-UX \n Apache-based Web Server. HP-UX B.11.04.\";\ntag_insight = \"Potential security vulnerabilities have been identified with HP-UX running \n Apache. These vulnerabilities could be exploited remotely to create a Denial \n of Service (DoS).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c00944046-1\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.835044\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"HPSBUX\", value: \"01019\");\n script_cve_id(\"CVE-2003-0079\", \"CVE-2004-0112\");\n script_name( \"HP-UX Update for Apache HPSBUX01019\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of Apache\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.00\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.49.00\", rls:\"HPUX11.00\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.22\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.11.23\", rls:\"HPUX11.22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.04\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30639'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-OPENSSH\", patch_list:['PHSS_30640'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30641'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTGP.TGP-CORE\", patch_list:['PHSS_30642'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30643'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-OPENSSH\", patch_list:['PHSS_30644'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30645'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTGP.TGP-CORE\", patch_list:['PHSS_30646'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultTS.VV-IWS\", patch_list:['PHSS_30647'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"VaultWS.WS-CORE\", patch_list:['PHSS_30648'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"HP_Webproxy.HPWEB-PX-CORE\", patch_list:['PHSS_30649'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"HP_Webproxy.HPWEB-PX-CORE\", patch_list:['PHSS_30650'], rls:\"HPUX11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"A.2.0.49.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.49.00\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"hpuxwsAPACHE\", revision:\"B.2.0.49.00\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "OpenSSL Security Advisory [17 March 2004]\r\n\r\nUpdated versions of OpenSSL are now available which correct two \r\nsecurity issues:\r\n\r\n\r\n1. Null-pointer assignment during SSL handshake\r\n===============================================\r\n\r\nTesting performed by the OpenSSL group using the Codenomicon TLS Test\r\nTool uncovered a null-pointer assignment in the\r\ndo_change_cipher_spec() function. A remote attacker could perform a\r\ncarefully crafted SSL/TLS handshake against a server that used the\r\nOpenSSL library in such a way as to cause OpenSSL to crash. Depending\r\non the application this could lead to a denial of service.\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0079 to this issue.\r\n\r\nAll versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from\r\n0.9.7a to 0.9.7c inclusive are affected by this issue. Any\r\napplication that makes use of OpenSSL's SSL/TLS library may be\r\naffected. Please contact your application vendor for details.\r\n\r\n\r\n2. Out-of-bounds read affects Kerberos ciphersuites\r\n===================================================\r\n\r\nStephen Henson discovered a flaw in SSL/TLS handshaking code when\r\nusing Kerberos ciphersuites. A remote attacker could perform a\r\ncarefully crafted SSL/TLS handshake against a server configured to use\r\nKerberos ciphersuites in such a way as to cause OpenSSL to crash.\r\nMost applications have no ability to use Kerberos ciphersuites and\r\nwill therefore be unaffected.\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\nassigned the name CAN-2004-0112 to this issue.\r\n\r\nVersions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this\r\nissue. Any application that makes use of OpenSSL's SSL/TLS library\r\nmay be affected. Please contact your application vendor for details.\r\n\r\nRecommendations\r\n---------------\r\n\r\nUpgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications\r\nstatically linked to OpenSSL libraries.\r\n\r\nOpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and\r\nFTP from the following master locations (you can find the various FTP\r\nmirrors under http://www.openssl.org/source/mirror.html):\r\n\r\n ftp://ftp.openssl.org/source/\r\n\r\nThe distribution file names are:\r\n\r\n o openssl-0.9.7d.tar.gz\r\n MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5\r\n \r\n o openssl-0.9.6m.tar.gz [normal]\r\n MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9\r\n o openssl-engine-0.9.6m.tar.gz [engine]\r\n MD5 checksum: 4c39d2524bd466180f9077f8efddac8c\r\n\r\nThe checksums were calculated using the following command:\r\n\r\n openssl md5 openssl-0.9*.tar.gz\r\n\r\nCredits\r\n-------\r\n\r\nPatches for these issues were created by Dr Stephen Henson\r\n(steve@openssl.org) of the OpenSSL core team. The OpenSSL team would\r\nlike to thank Codenomicon for supplying the TLS Test Tool which was\r\nused to discover these vulnerabilities, and Joe Orton of Red Hat for\r\nperforming the majority of the testing.\r\n\r\nReferences\r\n----------\r\n\r\nhttp://www.codenomicon.com/testtools/tls/\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112\r\n\r\nURL for this Security Advisory:\r\nhttp://www.openssl.org/news/secadv_20040317.txt\r\n\r\n\r\n\r\n", "modified": "2004-03-17T00:00:00", "published": "2004-03-17T00:00:00", "id": "SECURITYVULNS:DOC:5915", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5915", "title": "OpenSSL Security Advisory [17 March 2004]", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nTechnical Cyber Security Alert TA04-078A\r\n\r\nMultiple Vulnerabilities in OpenSSL\r\n\r\n Original release date: March 18, 2004\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n * Applications and systems that use the OpenSSL SSL/TLS library\r\n\r\n\r\nOverview\r\n\r\n Several vulnerabilities in the OpenSSL SSL/TLS library could allow an\r\n unauthenticated, remote attacker to cause a denial of service.\r\n\r\n\r\nI. Description\r\n\r\n OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer\r\n Security (TLS) protocols and includes a general purpose cryptographic\r\n library. SSL and TLS are commonly used to provide authentication,\r\n encryption, integrity, and non-repudiation services to network\r\n applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is\r\n widely deployed across a variety of platforms and systems. In\r\n particular, many routers and other types of networking equipment use\r\n OpenSSL.\r\n\r\n The U.K. National Infrastructure Security Co-ordination Centre (NISCC)\r\n and the OpenSSL Project have reported three vulnerabilities in the\r\n OpenSSL SSL/TLS library (libssl). Any application or system that uses\r\n this library may be affected.\r\n\r\n VU#288574 - OpenSSL contains null-pointer assignment in\r\n do_change_cipher_spec() function\r\n\r\n Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to\r\n 0.9.7c inclusive contain a null-pointer assignment in the\r\n do_change_cipher_spec() function. By performing a specially crafted\r\n SSL/TLS handshake, an attacker could cause OpenSSL to crash, which\r\n may result in a denial of service in the target application.\r\n \r\n (Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079,\r\n NISCC/224012/OpenSSL/1)\r\n\r\n VU#484726 - OpenSSL does not adequately validate length of Kerberos\r\n tickets during SSL/TLS handshake\r\n\r\n Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately\r\n validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS\r\n handshake. OpenSSL is not configured to use Kerberos by default. By\r\n performing a specially crafted SSL/TLS handshake with an OpenSSL\r\n system configured to use Kerberos, an attacker could cause OpenSSL\r\n to crash, which may result in a denial of service in the target\r\n application. OpenSSL 0.9.6 is not affected.\r\n \r\n (Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112,\r\n NISCC/224012/OpenSSL/2)\r\n\r\n VU#465542 - OpenSSL does not properly handle unknown message types\r\n\r\n OpenSSL prior to version 0.9.6d does not properly handle unknown\r\n SSL/TLS message types. An attacker could cause the application using\r\n OpenSSL to enter an infinite loop, which may result in a denial of\r\n service in the target application. OpenSSL 0.9.7 is not affected.\r\n \r\n (Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)\r\n\r\n\r\nII. Impact\r\n\r\n An unauthenticated, remote attacker could cause a denial of service in\r\n any application or system that uses a vulnerable OpenSSL SSL/TLS\r\n library.\r\n\r\n\r\nIII. Solution\r\n\r\nUpgrade or Apply a patch from your vendor\r\n\r\n Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a\r\n patch as specified by your vendor. Note that it is necessary to\r\n recompile any applications that are statically linked to the OpenSSL\r\n SSL/TLS library.\r\n\r\n\r\nAppendix A. Vendor Information\r\n\r\n Multiple vendors are affected by different combinations of these\r\n vulnerabilities. For updated information, please see the Systems\r\n Affected sections of VU#288574, VU#484726, and VU#465542.\r\n\r\n\r\nAppendix B. References\r\n\r\n * US-CERT Technical Cyber Security Alert TA04-078A -\r\n <http://www.us-cert.gov/cas/techalerts/TA04-078A.html>\r\n * Vulnerability Note VU#288574 -\r\n <http://www.kb.cert.org/vuls/id/288574>\r\n * Vulnerability Note VU#484726 -\r\n <http://www.kb.cert.org/vuls/id/484726>\r\n * Vulnerability Note VU#465542 -\r\n <http://www.kb.cert.org/vuls/id/465542>\r\n * OpenSSL Security Advisory [17 March 2004] -\r\n <http://www.openssl.org/news/secadv_20040317.txt>\r\n * NISCC Vulnerability Advisory 224012 -\r\n <http://www.uniras.gov.uk/vuls/2004/224012/index.htm>\r\n * RFC 2712 Addition of Kerberos Cipher Suites to Transport Layer\r\n Security (TLS) - <http://www.ietf.org/rfc/rfc2712.txt>\r\n\r\n _________________________________________________________________\r\n\r\n These vulnerabilities were researched and reported by the OpenSSL\r\n Project and the U.K. National Infrastructure Security Co-ordination\r\n Centre (NISCC).\r\n _________________________________________________________________\r\n\r\n Feedback can be directed to the authors: Art Manion and Damon Morda.\r\n _________________________________________________________________\r\n\r\n\r\n Copyright 2004 Carnegie Mellon University. Terms of use.\r\n\r\n Revision History\r\n\r\n March 18, 2004: Initial release\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.2.1 (GNU/Linux)\r\n\r\niD8DBQFAWiHMXlvNRxAkFWARAvBKAJ4zD2uh0dqSXy4CjyPphrJlcpAD/QCfZASx\r\nPLs+5hkNGzVPGQF08K2kPj0=\r\n=Lxfo\r\n-----END PGP SIGNATURE-----", "modified": "2004-03-19T00:00:00", "published": "2004-03-19T00:00:00", "id": "SECURITYVULNS:DOC:5919", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5919", "title": "US-CERT Technical Cyber Security Alert TA04-078A -- Multiple Vulnerabilities in OpenSSL", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "slackware": [{"lastseen": "2019-05-30T07:36:43", "bulletinFamily": "unix", "description": "Upgraded OpenSSL packages are available for Slackware 8.1, 9.0,\n9.1, and -current. These fix two potential denial-of-service\nissues in earlier versions of OpenSSL.\n\nWe recommend sites that use OpenSSL upgrade to the fixed packages\nright away.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112\n\nHere are the details from the Slackware 9.1 ChangeLog:\n\nWed Mar 17 14:41:42 PST 2004\npatches/packages/openssl-0.9.7d-i486-1.tgz: Upgraded to openssl-0.9.7d.\npatches/packages/openssl-solibs-0.9.7d-i486-1.tgz: Upgraded to\n openssl-0.9.7d. This fixes two potential denial-of-service issues in\n earlier versions of OpenSSL. For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112\n (* Security fix *)\n\nWHERE TO FIND THE NEW PACKAGES:\n\nUpdated packages for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-0.9.6m-i386-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/openssl-solibs-0.9.6m-i386-1.tgz\n\nUpdated packages for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssl-0.9.7d-i386-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/openssl-solibs-0.9.7d-i386-1.tgz\n\nUpdated packages for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssl-0.9.7d-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/openssl-solibs-0.9.7d-i486-1.tgz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-0.9.7d-i486-1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-0.9.7d-i486-1.tgz\n\n\nMD5 SIGNATURES:\n\nSlackware 8.1 packages:\n9526929bee40c6f29ddd3e9549deff3a openssl-0.9.6m-i386-1.tgz\n8e9e9121276309c6082d4f16aa1ba31e openssl-solibs-0.9.6m-i386-1.tgz\n\nSlackware 9.0 packages:\n51738802d6c2c33852870e5921a96b71 openssl-0.9.7d-i386-1.tgz\n18a9c560acf5c9df7f782bd16455d964 openssl-solibs-0.9.7d-i386-1.tgz\n\nSlackware 9.1 packages:\n24e4d36cf911d45c5e33a075bb353a85 openssl-0.9.7d-i486-1.tgz\nb53517348c04a279fb8139d98367f1cb openssl-solibs-0.9.7d-i486-1.tgz\n\nSlackware -current packages:\n04df11995b00fcd19cdf2ced00c962eb openssl-0.9.7d-i486-1.tgz\nbd21b8d487217758b903bdbc9ac309a1 openssl-solibs-0.9.7d-i486-1.tgz\n\n\nINSTALLATION INSTRUCTIONS:\n\nUpgrade using upgradepkg (as root):\n > upgradepkg openssl-0.9.7d-i486-1.tgz openssl-solibs-0.9.7d-i486-1.tgz", "modified": "2004-03-17T17:34:04", "published": "2004-03-17T17:34:04", "id": "SSA-2004-077-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961", "title": "OpenSSL security update", "type": "slackware", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cert": [{"lastseen": "2019-10-09T19:52:38", "bulletinFamily": "info", "description": "### Overview \n\nOpenSSL contains a null-pointer assignment in the `do_change_cipher_spec()` function which could allow a remote, unauthenticated attacker to cause OpenSSL to crash.\n\n### Description \n\n[OpenSSL](<http://www.openssl.org/>) implements the Secure Sockets Layer (SSL) and Transport Layer Security ([TLS](<http://www.ietf.org/rfc/rfc2246.txt>)) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.\n\nVersions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the `do_change_cipher_spec()` function. By sending a specially crafted SSL/TLS handshake to an application that uses a vulnerable OpenSSL library, a remote, unauthenticated attacker could cause OpenSSL to crash. \n \nFurther information is available in an advisory from [OpenSSL](<http://www.openssl.org/news/secadv_20040317.txt>) and [NISCC/224012/OpenSSL/1](<http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-1204.txt>). \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL. \n \n--- \n \n### Solution \n\n**Upgrade or Patch** \nUpgrade to OpenSSL 0.9.7d or 0.9.6m. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries. \n \n--- \n \n### Vendor Information\n\n288574\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nNotified: March 17, 2004 Updated: May 06, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThis is fixed in Security Update 2004-04-05, and further information is available from <http://docs.info.apple.com/article.html?artnum=61798>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ __ Check Point\n\nNotified: March 17, 2004 Updated: March 25, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nCheck Point products are vulnerable to: CAN-2004-0079 and CAN-2004-0081\n\nCAN-2004-0112 is not relevant to Check Point products. \n \nA fix is available for download from the Check Point Web site ([http://www.checkpoint.com](<http://www.checkpoint.com/>)).\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ __ Debian\n\nNotified: March 17, 2004 Updated: March 26, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWe have addressed CAN-2004-0079 and CAN-2004-0081 in [DSA-456](<http://www.debian.org/security/2004/dsa-465>). CAN-2004-0112 does not affect our stable release.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ OpenSSL\n\nUpdated: March 16, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Red Hat Inc.\n\nNotified: March 17, 2004 Updated: March 25, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ __ SuSE Inc.\n\nNotified: March 17, 2004 Updated: March 25, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSUSE LINUX released their update packages and security advisory on the 17th of March.\n\n \n<http://www.suse.de/de/security/2004_07_openssl.html> [SuSE-SA:2004:007]\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ __ Extreme Networks\n\nNotified: March 17, 2004 Updated: March 26, 2004 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nExtreme product suite is not vulnerable.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ 3Com\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Alcatel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Apache\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Apache-SSL\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ At&T\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Avaya\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ BSDI\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Borderware\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ COVERT Labs\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Certicom\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Cisco Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Clavister\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Computer Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Conectiva\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Covalent\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Cray Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ D-Link Systems\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Dan Bernstein\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ EMC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Engarde\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ F-Secure\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ F5 Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Foundry Networks Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ FreeBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ FreeS/WAN\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Fujitsu\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Global Technology Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Hitachi\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ IBM\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ IP Filter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Ingrian Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Intel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Internet Initiative Japan (IIJ)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Intoto\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Juniper Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ KAME Project\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Lachman\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Linksys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Lotus Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Lucent Technologies\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ MandrakeSoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Microsoft Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ MontaVista Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Multi-Tech Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Multinet\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ NCSA\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ NEC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ NETBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ NIST\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ NetScreen\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Netfilter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Network Appliance\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Nokia\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Nortel Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Novell\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ OpenBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Redback Networks Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Riverstone Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ SCO\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ SGI\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ SSH Communications Security\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ SafeNet\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Secure Computing Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ SecureWorks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Sequent\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Sony Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Stonesoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Sun Microsystems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Symantec Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ TurboLinux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Unisys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ WatchGuard\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Wind River Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ Wirex\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ ZyXEL\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\n### __ eSoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23288574 Feedback>).\n\nView all 85 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.openssl.org/news/secadv_20040317.txt>\n * <http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-1204.txt>\n * <http://www.openssl.org>\n\n### Acknowledgements\n\nThis vulnerability was discovered by the OpenSSL Project and reported by the National Infrastructure Security Co-ordination Centre (NISCC).\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0079](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0079>) \n---|--- \n**Severity Metric:****** | 27.38 \n**Date Public:** | 2004-03-17 \n**Date First Published:** | 2004-03-17 \n**Date Last Updated: ** | 2004-03-26 21:58 UTC \n**Document Revision: ** | 19 \n", "modified": "2004-03-26T21:58:00", "published": "2004-03-17T00:00:00", "id": "VU:288574", "href": "https://www.kb.cert.org/vuls/id/288574", "type": "cert", "title": "OpenSSL contains null-pointer assignment in do_change_cipher_spec() function", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-09T19:52:39", "bulletinFamily": "info", "description": "### Overview \n\nOpenSSL does not properly handle unknown message types, allowing an unauthenticated, remote attacker to cause a denial of service. This vulnerability was addressed in OpenSSL [0.9.6d](<http://cvs.openssl.org/chngview?cn=5721>) and [0.9.7](<http://cvs.openssl.org/chngview?cn=5722>).\n\n### Description \n\n[OpenSSL](<http://www.openssl.org/>) implements the Secure Sockets Layer (SSL) and Transport Layer Security ([TLS](<http://www.ietf.org/rfc/rfc2246.txt>)) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.\n\nOpenSSL prior to version 0.9.6d does not properly handle unknown message types. An attacker could cause the application using OpenSSL to enter an infinite loop, resulting in a denial of service. \n \nFurther information is available in [NISCC/224012/OpenSSL/3](<http://www.uniras.gov.uk/vuls/2004/224012/index.htm>). \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker could cause a denial of service in an application that uses OpenSSL. \n \n--- \n \n### Solution \n\n**Upgrade or Patch** \nThis vulnerability was addressed in OpenSSL versions [0.9.6d](<http://cvs.openssl.org/chngview?cn=5721>) and [0.9.7](<http://cvs.openssl.org/chngview?cn=5722>). Upgrade to OpenSSL version 0.9.6d or 0.9.7 greater. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries. \n \n--- \n \n### Vendor Information\n\n465542\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Cisco Systems Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nOur Security Advisory for this issue is posted at\n\n \n<http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability](<http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ __ Debian\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWe have addressed CAN-2004-0079 and CAN-2004-0081 in [DSA-456](<http://www.debian.org/security/2004/dsa-465>). CAN-2004-0112 does not affect our stable release.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Gentoo Linux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [GLSA 200403-03](<http://forums.gentoo.org/viewtopic.php?t=150561>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Guardian Digital Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [ESA-20040317-003](<http://www.linuxsecurity.com/advisories/engarde_advisory-4135.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ __ NetScreen\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nWe were given advance notification of this issue by NISCC and have patches available today. We have an advisory published on our website at the following URL:\n\n<http://www.netscreen.com/services/security/alerts/adv58466-signed.txt> \n \nHere are the details from the advisory: \n \nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered an infinite loop (CAN-2004-0081) which a remote attacker may be able to exploit causing the application to become unresponsive. This issue affects the NetScreen IVE platform. All other NetScreen products are immune to this issue.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ OpenSSL\n\nUpdated: March 17, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis vulnerability was [addressed](<http://cvs.openssl.org/chngview?cn=5722>) in OpenSSL 0.9.6d.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ __ Red Hat Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nRed Hat distributes various versions of OpenSSL in Red Hat Linux, Red Hat Enterprise Linux, and Stronghold distributions. Updated packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.\n\nRed Hat Linux 9: \n\n\n<http://rhn.redhat.com/errata/RHSA-2004-121.html>Red Hat Enterprise Linux: \n\n\n<http://rhn.redhat.com/errata/RHSA-2004-120.html>Stronghold 4 (Cross-platform): \n\n\n<http://rhn.redhat.com/errata/RHSA-2004-139.html>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [RHSA-2004:119,](<http://rhn.redhat.com/errata/RHSA-2004-119.html>) [RHSA-2004:120](<http://rhn.redhat.com/errata/RHSA-2004-120.html>), [RHSA-2004:121](<http://rhn.redhat.com/errata/RHSA-2004-121.html>), and [RHSA-2004:139](<http://rhn.redhat.com/errata/RHSA-2004-139.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ __ Apple Computer Inc.\n\nNotified: March 17, 2004 Updated: May 06, 2005 \n\n### Status\n\n__ Not Vulnerable\n\n### Vendor Statement\n\nMac OS X 10.2, Mac OS X Server 10.2, and later do not contain this issue as the vulnerable versions of OpenSSL were not distributed.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ 3Com\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ AT&T\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Alcatel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Apache\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Apache-SSL\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Avaya\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Borderware\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Certicom\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Check Point\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Clavister\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Computer Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Conectiva\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Covalent\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Cray Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ D-Link Systems\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Dan Bernstein\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ EMC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Extreme Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ F-Secure\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ F5 Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Foundry Networks Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ FreeBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ FreeS/WAN\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Fujitsu\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Global Technology Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Hitachi\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ IBM\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ IP Filter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Ingrian Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Intel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Internet Initiative Japan (IIJ)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Intoto\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Juniper Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ KAME Project\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Linksys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Lotus Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Lucent Technologies\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Lucent Technologies\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ MandrakeSoft\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Microsoft Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ MontaVista Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Multi-Tech Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ NEC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ National Center for Supercomputing Applications (NCSA)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ National Institute of Standards and Technology (NIST)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ NetBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Netfilter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Network Appliance\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Network Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Nokia\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Nortel Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Novell\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ OpenBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Redback Networks Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Riverstone Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SCO\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SGI\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SSH Communications Security\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SafeNet\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Secure Computing Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SecureWorx\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Sony Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Stonesoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ SuSE Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ __ Sun Microsystems Inc.\n\nNotified: March 17, 2004 Updated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nThe Solaris Operating System has been determined not to be vulnerable to these issues. Sun is currently investigating the possible impact of these vulnerabilities to other Sun products which utilize the SSL protocol. \n \nPlease refer to the link below for further details and updates: \n \n<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57524>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Sun Alert Notification [57524](<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57524&zone_32=category%3Asecurity>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Symantec Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ TurboLinux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Unisys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ WatchGuard\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Wind River Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ Wirex\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ ZyXEL\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\n### __ eSoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23465542 Feedback>).\n\nView all 83 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.openssl.org>\n * <http://www.uniras.gov.uk/vuls/2004/224012/index.htm>\n * <http://cvs.openssl.org/chngview?cn=5721>\n * <http://cvs.openssl.org/chngview?cn=5722>\n * [http://cvs.openssl.org/getfile?v=1.618.2.137&f=openssl/CHANGES](<http://cvs.openssl.org/getfile?v=1.618.2.137&f=openssl/CHANGES>)\n * [http://cvs.openssl.org/getfile?v=1.954&f=openssl/CHANGES](<http://cvs.openssl.org/getfile?v=1.954&f=openssl/CHANGES>)\n\n### Acknowledgements\n\nThis vulnerability was reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).\n\nThis document was written by Damon Morda and Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0081](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0081>) \n---|--- \n**Severity Metric:****** | 5.16 \n**Date Public:** | 2004-03-17 \n**Date First Published:** | 2004-03-17 \n**Date Last Updated: ** | 2005-05-06 17:31 UTC \n**Document Revision: ** | 27 \n", "modified": "2005-05-06T17:31:00", "published": "2004-03-17T00:00:00", "id": "VU:465542", "href": "https://www.kb.cert.org/vuls/id/465542", "type": "cert", "title": "OpenSSL does not properly handle unknown message types", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-09T19:52:38", "bulletinFamily": "info", "description": "### Overview \n\nOpenSSL contains a vulnerability in code that processes SSL/TLS handshakes when configured to use the Kerberos cipher suites. This vulnerability could allow a remote attacker to cause OpenSSL to crash.\n\n### Description \n\n[OpenSSL](<http://www.openssl.org/>) implements the Secure Sockets Layer (SSL) and Transport Layer Security ([TLS](<http://www.ietf.org/rfc/rfc2246.txt>)) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. \n\nAccording to [RFC2712](<http://www.ietf.org/rfc/rfc2712.txt>), TLS allows clients and servers to negotiate cipher suites to meet specific security and administrative policies. In order to provide Kerberos-based authentication, TLS supports the Kerberos cipher suites. \n \nVersions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL contain a vulnerability in code that processes SSL/TLS handshakes using Kerberos cipher suites. This vulnerability can be exploited by a remote attacker using a specially crafted SSL/TLS handshake to a server configured to use the Kerberos cipher suites. When the server attempts to process this request, OpenSSL could crash. OpenSSL 0.9.6 is not affected. \n \nFurther information is available in an advisory from [OpenSSL](<http://www.openssl.org/news/secadv_20040317.txt>) and [NISCC/224012/OpenSSL/2](<http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-1204.txt>). \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL with Kerberos cipher suites. \n \n--- \n \n### Solution \n\n**Upgrade or Patch** \nUpgrade to OpenSSL 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries. \n \n--- \n \n### Vendor Information\n\n484726\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Computer Inc.\n\nNotified: March 17, 2004 Updated: May 06, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nThis is fixed in Security Update 2004-04-05, and further information is available from <http://docs.info.apple.com/article.html?artnum=61798>.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ OpenSSL\n\nUpdated: March 16, 2004 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ 3Com\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Alcatel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Apache\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ At&T\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Avaya\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ BSDI\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Borderware\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ COVERT Labs\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Certicom\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Check Point\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Cisco Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Clavister\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Computer Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Conectiva\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Covalent\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Cray Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ D-Link Systems\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Dan Bernstein\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Debian\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ EMC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Engarde\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Extreme Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ F-Secure\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ F5 Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Foundry Networks Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ FreeBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ FreeS/WAN\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Fujitsu\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Global Technology Associates\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Hewlett-Packard Company\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Hitachi\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ IBM\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ IP Filter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Ingrian Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Intel\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Internet Initiative Japan (IIJ)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Internet Initiative Japan (IIJ)\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Intoto\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Juniper Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ KAME Project\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Lachman\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Linksys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Lotus Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Lucent Technologies\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ MandrakeSoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Microsoft Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ MontaVista Software\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Multi-Tech Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Multinet\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NCSA\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NEC Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NETBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NETfilter\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NIST\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ NetScreen\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Network Appliance\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Nokia\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Nortel Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Novell\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ OpenBSD\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Openwall GNU/*/Linux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Red Hat Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Redback Networks Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Riverstone Networks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SCO\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SGI\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SSH Communications Security\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SafeNet\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Secure Computing Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SecureWorks\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Sequent\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Sony Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Stonesoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ SuSE Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Sun Microsystems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Symantec Corporation\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ TurboLinux\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Unisys\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ WatchGuard\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Wind River Systems Inc.\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ Wirex\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ ZyXEL\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\n### __ eSoft\n\nUpdated: March 18, 2004 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23484726 Feedback>).\n\nView all 85 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.openssl.org/news/secadv_20040317.txt>\n * <http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-1204.txt>\n * <http://www.openssl.org>\n * <http://www.ietf.org/rfc/rfc2712.txt>\n\n### Acknowledgements\n\nThis vulnerability was discovered by the OpenSSL Project and reported by the National Infrastructure Security Co-ordination Centre (NISCC).\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2004-0112](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0112>) \n---|--- \n**Severity Metric:****** | 10.32 \n**Date Public:** | 2004-03-17 \n**Date First Published:** | 2004-03-17 \n**Date Last Updated: ** | 2004-03-26 21:59 UTC \n**Document Revision: ** | 28 \n", "modified": "2004-03-26T21:59:00", "published": "2004-03-17T00:00:00", "id": "VU:484726", "href": "https://www.kb.cert.org/vuls/id/484726", "type": "cert", "title": "OpenSSL does not adequately validate length of Kerberos ticket during SSL/TLS handshake", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:47:14", "bulletinFamily": "unix", "description": "The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\nTransport Layer Security (TLS v1) protocols, and serves as a full-strength\ngeneral purpose cryptography library.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\nuncovered a null-pointer assignment in the do_change_cipher_spec() function\nin OpenSSL 0.9.6c-0.9.6k and 0.9.7a-0.9.7c. A remote attacker could\nperform a carefully crafted SSL/TLS handshake against a server that uses\nthe OpenSSL library in such a way as to cause OpenSSL to crash. Depending\non the application this could lead to a denial of service. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0079 to this issue.\n\nStephen Henson discovered a flaw in SSL/TLS handshaking code when using\nKerberos ciphersuites in OpenSSL 0.9.7a-0.9.7c. A remote attacker could\nperform a carefully crafted SSL/TLS handshake against a server configured\nto use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. \nMost applications have no ability to use Kerberos ciphersuites and will\ntherefore be unaffected by this issue. The Common Vulnerabilities and\nExposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to\nthis issue.\n\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\nuncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that may\nlead to a denial of service attack (infinite loop). The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0081 to this issue. This issue affects only the OpenSSL\ncompatibility packages shipped with Red Hat Enterprise Linux 3.\n\nThese updated packages contain patches provided by the OpenSSL group that\nprotect against these issues.\n\nAdditionally, the version of libica included in the OpenSSL packages has\nbeen updated to 1.3.5. This only affects IBM s390 and IBM eServer zSeries\ncustomers and is required for the latest openCryptoki packages.\n\nNOTE: Because server applications are affected by this issue, users are\nadvised to either restart all services that use OpenSSL functionality or\nrestart their systems after installing these updates.", "modified": "2017-07-29T20:28:33", "published": "2004-05-21T04:00:00", "id": "RHSA-2004:120", "href": "https://access.redhat.com/errata/RHSA-2004:120", "type": "redhat", "title": "(RHSA-2004:120) openssl security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:46:54", "bulletinFamily": "unix", "description": "The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\r\nTransport Layer Security (TLS v1) protocols, and serves as a full-strength\r\ngeneral purpose cryptography library.\r\n\r\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\r\nuncovered a null-pointer assignment in the do_change_cipher_spec()\r\nfunction. A remote attacker could perform a carefully crafted SSL/TLS\r\nhandshake against a server that uses the OpenSSL library in such a way as\r\nto cause OpenSSL to crash. Depending on the server this could lead to a\r\ndenial of service. (CVE-2004-0079)\r\n\r\nThis issue was reported as not affecting OpenSSL versions prior to 0.9.6c,\r\nand testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as\r\nshipped in Red Hat Enterprise Linux 2.1 did not crash. However, an\r\nalternative reproducer has been written which shows that this issue does\r\naffect versions of OpenSSL prior to 0.9.6c.\r\n\r\nUsers of OpenSSL are advised to upgrade to these updated packages, which \r\ncontain a patch provided by the OpenSSL group that protects against this issue.\r\n\r\nNOTE: Because server applications are affected by this issue, users are\r\nadvised to either restart all services that use OpenSSL functionality or\r\nrestart their systems after installing these updates.", "modified": "2018-03-14T19:26:07", "published": "2005-11-02T05:00:00", "id": "RHSA-2005:829", "href": "https://access.redhat.com/errata/RHSA-2005:829", "type": "redhat", "title": "(RHSA-2005:829) openssl security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:44:55", "bulletinFamily": "unix", "description": "The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\r\nTransport Layer Security (TLS v1) protocols, and serves as a full-strength\r\ngeneral purpose cryptography library. OpenSSL 0.9.6b libraries are provided\r\nfor Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy\r\napplications.\r\n\r\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\r\nuncovered a null-pointer assignment in the do_change_cipher_spec()\r\nfunction. A remote attacker could perform a carefully crafted SSL/TLS\r\nhandshake against a server that uses the OpenSSL library in such a way as\r\nto cause OpenSSL to crash. Depending on the server this could lead to a\r\ndenial of service. (CVE-2004-0079)\r\n\r\nThis issue was reported as not affecting OpenSSL versions prior to 0.9.6c,\r\nand testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as\r\nshipped as a compatibility library with Red Hat Enterprise Linux 3 and 4\r\ndid not crash. However, an alternative reproducer has been written which\r\nshows that this issue does affect versions of OpenSSL prior to 0.9.6c.\r\n\r\nNote that Red Hat does not ship any applications with Red Hat Enterprise\r\nLinux 3 or 4 that use these compatibility libraries. \r\n\r\nUsers of the OpenSSL096b compatibility package are advised to upgrade to\r\nthese updated packages, which contain a patch provided by the OpenSSL group\r\nthat protect against this issue.", "modified": "2017-09-08T12:06:50", "published": "2005-11-02T05:00:00", "id": "RHSA-2005:830", "href": "https://access.redhat.com/errata/RHSA-2005:830", "type": "redhat", "title": "(RHSA-2005:830) openssl096b security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:49", "bulletinFamily": "unix", "description": "### Background\n\nThe OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. \n\n### Description\n\n 1. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service. All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue. \n 2. A flaw has been discovered in SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos cipher suites and will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue. \n 3. Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop). This issue was traced to a fix that was added to OpenSSL 0.9.6d some time ago. This issue will affect vendors that ship older versions of OpenSSL with backported security patches. \n\n### Impact\n\nAlthough there are no public exploits known for bug, users are recommended to upgrade to ensure the security of their infrastructure. \n\n### Workaround\n\nThere is no immediate workaround; a software upgrade is required. The vulnerable function in the code has been rewritten. \n\n### Resolution\n\nAll users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m: \n \n \n # emerge sync\n # emerge -pv \">=dev-libs/openssl-0.9.7d\"\n # emerge \">=dev-libs/openssl-0.9.7d\"", "modified": "2006-05-22T00:00:00", "published": "2004-03-17T00:00:00", "id": "GLSA-200403-03", "href": "https://security.gentoo.org/glsa/200403-03", "type": "gentoo", "title": "Multiple OpenSSL Vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "f5": [{"lastseen": "2019-10-23T08:31:00", "bulletinFamily": "software", "description": "", "modified": "2018-07-03T23:20:00", "published": "2004-02-23T04:00:00", "id": "F5:K3082", "href": "https://support.f5.com/csp/article/K3082", "title": "Multiple vulnerabilities in OpenSSL - CAN-2004-0081, CAN-2004-0079, CAN-2004-0112", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisco": [{"lastseen": "2019-05-29T15:33:25", "bulletinFamily": "software", "description": "", "modified": "2004-03-17T13:00:00", "published": "2004-03-17T13:00:00", "id": "CISCO-SA-20040317-OPENSSL", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040317-openssl", "type": "cisco", "title": "Cisco OpenSSL Implementation Vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:59:55", "bulletinFamily": "unix", "description": "OpenSSL is an implementation of the Secure Socket Layer (SSL v2/3) and Transport Layer Security (TLS v1) protocol. The NISCC informed us about to failure conditions in openssl that can be triggered to crash applications that use the openssl library. The first bug occurs during SSL/TLS handshake in the function do_change_cipher_spec() due to a NULL pointer assignment. The second bug affects openssl version 0.9.7* only with Kerberos cipher-suite enabled and can be triggered during SSL/TLS handshake too.", "modified": "2004-03-17T13:37:40", "published": "2004-03-17T13:37:40", "id": "SUSE-SA:2004:007", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-03/msg00000.html", "title": "remote denial-of-service in openssl", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "unix", "description": "\nA remote attacker could cause an application using OpenSSL to\n\t crash by performing a specially crafted SSL/TLS handshake.\n", "modified": "2004-05-05T00:00:00", "published": "2004-03-17T00:00:00", "id": "68233CBA-7774-11D8-89ED-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/68233cba-7774-11d8-89ed-0020ed76ef5a.html", "title": "OpenSSL ChangeCipherSpec denial-of-service vulnerability", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "description": "## Vulnerability Description\nThe SSL/TLS handshaking code in OpenSSL does not properly check the length of Kerberos tickets during an SSL/TLS handshake when using Kerberos ciphersuites. This allows remote attackers to cause a denial of service by manipulating the parameters during SSL/TLS handshake, causing an out-of-bounds read and crashing OpenSSL.\n## Solution Description\nUpgrade to version 0.9.7d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nThe SSL/TLS handshaking code in OpenSSL does not properly check the length of Kerberos tickets during an SSL/TLS handshake when using Kerberos ciphersuites. This allows remote attackers to cause a denial of service by manipulating the parameters during SSL/TLS handshake, causing an out-of-bounds read and crashing OpenSSL.\n## References:\n[Vendor Specific Advisory URL](ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57524)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20041101-01-P.asc)\n[Vendor Specific Advisory URL](http://smoothwall.org/security/advisories/SWP-2004.003.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000834)\n[Vendor Specific Advisory URL](http://www.redhat.com/support/errata/RHSA-2004-121.html)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_07_openssl.html)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57571)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=302163)\nUS-CERT Cyber Security Alert: TA04-078A\n[Secunia Advisory ID:11278](https://secuniaresearch.flexerasoftware.com/advisories/11278/)\n[Secunia Advisory ID:13952](https://secuniaresearch.flexerasoftware.com/advisories/13952/)\n[Secunia Advisory ID:14088](https://secuniaresearch.flexerasoftware.com/advisories/14088/)\n[Secunia Advisory ID:16449](https://secuniaresearch.flexerasoftware.com/advisories/16449/)\n[Secunia Advisory ID:11228](https://secuniaresearch.flexerasoftware.com/advisories/11228/)\n[Secunia Advisory ID:11565](https://secuniaresearch.flexerasoftware.com/advisories/11565/)\n[Secunia Advisory ID:11175](https://secuniaresearch.flexerasoftware.com/advisories/11175/)\n[Secunia Advisory ID:11795](https://secuniaresearch.flexerasoftware.com/advisories/11795/)\n[Secunia Advisory ID:12193](https://secuniaresearch.flexerasoftware.com/advisories/12193/)\n[Related OSVDB ID: 4317](https://vulners.com/osvdb/OSVDB:4317)\n[Related OSVDB ID: 4318](https://vulners.com/osvdb/OSVDB:4318)\nOther Advisory URL: http://www.openssl.org/news/secadv_20040317.txt\nOther Advisory URL: http://www.uniras.gov.uk/vuls/2004/224012/index.htm\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7/SCOSA-2005.7.txt\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10\nOther Advisory URL: http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml\nISS X-Force ID: 15508\nGeneric Informational URL: http://news.com.com/Apple+unloads+dozens+of+fixes+for+OS+X/2100-1002_3-5834873.html\n[CVE-2004-0112](https://vulners.com/cve/CVE-2004-0112)\nBugtraq ID: 9899\n", "modified": "2004-03-17T08:13:37", "published": "2004-03-17T08:13:37", "href": "https://vulners.com/osvdb/OSVDB:4316", "id": "OSVDB:4316", "type": "osvdb", "title": "OpenSSL Kerberos SSL/TLS Handshake DoS ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "description": "## Vulnerability Description\nOpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when a null-pointer assignment in the do_change_cipher_spec() function is accessed via a carefully crafted SSL/TLS handshake. This might cause some applications that depend on OpenSSL to crash or otherwise lead to a denial of service, and will result in loss of availability for OpenSSL or the application that is depending on it.\n## Solution Description\nUpgrade to version 0.9.6l, 0.9.7d, or higher and recompile all applications which statically link to OpenSSL, as this has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch.\n## Short Description\nOpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when a null-pointer assignment in the do_change_cipher_spec() function is accessed via a carefully crafted SSL/TLS handshake. This might cause some applications that depend on OpenSSL to crash or otherwise lead to a denial of service, and will result in loss of availability for OpenSSL or the application that is depending on it.\n## References:\n[Vendor Specific Advisory URL](http://www.tarantella.com/security/bulletin-10.html)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57524)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=61798)\n[Vendor Specific Advisory URL](http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.455961)\n[Vendor Specific Advisory URL](http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO58123&os=NT&returninput=0)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20041101-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2005-239.htm)\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/advisories/engarde_advisory-4136.html)\n[Vendor Specific Advisory URL](http://smoothwall.org/security/advisories/SWP-2004.003.html)\n[Vendor Specific Advisory URL](http://www.stonesoft.com/document/art/3123.html)\n[Vendor Specific Advisory URL](http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000834)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2004/dsa-465)\n[Vendor Specific Advisory URL](http://www.redhat.com/support/errata/RHSA-2004-121.html)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2004_07_openssl.html)\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/advisories/trustix_advisory-4152.html)\n[Vendor Specific Advisory URL](http://www.linuxsecurity.com/advisories/gentoo_advisory-4149.html)\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57571)\n[Vendor Specific Advisory URL](ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc)\n[Vendor Specific Advisory URL](http://support.novell.com/cgi-bin/search/searchtid.cgi?/2968981.htm)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=302163)\n[Vendor Specific Advisory URL](http://www.juniper.net/support/security/alerts/adv58466-2.txt)\nUS-CERT Cyber Security Alert: TA04-078A\n[Secunia Advisory ID:11278](https://secuniaresearch.flexerasoftware.com/advisories/11278/)\n[Secunia Advisory ID:11254](https://secuniaresearch.flexerasoftware.com/advisories/11254/)\n[Secunia Advisory ID:13952](https://secuniaresearch.flexerasoftware.com/advisories/13952/)\n[Secunia Advisory ID:14088](https://secuniaresearch.flexerasoftware.com/advisories/14088/)\n[Secunia Advisory ID:16449](https://secuniaresearch.flexerasoftware.com/advisories/16449/)\n[Secunia Advisory ID:17757](https://secuniaresearch.flexerasoftware.com/advisories/17757/)\n[Secunia Advisory ID:18247](https://secuniaresearch.flexerasoftware.com/advisories/18247/)\n[Secunia Advisory ID:11228](https://secuniaresearch.flexerasoftware.com/advisories/11228/)\n[Secunia Advisory ID:11565](https://secuniaresearch.flexerasoftware.com/advisories/11565/)\n[Secunia Advisory ID:11728](https://secuniaresearch.flexerasoftware.com/advisories/11728/)\n[Secunia Advisory ID:17381](https://secuniaresearch.flexerasoftware.com/advisories/17381/)\n[Secunia Advisory ID:17398](https://secuniaresearch.flexerasoftware.com/advisories/17398/)\n[Secunia Advisory ID:11175](https://secuniaresearch.flexerasoftware.com/advisories/11175/)\n[Secunia Advisory ID:11795](https://secuniaresearch.flexerasoftware.com/advisories/11795/)\n[Secunia Advisory ID:12193](https://secuniaresearch.flexerasoftware.com/advisories/12193/)\n[Secunia Advisory ID:12241](https://secuniaresearch.flexerasoftware.com/advisories/12241/)\n[Secunia Advisory ID:17401](https://secuniaresearch.flexerasoftware.com/advisories/17401/)\n[Related OSVDB ID: 4316](https://vulners.com/osvdb/OSVDB:4316)\n[Related OSVDB ID: 4318](https://vulners.com/osvdb/OSVDB:4318)\nRedHat RHSA: RHSA-2005:829\nRedHat RHSA: RHSA-2005:830\nOther Advisory URL: http://www.openssl.org/news/secadv_20040317.txt\nOther Advisory URL: http://www.uniras.gov.uk/vuls/2004/224012/index.htm\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7/SCOSA-2005.7.txt\nOther Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20051101-01-U.asc\nOther Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10\nOther Advisory URL: http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml\nISS X-Force ID: 15505\nGeneric Informational URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005\nGeneric Informational URL: http://news.com.com/Apple+unloads+dozens+of+fixes+for+OS+X/2100-1002_3-5834873.html\nGeneric Exploit URL: http://www.codenomicon.com/testtools/tls/\n[CVE-2004-0079](https://vulners.com/cve/CVE-2004-0079)\nBugtraq ID: 9899\n", "modified": "2004-03-17T08:13:37", "published": "2004-03-17T08:13:37", "href": "https://vulners.com/osvdb/OSVDB:4317", "id": "OSVDB:4317", "type": "osvdb", "title": "OpenSSL SSL/TLS Handshake Null Pointer DoS ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-05-29T18:33:40", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:830\n\n\nThe OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\r\nTransport Layer Security (TLS v1) protocols, and serves as a full-strength\r\ngeneral purpose cryptography library. OpenSSL 0.9.6b libraries are provided\r\nfor Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy\r\napplications.\r\n\r\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\r\nuncovered a null-pointer assignment in the do_change_cipher_spec()\r\nfunction. A remote attacker could perform a carefully crafted SSL/TLS\r\nhandshake against a server that uses the OpenSSL library in such a way as\r\nto cause OpenSSL to crash. Depending on the server this could lead to a\r\ndenial of service. (CVE-2004-0079)\r\n\r\nThis issue was reported as not affecting OpenSSL versions prior to 0.9.6c,\r\nand testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as\r\nshipped as a compatibility library with Red Hat Enterprise Linux 3 and 4\r\ndid not crash. However, an alternative reproducer has been written which\r\nshows that this issue does affect versions of OpenSSL prior to 0.9.6c.\r\n\r\nNote that Red Hat does not ship any applications with Red Hat Enterprise\r\nLinux 3 or 4 that use these compatibility libraries. \r\n\r\nUsers of the OpenSSL096b compatibility package are advised to upgrade to\r\nthese updated packages, which contain a patch provided by the OpenSSL group\r\nthat protect against this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012352.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012354.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012357.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012358.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012370.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012371.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012373.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012374.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012375.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012376.html\n\n**Affected packages:**\nopenssl096b\nwget\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2005-812.html\nhttps://rhn.redhat.com/errata/RHSA-2005-830.html", "modified": "2005-11-03T05:14:15", "published": "2005-11-02T17:10:22", "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012352.html", "id": "CESA-2005:830", "title": "openssl096b, wget security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:14", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:829-00\n\n\nThe OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),\r\nTransport Layer Security (TLS v1) protocols, and serves as a full-strength\r\ngeneral purpose cryptography library.\r\n\r\nTesting performed by the OpenSSL group using the Codenomicon TLS Test Tool\r\nuncovered a null-pointer assignment in the do_change_cipher_spec()\r\nfunction. A remote attacker could perform a carefully crafted SSL/TLS\r\nhandshake against a server that uses the OpenSSL library in such a way as\r\nto cause OpenSSL to crash. Depending on the server this could lead to a\r\ndenial of service. (CVE-2004-0079)\r\n\r\nThis issue was reported as not affecting OpenSSL versions prior to 0.9.6c,\r\nand testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as\r\nshipped in Red Hat Enterprise Linux 2.1 did not crash. However, an\r\nalternative reproducer has been written which shows that this issue does\r\naffect versions of OpenSSL prior to 0.9.6c.\r\n\r\nUsers of OpenSSL are advised to upgrade to these updated packages, which \r\ncontain a patch provided by the OpenSSL group that protects against this issue.\r\n\r\nNOTE: Because server applications are affected by this issue, users are\r\nadvised to either restart all services that use OpenSSL functionality or\r\nrestart their systems after installing these updates.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-November/012378.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-perl\nopenssl095a\nopenssl096\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "modified": "2005-11-03T05:24:10", "published": "2005-11-03T05:24:10", "href": "http://lists.centos.org/pipermail/centos-announce/2005-November/012378.html", "id": "CESA-2005:829-00", "title": "openssl, openssl095a, openssl096 security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:18", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 465-1 security@debian.org\nhttp://www.debian.org/security/ Matt Zimmerman\nMarch 17th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : openssl,openssl094,openssl095\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE Ids : CAN-2004-0079 CAN-2004-0081\n\nTwo vulnerabilities were discovered in openssl, an implementation of\nthe SSL protocol, using the Codenomicon TLS Test Tool. More\ninformation can be found in the following NISCC Vulnerability\nAdvisory:\n\nhttp://www.uniras.gov.uk/vuls/2004/224012/index.htm\n\nand this OpenSSL advisory:\n\nhttp://www.openssl.org/news/secadv_20040317.txt\n\n - CAN-2004-0079 - null-pointer assignment in the\n do_change_cipher_spec() function. A remote attacker could perform\n a carefully crafted SSL/TLS handshake against a server that used\n the OpenSSL library in such a way as to cause OpenSSL to crash.\n Depending on the application this could lead to a denial of\n service.\n\n - CAN-2004-0081 - a bug in older versions of OpenSSL 0.9.6 that\n can lead to a Denial of Service attack (infinite loop).\n\nFor the stable distribution (woody) these problems have been fixed in\nopenssl version 0.9.6c-2.woody.6, openssl094 version 0.9.4-6.woody.4\nand openssl095 version 0.9.5a-6.woody.5.\n\nFor the unstable distribution (sid) these problems will be fixed soon.\n\nWe recommend that you update your openssl package.\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.dsc\n Size/MD5 checksum: 632 c12536a01aca47e52d17e22310acbdd7\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.diff.gz\n Size/MD5 checksum: 44829 7478b91c110b6f1e52cf459cb44c07e1\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz\n Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc\n http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.dsc\n Size/MD5 checksum: 624 e10b520a03dc6a86acd3609ed390bf21\n http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.diff.gz\n Size/MD5 checksum: 46851 5108530e438a6c00458fb034db238392\n http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz\n Size/MD5 checksum: 1570392 72544daea16d6c99d656b95f77b01b2d\n http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.dsc\n Size/MD5 checksum: 631 0548af08e7b80fe2c7e73108bf352230\n http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.diff.gz\n Size/MD5 checksum: 39190 837e26caaf8c22a566dbefdd6ffc56ea\n http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz\n Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4\n\n Architecture independent components:\n\n http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.6_all.deb\n Size/MD5 checksum: 980 be0ff309c754f9eb062bdc7d65a71819\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_alpha.deb\n Size/MD5 checksum: 1551564 72e47db6c9dcda4e5a6acf92a1ea2101\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_alpha.deb\n Size/MD5 checksum: 571350 cfd18f4a40a6cffbbaef2f14f4e94aa1\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_alpha.deb\n Size/MD5 checksum: 736410 f16961ca1e20d6f88f9bf99aa94b817b\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_alpha.deb\n Size/MD5 checksum: 497332 066bc60aaa29ae1fb0d24c7c46a7e0cd\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_arm.deb\n Size/MD5 checksum: 1358118 42ee5f1969cae9faee362fad210422da\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_arm.deb\n Size/MD5 checksum: 474164 8ca5f15c012b6eb5bad33bf27180b9e1\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_arm.deb\n Size/MD5 checksum: 729876 259449511f610538b0429ad552d627e9\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_arm.deb\n Size/MD5 checksum: 402664 6c3c6fb33553e370d966161c44371eed\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_i386.deb\n Size/MD5 checksum: 1290986 ee3f1bd5dc3de3e7dff6e945e73bf7b1\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_i386.deb\n Size/MD5 checksum: 461870 8d24ba643ce45cf495d775fa7062e53e\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_i386.deb\n Size/MD5 checksum: 723346 e258d6e5c4e79767d1b75ae29a103a6d\n http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.3_i386.deb\n Size/MD5 checksum: 358500 92eb1693ec21ca108f0d06932ce4f9db\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_i386.deb\n Size/MD5 checksum: 399952 068f0a3443cbebbd23571df0170cad84\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_ia64.deb\n Size/MD5 checksum: 1615338 e59a7278d4d972943247b83d57e1712b\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_ia64.deb\n Size/MD5 checksum: 711170 bb0b97f071f942d23d2f7f5362c34c06\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_ia64.deb\n Size/MD5 checksum: 763566 e3ebf464f440dbd86ae18c1b25ebac0f\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_hppa.deb\n Size/MD5 checksum: 1435466 2c77d74ee8c1aaf6bebf02538f307ef6\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_hppa.deb\n Size/MD5 checksum: 565020 9133258c424eadf23b659993439e4147\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_hppa.deb\n Size/MD5 checksum: 742002 a5222dc5116da8dce774643cb09925bb\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_m68k.deb\n Size/MD5 checksum: 1266746 94ce507777c7889cac278a1701bfa07d\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_m68k.deb\n Size/MD5 checksum: 450742 cdb074142fb09b42b44d581bfe39f3b6\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_m68k.deb\n Size/MD5 checksum: 720494 1c563a7eb888efbe767caf60d58d60c3\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_m68k.deb\n Size/MD5 checksum: 376910 1976f00b903cbf56c3fecd8746bcdb13\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_mips.deb\n Size/MD5 checksum: 1416298 3784e3df38ca0e7429ebc3bd3443a751\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_mips.deb\n Size/MD5 checksum: 483772 781e99d232b8cb2d8eb2ffd7872be3cd\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_mips.deb\n Size/MD5 checksum: 717852 f40b33d0bf0259121d73eb24d765c95d\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mips.deb\n Size/MD5 checksum: 412764 6b1c44e692941adab697af4f9bc548d9\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.5_mipsel.deb\n Size/MD5 checksum: 1410210 51022eaeba69faf250c2bec4384c399b\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.5_mipsel.deb\n Size/MD5 checksum: 476744 76be9bc27f5fe75f05ecf0a1b3a54f3c\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.5_mipsel.deb\n Size/MD5 checksum: 717148 047c9f61de01b84f73dc18a5b2e7c507\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mipsel.deb\n Size/MD5 checksum: 407554 98928a0620c1fef51662c4f03ef56de6\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_powerpc.deb\n Size/MD5 checksum: 1386978 6e7b16a9bb3e2e780ef76408f516e760\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_powerpc.deb\n Size/MD5 checksum: 502578 ad9b8b2222b035154fae759f1a1f6a29\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_powerpc.deb\n Size/MD5 checksum: 726792 7a1881432528a890c0ca9800fc33b6c2\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_powerpc.deb\n Size/MD5 checksum: 425652 43e11b5bc3ed981c2c68418cbafa37e2\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_s390.deb\n Size/MD5 checksum: 1326484 663c1bd6518a284d2fde11ff5d728506\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_s390.deb\n Size/MD5 checksum: 510582 61670cd45b446474caaae9fd7bac74b0\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_s390.deb\n Size/MD5 checksum: 731686 6e5f1c96f5c0d1c78ed74b6f90d15e2d\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_sparc.deb\n Size/MD5 checksum: 1344384 f383f9926645f06e8458c4f4cdf9c4b5\n http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_sparc.deb\n Size/MD5 checksum: 484864 76b6f3d6b33969295aa38b4285b4bc16\n http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_sparc.deb\n Size/MD5 checksum: 737280 9f57ba959daa989b54b214ebbb8824a4\n http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_sparc.deb\n Size/MD5 checksum: 412390 a596f5a5a4df199a088c86e96e3eae9b\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "modified": "2004-03-17T00:00:00", "published": "2004-03-17T00:00:00", "id": "DEBIAN:DSA-465-1:89280", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00062.html", "title": "[SECURITY] [DSA 465-1] New openssl packages fix multiple vulnerabilities", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:11", "bulletinFamily": "unix", "description": "[1.0.1m-2.0.1]\n- update to upstream 1.0.1m\n- update to fips canister 2.0.9\n- regenerated below patches\n openssl-1.0.1-beta2-rpmbuild.patch\n openssl-1.0.1m-rhcompat.patch\n openssl-1.0.1m-ecc-suiteb.patch\n openssl-1.0.1m-fips-mode.patch\n openssl-1.0.1m-version.patch\n openssl-1.0.1m-evp-devel.patch\n[1.0.1j-2.0.4]\n- [Orabug 20182267] The openssl-fips-devel package should Provide:\n openssl-devel and openssl-devel(x86-64) like the standard -devel\n package\n- The openssl-fips-devel package should include fips.h and fips_rand.h\n for apps that want to build against FIPS* APIs\n[1.0.1j-2.0.3]\n- [Orabug 20086847] reintroduce patch openssl-1.0.1e-ecc-suiteb.patch,\n update ec_curve.c which gets copied into build tree to match the patch\n (ie only have curves which are advertised). The change items from the\n orignal patch are as follows:\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1j-2.0.2]\n- update README.FIPS with step-by-step install instructions\n[1.0.1j-2.0.1]\n- update to upstream 1.0.1j\n- change name to openssl-fips\n- change Obsoletes: openssl to Conflicts: openssl\n- add Provides: openssl\n[1.0.1i-2.0.3.fips]\n- update to fips canister 2.0.8 to remove Dual EC DRBG\n- run gcc -v so the gcc build version is captured in the build log\n[1.0.1i-2.0.2.fips]\n- flip EVP_CIPH_* flag bits for compatibility with original RH patched pkg\n[1.0.1i-2.0.1.fips]\n- build against upstream 1.0.1i\n- build against fips validated canister 2.0.7\n- add patch to support fips=1\n- rename pkg to openssl-fips and Obsolete openssl\n[1.0.1e-16.14]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-16.7]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-16.4]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n[1.0.1e-16.3]\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1.0.1e-16.2]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n[1.0.1e-16.1]\n- add back some no-op symbols that were inadvertently dropped\n[1.0.1e-16]\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1e-15]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n[1.0.1e-14]\n- installation of dracut-fips marks that the FIPS module is installed\n[1.0.1e-13]\n- avoid dlopening libssl.so from libcrypto\n[1.0.1e-12]\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-11]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n[1.0.1e-9]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-8]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-7]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-6]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-5]\n- use _prefix macro\n[1.0.1e-4]\n- add relro linking flag\n[1.0.1e-2]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-1]\n- rebase to the 1.0.1e upstream version\n[1.0.0-28]\n- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)\n- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)\n- enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB\n environment variable is set (fixes CVE-2012-4929 #857051)\n- use __secure_getenv() everywhere instead of getenv() (#839735)\n[1.0.0-27]\n- fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)\n- drop superfluous lib64 fixup in pkgconfig .pc files (#770872)\n- force BIO_accept_new(*:\n) to listen on IPv4\n[1.0.0-26]\n- use PKCS#8 when writing private keys in FIPS mode as the old\n PEM encryption mode is not FIPS compatible (#812348)\n[1.0.0-25]\n- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)\n- properly initialize tkeylen in the CVE-2012-0884 fix\n[1.0.0-24]\n- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)\n[1.0.0-23]\n- fix problem with the SGC restart patch that might terminate handshake\n incorrectly\n- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)\n- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)\n[1.0.0-22]\n- fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes\n[1.0.0-21]\n- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery\n vulnerability and additional DTLS fixes (#771770)\n- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)\n- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)\n- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)\n[1.0.0-20]\n- fix x86cpuid.pl - patch by Paolo Bonzini\n[1.0.0-19]\n- add known answer test for SHA2 algorithms\n[1.0.0-18]\n- fix missing initialization of a variable in the CHIL engine (#740188)\n[1.0.0-17]\n- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207\n (#736087)\n[1.0.0-16]\n- merge the optimizations for AES-NI, SHA1, and RC4 from the intelx\n engine to the internal implementations\n[1.0.0-15]\n- better documentation of the available digests in apps (#693858)\n- backported CHIL engine fixes (#693863)\n- allow testing build without downstream patches (#708511)\n- enable partial RELRO when linking (#723994)\n- add intelx engine with improved performance on new Intel CPUs\n- add OPENSSL_DISABLE_AES_NI environment variable which disables\n the AES-NI support (does not affect the intelx engine)\n[1.0.0-14]\n- use the AES-NI engine in the FIPS mode\n[1.0.0-11]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0-10]\n- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)\n- correct the README.FIPS document\n[1.0.0-8]\n- add -x931 parameter to openssl genrsa command to use the ANSI X9.31\n key generation method\n- use FIPS-186-3 method for DSA parameter generation\n- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable\n to allow using MD5 when the system is in the maintenance state\n even if the /proc fips flag is on\n- make openssl pkcs12 command work by default in the FIPS mode\n[1.0.0-7]\n- listen on ipv6 wildcard in s_server so we accept connections\n from both ipv4 and ipv6 (#601612)\n- fix openssl speed command so it can be used in the FIPS mode\n with FIPS allowed ciphers (#619762)\n[1.0.0-6]\n- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864\n (#649304)\n[1.0.0-5]\n- fix race in extension parsing code - CVE-2010-3864 (#649304)\n[1.0.0-4]\n- openssl man page fix (#609484)\n[1.0.0-3]\n- fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)\n- fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)\n[1.0.0-2]\n- make CA dir readable - the private keys are in private subdir (#584810)\n- a few fixes from upstream CVS\n- make X509_NAME_hash_old work in FIPS mode (#568395)\n[1.0.0-1]\n- update to final 1.0.0 upstream release\n[1.0.0-0.22.beta5]\n- make TLS work in the FIPS mode\n[1.0.0-0.21.beta5]\n- gracefully handle zero length in assembler implementations of\n OPENSSL_cleanse (#564029)\n- do not fail in s_server if client hostname not resolvable (#561260)\n[1.0.0-0.20.beta5]\n- new upstream release\n[1.0.0-0.19.beta4]\n- fix CVE-2009-4355 - leak in applications incorrectly calling\n CRYPTO_free_all_ex_data() before application exit (#546707)\n- upstream fix for future TLS protocol version handling\n[1.0.0-0.18.beta4]\n- add support for Intel AES-NI\n[1.0.0-0.17.beta4]\n- upstream fix compression handling on session resumption\n- various null checks and other small fixes from upstream\n- upstream changes for the renegotiation info according to the latest draft\n[1.0.0-0.16.beta4]\n- fix non-fips mingw build (patch by Kalev Lember)\n- add IPV6 fix for DTLS\n[1.0.0-0.15.beta4]\n- add better error reporting for the unsafe renegotiation\n[1.0.0-0.14.beta4]\n- fix build on s390x\n[1.0.0-0.13.beta4]\n- disable enforcement of the renegotiation extension on the client (#537962)\n- add fixes from the current upstream snapshot\n[1.0.0-0.12.beta4]\n- keep the beta status in version number at 3 so we do not have to rebuild\n openssh and possibly other dependencies with too strict version check\n[1.0.0-0.11.beta4]\n- update to new upstream version, no soname bump needed\n- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used\n so the compatibility with unfixed clients is not broken. The\n protocol extension is also not final.\n[1.0.0-0.10.beta3]\n- fix use of freed memory if SSL_CTX_free() is called before\n SSL_free() (#521342)\n[1.0.0-0.9.beta3]\n- fix typo in DTLS1 code (#527015)\n- fix leak in error handling of d2i_SSL_SESSION()\n[1.0.0-0.8.beta3]\n- fix RSA and DSA FIPS selftests\n- reenable fixed x86_64 camellia assembler code (#521127)\n[1.0.0-0.7.beta3]\n- temporarily disable x86_64 camellia assembler code (#521127)\n[1.0.0-0.6.beta3]\n- fix openssl dgst -dss1 (#520152)\n[1.0.0-0.5.beta3]\n- drop the compat symlink hacks\n[1.0.0-0.4.beta3]\n- constify SSL_CIPHER_description()\n[1.0.0-0.3.beta3]\n- fix WWW:Curl:Easy reference in tsget\n[1.0.0-0.2.beta3]\n- enable MD-2\n[1.0.0-0.1.beta3]\n- update to new major upstream release\n[0.9.8k-7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild\n* Wed Jul 22 2009 Bill Nottingham \n- do not build special 'optimized' versions for i686, as that's the base\n arch in Fedora now\n[0.9.8k-6]\n- abort if selftests failed and random number generator is polled\n- mention EVP_aes and EVP_sha2xx routines in the manpages\n- add README.FIPS\n- make CA dir absolute path (#445344)\n- change default length for RSA key generation to 2048 (#484101)\n[0.9.8k-5]\n- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379\n (DTLS DoS problems) (#501253, #501254, #501572)\n[0.9.8k-4]\n- support compatibility DTLS mode for CISCO AnyConnect (#464629)\n[0.9.8k-3]\n- correct the SHLIB_VERSION define\n[0.9.8k-2]\n- add support for multiple CRLs with same subject\n- load only dynamic engine support in FIPS mode\n[0.9.8k-1]\n- update to new upstream release (minor bug fixes, security\n fixes and machine code optimizations only)\n[0.9.8j-10]\n- move libraries to /usr/lib (#239375)\n[0.9.8j-9]\n- add a static subpackage\n[0.9.8j-8]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n[0.9.8j-7]\n- must also verify checksum of libssl.so in the FIPS mode\n- obtain the seed for FIPS rng directly from the kernel device\n- drop the temporary symlinks\n[0.9.8j-6]\n- drop the temporary triggerpostun and symlinking in post\n- fix the pkgconfig files and drop the unnecessary buildrequires\n on pkgconfig as it is a rpmbuild dependency (#481419)\n[0.9.8j-5]\n- add temporary triggerpostun to reinstate the symlinks\n[0.9.8j-4]\n- no pairwise key tests in non-fips mode (#479817)\n[0.9.8j-3]\n- even more robust test for the temporary symlinks\n[0.9.8j-2]\n- try to ensure the temporary symlinks exist\n[0.9.8j-1]\n- new upstream version with necessary soname bump (#455753)\n- temporarily provide symlink to old soname to make it possible to rebuild\n the dependent packages in rawhide\n- add eap-fast support (#428181)\n- add possibility to disable zlib by setting\n- add fips mode support for testing purposes\n- do not null dereference on some invalid smime files\n- add buildrequires pkgconfig (#479493)\n[0.9.8g-11]\n- do not add tls extensions to server hello for SSLv3 either\n[0.9.8g-10]\n- move root CA bundle to ca-certificates package\n[0.9.8g-9]\n- fix CVE-2008-0891 - server name extension crash (#448492)\n- fix CVE-2008-1672 - server key exchange message omit crash (#448495)\n[0.9.8g-8]\n- super-H arch support\n- drop workaround for bug 199604 as it should be fixed in gcc-4.3\n[0.9.8g-7]\n- sparc handling\n[0.9.8g-6]\n- update to new root CA bundle from mozilla.org (r1.45)\n[0.9.8g-5]\n- Autorebuild for GCC 4.3\n[0.9.8g-4]\n- merge review fixes (#226220)\n- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)\n[0.9.8g-3]\n- set default paths when no explicit paths are set (#418771)\n- do not add tls extensions to client hello for SSLv3 (#422081)\n[0.9.8g-2]\n- enable some new crypto algorithms and features\n- add some more important bug fixes from openssl CVS\n[0.9.8g-1]\n- update to latest upstream release, SONAME bumped to 7\n[0.9.8b-17]\n- update to new CA bundle from mozilla.org\n[0.9.8b-16]\n- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)\n- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)\n- add alpha sub-archs (#296031)\n[0.9.8b-15]\n- rebuild\n[0.9.8b-14]\n- use localhost in testsuite, hopefully fixes slow build in koji\n- CVE-2007-3108 - fix side channel attack on private keys (#250577)\n- make ssl session cache id matching strict (#233599)\n[0.9.8b-13]\n- allow building on ARM architectures (#245417)\n- use reference timestamps to prevent multilib conflicts (#218064)\n- -devel package must require pkgconfig (#241031)\n[0.9.8b-12]\n- detect duplicates in add_dir properly (#206346)\n[0.9.8b-11]\n- the previous change still didn't make X509_NAME_cmp transitive\n[0.9.8b-10]\n- make X509_NAME_cmp transitive otherwise certificate lookup\n is broken (#216050)\n[0.9.8b-9]\n- aliasing bug in engine loading, patch by IBM (#213216)\n[0.9.8b-8]\n- CVE-2006-2940 fix was incorrect (#208744)\n[0.9.8b-7]\n- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)\n- fix CVE-2006-2940 - parasitic public keys DoS (#207274)\n- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)\n- fix CVE-2006-4343 - sslv2 client DoS (#206940)\n[0.9.8b-6]\n- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)\n[0.9.8b-5]\n- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)\n patch by IBM\n[0.9.8b-4.1]\n- rebuild with new binutils (#200330)\n[0.9.8b-4]\n- add a temporary workaround for sha512 test failure on s390 (#199604)\n* Thu Jul 20 2006 Tomas Mraz \n- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)\n- add patches for BN threadsafety, AES cache collision attack hazard fix and\n pkcs7 code memleak fix from upstream CVS\n[0.9.8b-3.1]\n- rebuild\n[0.9.8b-3]\n- dropped libica and ica engine from build\n* Wed Jun 21 2006 Joe Orton \n- update to new CA bundle from mozilla.org; adds CA certificates\n from netlock.hu and startcom.org\n[0.9.8b-2]\n- fixed a few rpmlint warnings\n- better fix for #173399 from upstream\n- upstream fix for pkcs12\n[0.9.8b-1]\n- upgrade to new version, stays ABI compatible\n- there is no more linux/config.h (it was empty anyway)\n[0.9.8a-6]\n- fix stale open handles in libica (#177155)\n- fix build if 'rand' or 'passwd' in buildroot path (#178782)\n- initialize VIA Padlock engine (#186857)\n[0.9.8a-5.2]\n- bump again for double-long bug on ppc(64)\n[0.9.8a-5.1]\n- rebuilt for new gcc4.1 snapshot and glibc changes\n[0.9.8a-5]\n- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n in SSL_OP_ALL (#175779)\n* Fri Dec 09 2005 Jesse Keating \n- rebuilt\n[0.9.8a-4]\n- fix build (-lcrypto was erroneusly dropped) of the updated libica\n- updated ICA engine to 1.3.6-rc3\n[0.9.8a-3]\n- disable builtin compression methods for now until they work\n properly (#173399)\n[0.9.8a-2]\n- don't set -rpath for openssl binary\n[0.9.8a-1]\n- new upstream version\n- patches partially renumbered\n[0.9.7f-11]\n- updated IBM ICA engine library and patch to latest upstream version\n[0.9.7f-10]\n- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which\n disables the countermeasure against man in the middle attack in SSLv2\n (#169863)\n- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)\n[0.9.7f-9]\n- add *.so.soversion as symlinks in /lib (#165264)\n- remove unpackaged symlinks (#159595)\n- fixes from upstream (constant time fixes for DSA,\n bn assembler div on ppc arch, initialize memory on realloc)\n[0.9.7f-8]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7f-7]\n- fix CAN-2005-0109 - use constant time/memory access mod_exp\n so bits of private key aren't leaked by cache eviction (#157631)\n- a few more fixes from upstream 0.9.7g\n[0.9.7f-6]\n- use poll instead of select in rand (#128285)\n- fix Makefile.certificate to point to /etc/pki/tls\n- change the default string mask in ASN1 to PrintableString+UTF8String\n[0.9.7f-5]\n- update to revision 1.37 of Mozilla CA bundle\n[0.9.7f-4]\n- move certificates to _sysconfdir/pki/tls (#143392)\n- move CA directories to _sysconfdir/pki/CA\n- patch the CA script and the default config so it points to the\n CA directories\n[0.9.7f-3]\n- uninitialized variable mustn't be used as input in inline\n assembly\n- reenable the x86_64 assembly again\n[0.9.7f-2]\n- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken\n- disable broken bignum assembly on x86_64\n[0.9.7f-1]\n- reenable optimizations on ppc64 and assembly code on ia64\n- upgrade to new upstream version (no soname bump needed)\n- disable thread test - it was testing the backport of the\n RSA blinding - no longer needed\n- added support for changing serial number to\n Makefile.certificate (#151188)\n- make ca-bundle.crt a config file (#118903)\n[0.9.7e-3]\n- libcrypto shouldn't depend on libkrb5 (#135961)\n[0.9.7e-2]\n- rebuild\n[0.9.7e-1]\n- new upstream source, updated patches\n- added patch so we are hopefully ABI compatible with upcoming\n 0.9.7f\n* Thu Feb 10 2005 Tomas Mraz \n- Support UTF-8 charset in the Makefile.certificate (#134944)\n- Added cmp to BuildPrereq\n[0.9.7a-46]\n- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)\n[0.9.7a-45]\n- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)\n[0.9.7a-44]\n- rebuild\n[0.9.7a-43]\n- rebuild\n[0.9.7a-42]\n- rebuild\n[0.9.7a-41]\n- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)\n[0.9.7a-40]\n- Include latest libica version with important bugfixes\n* Tue Jun 15 2004 Elliot Lee \n- rebuilt\n[0.9.7a-38]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7a-37]\n- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)\n[0.9.7a-36]\n- handle %{_arch}=i486/i586/i686/athlon cases in the intermediate\n header (#124303)\n[0.9.7a-35]\n- add security fixes for CAN-2004-0079, CAN-2004-0112\n* Tue Mar 16 2004 Phil Knirsch \n- Fixed libica filespec.\n[0.9.7a-34]\n- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix\n the intermediate header\n[0.9.7a-33]\n- add an intermediate \n which points to the right\n arch-specific opensslconf.h on multilib arches\n* Tue Mar 02 2004 Elliot Lee \n- rebuilt\n[0.9.7a-32]\n- Updated libica to latest upstream version 1.3.5.\n[0.9.7a-31]\n- Update ICA crypto engine patch from IBM to latest version.\n* Fri Feb 13 2004 Elliot Lee \n- rebuilt\n[0.9.7a-29]\n- rebuilt\n[0.9.7a-28]\n- Fixed libica build.\n* Wed Feb 04 2004 Nalin Dahyabhai \n- add '-ldl' to link flags added for Linux-on-ARM (#99313)\n[0.9.7a-27]\n- updated ca-bundle.crt: removed expired GeoTrust roots, added\n freessl.com root, removed trustcenter.de Class 0 root\n[0.9.7a-26]\n- Fix link line for libssl (bug #111154).\n[0.9.7a-25]\n- add dependency on zlib-devel for the -devel package, which depends on zlib\n symbols because we enable zlib for libssl (#102962)\n[0.9.7a-24]\n- Use /dev/urandom instead of PRNG for libica.\n- Apply libica-1.3.5 fix for /dev/urandom in icalinux.c\n- Use latest ICA engine patch from IBM.\n[0.9.7a-22.1]\n- rebuild\n[0.9.7a-22]\n- rebuild (22 wasn't actually built, fun eh?)\n[0.9.7a-23]\n- re-disable optimizations on ppc64\n* Tue Sep 30 2003 Joe Orton \n- add a_mbstr.c fix for 64-bit platforms from CVS\n[0.9.7a-22]\n- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged\n as not needing executable stacks\n[0.9.7a-21]\n- rebuild\n* Thu Sep 25 2003 Nalin Dahyabhai \n- re-enable optimizations on ppc64\n* Thu Sep 25 2003 Nalin Dahyabhai \n- remove exclusivearch\n[0.9.7a-20]\n- only parse a client cert if one was requested\n- temporarily exclusivearch for %{ix86}\n* Tue Sep 23 2003 Nalin Dahyabhai \n- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)\n and heap corruption (CAN-2003-0545)\n- update RHNS-CA-CERT files\n- ease back on the number of threads used in the threading test\n[0.9.7a-19]\n- rebuild to fix gzipped file md5sums (#91211)\n[0.9.7a-18]\n- Updated libica to version 1.3.4.\n[0.9.7a-17]\n- rebuild\n[0.9.7a-10.9]\n- free the kssl_ctx structure when we free an SSL structure (#99066)\n[0.9.7a-16]\n- rebuild\n[0.9.7a-15]\n- lower thread test count on s390x\n[0.9.7a-14]\n- rebuild\n[0.9.7a-13]\n- disable assembly on arches where it seems to conflict with threading\n[0.9.7a-12]\n- Updated libica to latest upstream version 1.3.0\n[0.9.7a-9.9]\n- rebuild\n[0.9.7a-11]\n- rebuild\n[0.9.7a-10]\n- ubsec: don't stomp on output data which might also be input data\n[0.9.7a-9]\n- temporarily disable optimizations on ppc64\n* Mon Jun 09 2003 Nalin Dahyabhai \n- backport fix for engine-used-for-everything from 0.9.7b\n- backport fix for prng not being seeded causing problems, also from 0.9.7b\n- add a check at build-time to ensure that RSA is thread-safe\n- keep perlpath from stomping on the libica configure scripts\n* Fri Jun 06 2003 Nalin Dahyabhai \n- thread-safety fix for RSA blinding\n[0.9.7a-8]\n- rebuilt\n[0.9.7a-7]\n- Added libica-1.2 to openssl (featurerequest).\n[0.9.7a-6]\n- fix building with incorrect flags on ppc64\n[0.9.7a-5]\n- add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's\n attack (CAN-2003-0131)\n[ 0.9.7a-4]\n- add patch to enable RSA blinding by default, closing a timing attack\n (CAN-2003-0147)\n[0.9.7a-3]\n- disable use of BN assembly module on x86_64, but continue to allow inline\n assembly (#83403)\n[0.9.7a-2]\n- disable EC algorithms\n[0.9.7a-1]\n- update to 0.9.7a\n[0.9.7-8]\n- add fix to guard against attempts to allocate negative amounts of memory\n- add patch for CAN-2003-0078, fixing a timing attack\n[0.9.7-7]\n- Add openssl-ppc64.patch\n[0.9.7-6]\n- EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),\n to get the right behavior when passed uninitialized context structures\n (#83766)\n- build with -mcpu=ev5 on alpha family (#83828)\n* Wed Jan 22 2003 Tim Powers \n- rebuilt\n[0.9.7-4]\n- Added IBM hw crypto support patch.\n* Wed Jan 15 2003 Nalin Dahyabhai \n- add missing builddep on sed\n[0.9.7-3]\n- debloat\n- fix broken manpage symlinks\n[0.9.7-2]\n- fix double-free in 'openssl ca'\n[0.9.7-1]\n- update to 0.9.7 final\n[0.9.7-0]\n- update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n* Wed Dec 11 2002 Nalin Dahyabhai \n- update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n[0.9.6b-30]\n- add configuration stanza for x86_64 and use it on x86_64\n- build for linux-ppc on ppc\n- start running the self-tests again\n[0.9.6b-29hammer.3]\n- Merge fixes from previous hammer packages, including general x86-64 and\n multilib\n[0.9.6b-29]\n- rebuild\n[0.9.6b-28]\n- update asn patch to fix accidental reversal of a logic check\n[0.9.6b-27]\n- update asn patch to reduce chance that compiler optimization will remove\n one of the added tests\n[0.9.6b-26]\n- rebuild\n[0.9.6b-25]\n- add patch to fix ASN.1 vulnerabilities\n[0.9.6b-24]\n- add backport of Ben Laurie's patches for OpenSSL 0.9.6d\n[0.9.6b-23]\n- own {_datadir}/ssl/misc\n* Fri Jun 21 2002 Tim Powers \n- automated rebuild\n* Sun May 26 2002 Tim Powers \n- automated rebuild\n[0.9.6b-20]\n- free ride through the build system (whee!)\n[0.9.6b-19]\n- rebuild in new environment\n[0.9.6b-17, 0.9.6b-18]\n- merge RHL-specific bits into stronghold package, rename\n[stronghold-0.9.6c-2]\n- add support for Chrysalis Luna token\n* Tue Mar 26 2002 Gary Benson \n- disable AEP random number generation, other AEP fixes\n[0.9.6b-15]\n- only build subpackages on primary arches\n[0.9.6b-13]\n- on ia32, only disable use of assembler on i386\n- enable assembly on ia64\n[0.9.6b-11]\n- fix sparcv9 entry\n[stronghold-0.9.6c-1]\n- upgrade to 0.9.6c\n- bump BuildArch to i686 and enable assembler on all platforms\n- synchronise with shrimpy and rawhide\n- bump soversion to 3\n* Wed Oct 10 2001 Florian La Roche \n- delete BN_LLONG for s390x, patch from Oliver Paukstadt\n[0.9.6b-9]\n- update AEP driver patch\n* Mon Sep 10 2001 Nalin Dahyabhai \n- adjust RNG disabling patch to match version of patch from Broadcom\n[0.9.6b-8]\n- disable the RNG in the ubsec engine driver\n[0.9.6b-7]\n- tweaks to the ubsec engine driver\n[0.9.6b-6]\n- tweaks to the ubsec engine driver\n[0.9.6b-5]\n- update ubsec engine driver from Broadcom\n[0.9.6b-4]\n- move man pages back to %{_mandir}/man?/foo.?ssl from\n %{_mandir}/man?ssl/foo.?\n- add an [ engine ] section to the default configuration file\n* Thu Aug 09 2001 Nalin Dahyabhai \n- add a patch for selecting a default engine in SSL_library_init()\n[0.9.6b-3]\n- add patches for AEP hardware support\n- add patch to keep trying when we fail to load a cert from a file and\n there are more in the file\n- add missing prototype for ENGINE_ubsec() in engine_int.h\n[0.9.6b-2]\n- actually add hw_ubsec to the engine list\n* Tue Jul 17 2001 Nalin Dahyabhai \n- add in the hw_ubsec driver from CVS\n[0.9.6b-1]\n- update to 0.9.6b\n* Thu Jul 05 2001 Nalin Dahyabhai \n- move .so symlinks back to %{_libdir}\n* Tue Jul 03 2001 Nalin Dahyabhai \n- move shared libraries to /lib (#38410)\n* Mon Jun 25 2001 Nalin Dahyabhai \n- switch to engine code base\n* Mon Jun 18 2001 Nalin Dahyabhai \n- add a script for creating dummy certificates\n- move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?\n* Thu Jun 07 2001 Florian La Roche \n- add s390x support\n* Fri Jun 01 2001 Nalin Dahyabhai \n- change two memcpy() calls to memmove()\n- don't define L_ENDIAN on alpha\n[stronghold-0.9.6a-1]\n- Add 'stronghold-' prefix to package names.\n- Obsolete standard openssl packages.\n* Wed May 16 2001 Joe Orton \n- Add BuildArch: i586 as per Nalin's advice.\n* Tue May 15 2001 Joe Orton \n- Enable assembler on ix86 (using new .tar.bz2 which does\n include the asm directories).\n* Tue May 15 2001 Nalin Dahyabhai \n- make subpackages depend on the main package\n* Tue May 01 2001 Nalin Dahyabhai \n- adjust the hobble script to not disturb symlinks in include/ (fix from\n Joe Orton)\n* Fri Apr 27 2001 Nalin Dahyabhai \n- drop the m2crypo patch we weren't using\n* Tue Apr 24 2001 Nalin Dahyabhai \n- configure using 'shared' as well\n* Sun Apr 08 2001 Nalin Dahyabhai \n- update to 0.9.6a\n- use the build-shared target to build shared libraries\n- bump the soversion to 2 because we're no longer compatible with\n our 0.9.5a packages or our 0.9.6 packages\n- drop the patch for making rsatest a no-op when rsa null support is used\n- put all man pages into \nssl instead of \n- break the m2crypto modules into a separate package\n* Tue Mar 13 2001 Nalin Dahyabhai \n- use BN_LLONG on s390\n* Mon Mar 12 2001 Nalin Dahyabhai \n- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)\n* Sat Mar 03 2001 Nalin Dahyabhai \n- move c_rehash to the perl subpackage, because it's a perl script now\n* Fri Mar 02 2001 Nalin Dahyabhai \n- update to 0.9.6\n- enable MD2\n- use the libcrypto.so and libssl.so targets to build shared libs with\n- bump the soversion to 1 because we're no longer compatible with any of\n the various 0.9.5a packages circulating around, which provide lib*.so.0\n* Wed Feb 28 2001 Florian La Roche \n- change hobble-openssl for disabling MD2 again\n* Tue Feb 27 2001 Nalin Dahyabhai \n- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152\n bytes or so, causing EVP_DigestInit() to zero out stack variables in\n apps built against a version of the library without it\n* Mon Feb 26 2001 Nalin Dahyabhai \n- disable some inline assembly, which on x86 is Pentium-specific\n- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)\n* Thu Feb 08 2001 Florian La Roche \n- fix s390 patch\n* Fri Dec 08 2000 Than Ngo \n- added support s390\n* Mon Nov 20 2000 Nalin Dahyabhai \n- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)\n- add the CA.pl man page to the perl subpackage\n* Thu Nov 02 2000 Nalin Dahyabhai \n- always build with -mcpu=ev5 on alpha\n* Tue Oct 31 2000 Nalin Dahyabhai \n- add a symlink from cert.pem to ca-bundle.crt\n* Wed Oct 25 2000 Nalin Dahyabhai \n- add a ca-bundle file for packages like Samba to reference for CA certificates\n* Tue Oct 24 2000 Nalin Dahyabhai \n- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)\n* Mon Oct 02 2000 Nalin Dahyabhai \n- add unzip as a buildprereq (#17662)\n- update m2crypto to 0.05-snap4\n* Tue Sep 26 2000 Bill Nottingham \n- fix some issues in building when it's not installed\n* Wed Sep 06 2000 Nalin Dahyabhai \n- make sure the headers we include are the ones we built with (aaaaarrgh!)\n* Fri Sep 01 2000 Nalin Dahyabhai \n- add Richard Henderson's patch for BN on ia64\n- clean up the changelog\n* Tue Aug 29 2000 Nalin Dahyabhai \n- fix the building of python modules without openssl-devel already installed\n* Wed Aug 23 2000 Nalin Dahyabhai \n- byte-compile python extensions without the build-root\n- adjust the makefile to not remove temporary files (like .key files when\n building .csr files) by marking them as .PRECIOUS\n* Sat Aug 19 2000 Nalin Dahyabhai \n- break out python extensions into a subpackage\n* Mon Jul 17 2000 Nalin Dahyabhai \n- tweak the makefile some more\n* Tue Jul 11 2000 Nalin Dahyabhai \n- disable MD2 support\n* Thu Jul 06 2000 Nalin Dahyabhai \n- disable MDC2 support\n* Sun Jul 02 2000 Nalin Dahyabhai \n- tweak the disabling of RC5, IDEA support\n- tweak the makefile\n* Thu Jun 29 2000 Nalin Dahyabhai \n- strip binaries and libraries\n- rework certificate makefile to have the right parts for Apache\n* Wed Jun 28 2000 Nalin Dahyabhai \n- use %{_perl} instead of /usr/bin/perl\n- disable alpha until it passes its own test suite\n* Fri Jun 09 2000 Nalin Dahyabhai \n- move the passwd.1 man page out of the passwd package's way\n* Fri Jun 02 2000 Nalin Dahyabhai \n- update to 0.9.5a, modified for U.S.\n- add perl as a build-time requirement\n- move certificate makefile to another package\n- disable RC5, IDEA, RSA support\n- remove optimizations for now\n* Wed Mar 01 2000 Florian La Roche \n- Bero told me to move the Makefile into this package\n* Wed Mar 01 2000 Florian La Roche \n- add lib*.so symlinks to link dynamically against shared libs\n* Tue Feb 29 2000 Florian La Roche \n- update to 0.9.5\n- run ldconfig directly in post/postun\n- add FAQ\n* Sat Dec 18 1999 Bernhard Rosenkrdnzer \n- Fix build on non-x86 platforms\n* Fri Nov 12 1999 Bernhard Rosenkrdnzer \n- move /usr/share/ssl/* from -devel to main package\n* Tue Oct 26 1999 Bernhard Rosenkrdnzer \n- inital packaging\n- changes from base:\n - Move /usr/local/ssl to /usr/share/ssl for FHS compliance\n - handle RPM_OPT_FLAGS\nopenssl-1.0.1-beta2-rpmbuild.patch\nopenssl-0.9.8a-no-rpath.patch", "modified": "2015-04-02T00:00:00", "published": "2015-04-02T00:00:00", "id": "ELSA-2015-3022", "href": "http://linux.oracle.com/errata/ELSA-2015-3022.html", "title": "openssl-fips security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:03", "bulletinFamily": "unix", "description": "[1.0.2k-16.0.1.el7_6.1]\n- Bump release for rebuild.\n[1.0.2k-16.1]\n- use SHA-256 in FIPS RSA pairwise key check\n- fix CVE-2018-5407 - EC signature local timing side-channel key extraction\n[1.0.2k-16]\n- fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA\n- fix incorrect error message on FIPS DSA parameter generation (#1603597)\n[1.0.2k-14]\n- ppc64le is not multilib architecture (#1585004)\n[1.0.2k-13]\n- add S390x assembler updates\n- make CA name list comparison function case sensitive (#1548401)\n- fix CVE-2017-3735 - possible one byte overread with X.509 IPAdressFamily\n- fix CVE-2018-0732 - large prime DH DoS of TLS client\n- fix CVE-2018-0737 - RSA key generation cache timing vulnerability\n- fix CVE-2018-0739 - stack overflow parsing recursive ASN.1 structure\n[1.0.2k-12]\n- fix CVE-2017-3737 - incorrect handling of fatal error state\n- fix CVE-2017-3738 - AVX2 Montgomery multiplication bug with 1024 bit modulus\n[1.0.2k-11]\n- fix deadlock in RNG in the FIPS mode in mariadb\n[1.0.2k-9]\n- fix CVE-2017-3736 - carry propagation bug in Montgomery multiplication\n[1.0.2k-8]\n- fix regression in openssl req -x509 command (#1450015)\n[1.0.2k-7]\n- handle incorrect size gracefully in aes_p8_cbc_encrypt()\n[1.0.2k-6]\n- allow long client hellos to be received by server\n[1.0.2k-5]\n- fix CPU features detection on new AMD processors\n[1.0.2k-4]\n- add support for additional STARTTLS protocols to s_client\n original backported patch by Robert Scheck (#1396209)\n[1.0.2k-3]\n- properly document the SSLv2 support removal\n[1.0.2k-2]\n- add PPC assembler updates\n[1.0.2k-1]\n- minor upstream release 1.0.2k fixing security issues\n[1.0.2j-2]\n- deprecate and disable verification of insecure hash algorithms\n- add support for /etc/pki/tls/legacy-settings also for minimum DH length\n accepted by SSL client\n- compare the encrypt and tweak key in XTS as required by FIPS\n[1.0.2j-1]\n- rebase to latest upstream release from the 1.0.2 branch, ABI compatible\n[1.0.1e-60]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n[1.0.1e-58]\n- replace expired testing certificates\n[1.0.1e-57]\n- fix CVE-2016-2105 - possible overflow in base64 encoding\n- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()\n- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC\n- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO\n[1.0.1e-56]\n- fix 1-byte memory leak in pkcs12 parse (#1312112)\n- document some options of the speed command (#1312110)\n- fix high-precision timestamps in timestamping authority\n- enable SCTP support in DTLS\n- use correct digest when exporting keying material in TLS1.2 (#1289620)\n- fix CVE-2016-0799 - memory issues in BIO_printf\n- add support for setting Kerberos service and keytab in\n s_server and s_client\n[1.0.1e-55]\n- fix CVE-2016-0702 - side channel attack on modular exponentiation\n- fix CVE-2016-0705 - double-free in DSA private key parsing\n- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn\n[1.0.1e-54]\n- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement\n- disable SSLv2 in the generic TLS method\n[1.0.1e-53]\n- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2\n[1.0.1e-52]\n- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter\n- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak\n- fix CVE-2015-3196 - race condition when handling PSK identity hint\n[1.0.1e-51]\n- fix the CVE-2015-1791 fix (broken server side renegotiation)\n[1.0.1e-50]\n- improved fix for CVE-2015-1791\n- add missing parts of CVE-2015-0209 fix for corectness although unexploitable\n[1.0.1e-49]\n- fix CVE-2014-8176 - invalid free in DTLS buffering code\n- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time\n- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent\n- fix CVE-2015-1791 - race condition handling NewSessionTicket\n- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function\n[1.0.1e-48]\n- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on\n read in multithreaded applications\n[1.0.1e-47]\n- fix CVE-2015-4000 - prevent the logjam attack on client - restrict\n the DH key size to at least 768 bits (limit will be increased in future)\n[1.0.1e-46]\n- drop the AES-GCM restriction of 2^32 operations because the IV is\n always 96 bits (32 bit fixed field + 64 bit invocation field)\n[1.0.1e-45]\n- update fix for CVE-2015-0287 to what was released upstream\n[1.0.1e-44]\n- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()\n- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server\n[1.0.1e-43]\n- fix broken error detection when unwrapping unpadded key\n[1.0.1e-42.1]\n- fix the RFC 5649 for key material that does not need padding\n[1.0.1e-42]\n- test in the non-FIPS RSA keygen for minimal distance of p and q\n similarly to the FIPS RSA keygen\n[1.0.1e-41]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\n[1.0.1e-40]\n- use FIPS approved method for computation of d in RSA\n- copy digest algorithm when handling SNI context switch\n[1.0.1e-39]\n- fix CVE-2014-3567 - memory leak when handling session tickets\n- fix CVE-2014-3513 - memory leak in srtp support\n- add support for fallback SCSV to partially mitigate CVE-2014-3566\n (padding attack on SSL3)\n[1.0.1e-38]\n- do FIPS algorithm selftest before the integrity check\n[1.0.1e-37]\n- add support for RFC 5649 (#1119738)\n- do not pass the FIPS integrity check if the .hmac files are empty (#1128849)\n- add ECC TLS extensions to DTLS (#1119803)\n- do not send ECC ciphersuites in SSLv2 client hello (#1090955)\n- properly propagate encryption failure in BIO_f_cipher (#1072439)\n- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support\n- improve documentation of ciphersuites - patch by Hubert Kario (#1108026)\n- use case insensitive comparison for servername in s_server (#1081163)\n- add support for automatic ECDH curve selection on server (#1080128)\n- FIPS mode: make the limitations on DSA, DH, and RSA keygen\n length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment\n variable is set\n[1.0.1e-36]\n- add support for ppc64le architecture\n- add Power 8 optimalizations\n[1.0.1e-35]\n- fix CVE-2014-3505 - doublefree in DTLS packet processing\n- fix CVE-2014-3506 - avoid memory exhaustion in DTLS\n- fix CVE-2014-3507 - avoid memory leak in DTLS\n- fix CVE-2014-3508 - fix OID handling to avoid information leak\n- fix CVE-2014-3509 - fix race condition when parsing server hello\n- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS\n- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation\n[1.0.1e-34.3]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-34]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-33]\n- use the key length from configuration file if req -newkey rsa is invoked\n[1.0.1e-32]\n- avoid unnecessary reseeding in BN_rand in the FIPS mode\n[1.0.1e-31]\n- print ephemeral key size negotiated in TLS handshake (#1057715)\n- add DH_compute_key_padded needed for FIPS CAVS testing\n- make expiration and key length changeable by DAYS and KEYLEN\n variables in the certificate Makefile (#1058108)\n- change default hash to sha256 (#1062325)\n- lower the actual 3des strength so it is sorted behind aes128 (#1056616)\n[1:1.0.1e-30]\n- Mass rebuild 2014-01-24\n[1.0.1e-29]\n- rebuild with -O3 on ppc64 architecture\n[1.0.1e-28]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1:1.0.1e-27]\n- Mass rebuild 2013-12-27\n[1.0.1e-26]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n- drop weak ciphers from the default TLS ciphersuite list\n- add back some symbols that were dropped with update to 1.0.1 branch\n- more FIPS validation requirement changes\n[1.0.1e-25]\n- fix locking and reseeding problems with FIPS drbg\n[1.0.1e-24]\n- additional changes required for FIPS validation\n- disable verification of certificate, CRL, and OCSP signatures\n using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable\n is not set\n[1.0.1e-23]\n- add back support for secp521r1 EC curve\n- add aarch64 to Configure (#969692)\n[1.0.1e-22]\n- do not advertise ECC curves we do not support (#1022493)\n[1.0.1e-21]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n- drop the -fips subpackage, installation of dracut-fips marks that the FIPS\n module is installed\n- avoid dlopening libssl.so from libcrypto\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-20]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n- try to avoid some races when updating the -fips subpackage\n[1.0.1e-19]\n- use version-release in .hmac suffix to avoid overwrite\n during upgrade\n[1.0.1e-18]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-16]\n- add -fips subpackage that contains the FIPS module files\n[1.0.1e-15]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-14]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-13]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-12]\n- use _prefix macro\n[1.0.1e-11]\n- add openssl.cnf.5 manpage symlink to config.5\n[1.0.1e-10]\n- add relro linking flag\n[1.0.1e-9]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-8]\n- disable GOST engine\n[1.0.1e-7]\n- add symbol version for ECC functions\n[1.0.1e-6]\n- update the FIPS selftests to use 256 bit curves\n[1.0.1e-5]\n- enabled NIST Suite B ECC curves and algorithms\n[1.0.1e-4]\n- fix random bad record mac errors (#918981)\n[1.0.1e-3]\n- fix up the SHLIB_VERSION_NUMBER\n[1.0.1e-2]\n- disable ZLIB loading by default (due to CRIME attack)\n[1.0.1e-1]\n- new upstream version\n[1.0.1c-12]\n- more fixes from upstream\n- fix errors in manual causing build failure (#904777)\n[1.0.1c-11]\n- add script for renewal of a self-signed cert by Philip Prindeville (#871566)\n- allow X509_issuer_and_serial_hash() produce correct result in\n the FIPS mode (#881336)\n[1.0.1c-10]\n- do not load default verify paths if CApath or CAfile specified (#884305)\n[1.0.1c-9]\n- more fixes from upstream CVS\n- fix DSA key pairwise check (#878597)\n[1.0.1c-8]\n- use 1024 bit DH parameters in s_server as 512 bit is not allowed\n in FIPS mode and it is quite weak anyway\n[1.0.1c-7]\n- add missing initialization of str in aes_ccm_init_key (#853963)\n- add important patches from upstream CVS\n- use the secure_getenv() with new glibc\n[1:1.0.1c-6]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild\n[1.0.1c-5]\n- use __getenv_secure() instead of __libc_enable_secure\n[1.0.1c-4]\n- do not move libcrypto to /lib\n- do not use environment variables if __libc_enable_secure is on\n- fix strict aliasing problems in modes\n[1.0.1c-3]\n- fix DSA key generation in FIPS mode (#833866)\n- allow duplicate FIPS_mode_set(1)\n- enable build on ppc64 subarch (#834652)\n[1.0.1c-2]\n- fix s_server with new glibc when no global IPv6 address (#839031)\n- make it build with new Perl\n[1.0.1c-1]\n- new upstream version\n[1.0.1b-1]\n- new upstream version\n[1.0.1a-1]\n- new upstream version fixing CVE-2012-2110\n[1.0.1-3]\n- add Kerberos 5 libraries to pkgconfig for static linking (#807050)\n[1.0.1-2]\n- backports from upstream CVS\n- fix segfault when /dev/urandom is not available (#809586)\n[1.0.1-1]\n- new upstream release\n[1.0.1-0.3.beta3]\n- add obsoletes to assist multilib updates (#799636)\n[1.0.1-0.2.beta3]\n- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17\n- new upstream release from the 1.0.1 branch\n- fix s390x build (#798411)\n- versioning for the SSLeay symbol (#794950)\n- add -DPURIFY to build flags (#797323)\n- filter engine provides\n- split the libraries to a separate -libs package\n- add make to requires on the base package (#783446)\n[1.0.1-0.1.beta2]\n- new upstream release from the 1.0.1 branch, ABI compatible\n- add documentation for the -no_ign_eof option\n[1.0.0g-1]\n- new upstream release fixing CVE-2012-0050 - DoS regression in\n DTLS support introduced by the previous release (#782795)\n[1.0.0f-1]\n- new upstream release fixing multiple CVEs\n[1.0.0e-4]\n- move the libraries needed for static linking to Libs.private\n[1.0.0e-3]\n- do not use AVX instructions when osxsave bit not set\n- add direct known answer tests for SHA2 algorithms\n[1.0.0e-2]\n- fix missing initialization of variable in CHIL engine\n[1.0.0e-1]\n- new upstream release fixing CVE-2011-3207 (#736088)\n[1.0.0d-8]\n- drop the separate engine for Intel acceleration improvements\n and merge in the AES-NI, SHA1, and RC4 optimizations\n- add support for OPENSSL_DISABLE_AES_NI environment variable\n that disables the AES-NI support\n[1.0.0d-7]\n- correct openssl cms help output (#636266)\n- more tolerant starttls detection in XMPP protocol (#608239)\n[1.0.0d-6]\n- add support for newest Intel acceleration improvements backported\n from upstream by Intel in form of a separate engine\n[1.0.0d-5]\n- allow the AES-NI engine in the FIPS mode\n[1.0.0d-4]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0d-3]\n- add support for VIA Padlock on 64bit arch from upstream (#617539)\n- do not return bogus values from load_certs (#652286)\n[1.0.0d-2]\n- clarify apps help texts for available digest algorithms (#693858)\n[1.0.0d-1]\n- new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability)\n[1.0.0c-4]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild\n[1.0.0c-3]\n- add -x931 parameter to openssl genrsa command to use the ANSI X9.31\n key generation method\n- use FIPS-186-3 method for DSA parameter generation\n- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable\n to allow using MD5 when the system is in the maintenance state\n even if the /proc fips flag is on\n- make openssl pkcs12 command work by default in the FIPS mode\n[1.0.0c-2]\n- listen on ipv6 wildcard in s_server so we accept connections\n from both ipv4 and ipv6 (#601612)\n- fix openssl speed command so it can be used in the FIPS mode\n with FIPS allowed ciphers\n[1.0.0c-1]\n- new upstream version fixing CVE-2010-4180\n[1.0.0b-3]\n- replace the revert for the s390x bignum asm routines with\n fix from upstream\n[1.0.0b-2]\n- revert upstream change in s390x bignum asm routines\n[1.0.0b-1]\n- new upstream version fixing CVE-2010-3864 (#649304)\n[1.0.0a-3]\n- make SHLIB_VERSION reflect the library suffix\n[1.0.0a-2]\n- openssl man page fix (#609484)\n[1.0.0a-1]\n- new upstream patch release, fixes CVE-2010-0742 (#598738)\n and CVE-2010-1633 (#598732)\n[1.0.0-5]\n- pkgconfig files now contain the correct libdir (#593723)\n[1.0.0-4]\n- make CA dir readable - the private keys are in private subdir (#584810)\n[1.0.0-3]\n- a few fixes from upstream CVS\n- move libcrypto to /lib (#559953)\n[1.0.0-2]\n- set UTC timezone on pod2man run (#578842)\n- make X509_NAME_hash_old work in FIPS mode\n[1.0.0-1]\n- update to final 1.0.0 upstream release\n[1.0.0-0.22.beta5]\n- make TLS work in the FIPS mode\n[1.0.0-0.21.beta5]\n- gracefully handle zero length in assembler implementations of\n OPENSSL_cleanse (#564029)\n- do not fail in s_server if client hostname not resolvable (#561260)\n[1.0.0-0.20.beta5]\n- new upstream release\n[1.0.0-0.19.beta4]\n- fix CVE-2009-4355 - leak in applications incorrectly calling\n CRYPTO_free_all_ex_data() before application exit (#546707)\n- upstream fix for future TLS protocol version handling\n[1.0.0-0.18.beta4]\n- add support for Intel AES-NI\n[1.0.0-0.17.beta4]\n- upstream fix compression handling on session resumption\n- various null checks and other small fixes from upstream\n- upstream changes for the renegotiation info according to the latest draft\n[1.0.0-0.16.beta4]\n- fix non-fips mingw build (patch by Kalev Lember)\n- add IPV6 fix for DTLS\n[1.0.0-0.15.beta4]\n- add better error reporting for the unsafe renegotiation\n[1.0.0-0.14.beta4]\n- fix build on s390x\n[1.0.0-0.13.beta4]\n- disable enforcement of the renegotiation extension on the client (#537962)\n- add fixes from the current upstream snapshot\n[1.0.0-0.12.beta4]\n- keep the beta status in version number at 3 so we do not have to rebuild\n openssh and possibly other dependencies with too strict version check\n[1.0.0-0.11.beta4]\n- update to new upstream version, no soname bump needed\n- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used\n so the compatibility with unfixed clients is not broken. The\n protocol extension is also not final.\n[1.0.0-0.10.beta3]\n- fix use of freed memory if SSL_CTX_free() is called before\n SSL_free() (#521342)\n[1.0.0-0.9.beta3]\n- fix typo in DTLS1 code (#527015)\n- fix leak in error handling of d2i_SSL_SESSION()\n[1.0.0-0.8.beta3]\n- fix RSA and DSA FIPS selftests\n- reenable fixed x86_64 camellia assembler code (#521127)\n[1.0.0-0.7.beta3]\n- temporarily disable x86_64 camellia assembler code (#521127)\n[1.0.0-0.6.beta3]\n- fix openssl dgst -dss1 (#520152)\n[1.0.0-0.5.beta3]\n- drop the compat symlink hacks\n[1.0.0-0.4.beta3]\n- constify SSL_CIPHER_description()\n[1.0.0-0.3.beta3]\n- fix WWW:Curl:Easy reference in tsget\n[1.0.0-0.2.beta3]\n- enable MD-2\n[1.0.0-0.1.beta3]\n- update to new major upstream release\n[0.9.8k-7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild\n* Wed Jul 22 2009 Bill Nottingham \n- do not build special 'optimized' versions for i686, as that's the base\n arch in Fedora now\n[0.9.8k-6]\n- abort if selftests failed and random number generator is polled\n- mention EVP_aes and EVP_sha2xx routines in the manpages\n- add README.FIPS\n- make CA dir absolute path (#445344)\n- change default length for RSA key generation to 2048 (#484101)\n[0.9.8k-5]\n- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379\n (DTLS DoS problems) (#501253, #501254, #501572)\n[0.9.8k-4]\n- support compatibility DTLS mode for CISCO AnyConnect (#464629)\n[0.9.8k-3]\n- correct the SHLIB_VERSION define\n[0.9.8k-2]\n- add support for multiple CRLs with same subject\n- load only dynamic engine support in FIPS mode\n[0.9.8k-1]\n- update to new upstream release (minor bug fixes, security\n fixes and machine code optimizations only)\n[0.9.8j-10]\n- move libraries to /usr/lib (#239375)\n[0.9.8j-9]\n- add a static subpackage\n[0.9.8j-8]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n[0.9.8j-7]\n- must also verify checksum of libssl.so in the FIPS mode\n- obtain the seed for FIPS rng directly from the kernel device\n- drop the temporary symlinks\n[0.9.8j-6]\n- drop the temporary triggerpostun and symlinking in post\n- fix the pkgconfig files and drop the unnecessary buildrequires\n on pkgconfig as it is a rpmbuild dependency (#481419)\n[0.9.8j-5]\n- add temporary triggerpostun to reinstate the symlinks\n[0.9.8j-4]\n- no pairwise key tests in non-fips mode (#479817)\n[0.9.8j-3]\n- even more robust test for the temporary symlinks\n[0.9.8j-2]\n- try to ensure the temporary symlinks exist\n[0.9.8j-1]\n- new upstream version with necessary soname bump (#455753)\n- temporarily provide symlink to old soname to make it possible to rebuild\n the dependent packages in rawhide\n- add eap-fast support (#428181)\n- add possibility to disable zlib by setting\n- add fips mode support for testing purposes\n- do not null dereference on some invalid smime files\n- add buildrequires pkgconfig (#479493)\n[0.9.8g-11]\n- do not add tls extensions to server hello for SSLv3 either\n[0.9.8g-10]\n- move root CA bundle to ca-certificates package\n[0.9.8g-9]\n- fix CVE-2008-0891 - server name extension crash (#448492)\n- fix CVE-2008-1672 - server key exchange message omit crash (#448495)\n[0.9.8g-8]\n- super-H arch support\n- drop workaround for bug 199604 as it should be fixed in gcc-4.3\n[0.9.8g-7]\n- sparc handling\n[0.9.8g-6]\n- update to new root CA bundle from mozilla.org (r1.45)\n[0.9.8g-5]\n- Autorebuild for GCC 4.3\n[0.9.8g-4]\n- merge review fixes (#226220)\n- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)\n[0.9.8g-3]\n- set default paths when no explicit paths are set (#418771)\n- do not add tls extensions to client hello for SSLv3 (#422081)\n[0.9.8g-2]\n- enable some new crypto algorithms and features\n- add some more important bug fixes from openssl CVS\n[0.9.8g-1]\n- update to latest upstream release, SONAME bumped to 7\n[0.9.8b-17]\n- update to new CA bundle from mozilla.org\n[0.9.8b-16]\n- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)\n- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)\n- add alpha sub-archs (#296031)\n[0.9.8b-15]\n- rebuild\n[0.9.8b-14]\n- use localhost in testsuite, hopefully fixes slow build in koji\n- CVE-2007-3108 - fix side channel attack on private keys (#250577)\n- make ssl session cache id matching strict (#233599)\n[0.9.8b-13]\n- allow building on ARM architectures (#245417)\n- use reference timestamps to prevent multilib conflicts (#218064)\n- -devel package must require pkgconfig (#241031)\n[0.9.8b-12]\n- detect duplicates in add_dir properly (#206346)\n[0.9.8b-11]\n- the previous change still didn't make X509_NAME_cmp transitive\n[0.9.8b-10]\n- make X509_NAME_cmp transitive otherwise certificate lookup\n is broken (#216050)\n[0.9.8b-9]\n- aliasing bug in engine loading, patch by IBM (#213216)\n[0.9.8b-8]\n- CVE-2006-2940 fix was incorrect (#208744)\n[0.9.8b-7]\n- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)\n- fix CVE-2006-2940 - parasitic public keys DoS (#207274)\n- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)\n- fix CVE-2006-4343 - sslv2 client DoS (#206940)\n[0.9.8b-6]\n- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)\n[0.9.8b-5]\n- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)\n patch by IBM\n[0.9.8b-4.1]\n- rebuild with new binutils (#200330)\n[0.9.8b-4]\n- add a temporary workaround for sha512 test failure on s390 (#199604)\n* Thu Jul 20 2006 Tomas Mraz \n- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)\n- add patches for BN threadsafety, AES cache collision attack hazard fix and\n pkcs7 code memleak fix from upstream CVS\n[0.9.8b-3.1]\n- rebuild\n[0.9.8b-3]\n- dropped libica and ica engine from build\n* Wed Jun 21 2006 Joe Orton \n- update to new CA bundle from mozilla.org; adds CA certificates\n from netlock.hu and startcom.org\n[0.9.8b-2]\n- fixed a few rpmlint warnings\n- better fix for #173399 from upstream\n- upstream fix for pkcs12\n[0.9.8b-1]\n- upgrade to new version, stays ABI compatible\n- there is no more linux/config.h (it was empty anyway)\n[0.9.8a-6]\n- fix stale open handles in libica (#177155)\n- fix build if 'rand' or 'passwd' in buildroot path (#178782)\n- initialize VIA Padlock engine (#186857)\n[0.9.8a-5.2]\n- bump again for double-long bug on ppc(64)\n[0.9.8a-5.1]\n- rebuilt for new gcc4.1 snapshot and glibc changes\n[0.9.8a-5]\n- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n in SSL_OP_ALL (#175779)\n* Fri Dec 09 2005 Jesse Keating \n- rebuilt\n[0.9.8a-4]\n- fix build (-lcrypto was erroneusly dropped) of the updated libica\n- updated ICA engine to 1.3.6-rc3\n[0.9.8a-3]\n- disable builtin compression methods for now until they work\n properly (#173399)\n[0.9.8a-2]\n- don't set -rpath for openssl binary\n[0.9.8a-1]\n- new upstream version\n- patches partially renumbered\n[0.9.7f-11]\n- updated IBM ICA engine library and patch to latest upstream version\n[0.9.7f-10]\n- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which\n disables the countermeasure against man in the middle attack in SSLv2\n (#169863)\n- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)\n[0.9.7f-9]\n- add *.so.soversion as symlinks in /lib (#165264)\n- remove unpackaged symlinks (#159595)\n- fixes from upstream (constant time fixes for DSA,\n bn assembler div on ppc arch, initialize memory on realloc)\n[0.9.7f-8]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7f-7]\n- fix CAN-2005-0109 - use constant time/memory access mod_exp\n so bits of private key aren't leaked by cache eviction (#157631)\n- a few more fixes from upstream 0.9.7g\n[0.9.7f-6]\n- use poll instead of select in rand (#128285)\n- fix Makefile.certificate to point to /etc/pki/tls\n- change the default string mask in ASN1 to PrintableString+UTF8String\n[0.9.7f-5]\n- update to revision 1.37 of Mozilla CA bundle\n[0.9.7f-4]\n- move certificates to _sysconfdir/pki/tls (#143392)\n- move CA directories to _sysconfdir/pki/CA\n- patch the CA script and the default config so it points to the\n CA directories\n[0.9.7f-3]\n- uninitialized variable mustn't be used as input in inline\n assembly\n- reenable the x86_64 assembly again\n[0.9.7f-2]\n- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken\n- disable broken bignum assembly on x86_64\n[0.9.7f-1]\n- reenable optimizations on ppc64 and assembly code on ia64\n- upgrade to new upstream version (no soname bump needed)\n- disable thread test - it was testing the backport of the\n RSA blinding - no longer needed\n- added support for changing serial number to\n Makefile.certificate (#151188)\n- make ca-bundle.crt a config file (#118903)\n[0.9.7e-3]\n- libcrypto shouldn't depend on libkrb5 (#135961)\n[0.9.7e-2]\n- rebuild\n[0.9.7e-1]\n- new upstream source, updated patches\n- added patch so we are hopefully ABI compatible with upcoming\n 0.9.7f\n* Thu Feb 10 2005 Tomas Mraz \n- Support UTF-8 charset in the Makefile.certificate (#134944)\n- Added cmp to BuildPrereq\n[0.9.7a-46]\n- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)\n[0.9.7a-45]\n- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)\n[0.9.7a-44]\n- rebuild\n[0.9.7a-43]\n- rebuild\n[0.9.7a-42]\n- rebuild\n[0.9.7a-41]\n- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)\n[0.9.7a-40]\n- Include latest libica version with important bugfixes\n* Tue Jun 15 2004 Elliot Lee \n- rebuilt\n[0.9.7a-38]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7a-37]\n- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)\n[0.9.7a-36]\n- handle %{_arch}=i486/i586/i686/athlon cases in the intermediate\n header (#124303)\n[0.9.7a-35]\n- add security fixes for CAN-2004-0079, CAN-2004-0112\n* Tue Mar 16 2004 Phil Knirsch \n- Fixed libica filespec.\n[0.9.7a-34]\n- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix\n the intermediate header\n[0.9.7a-33]\n- add an intermediate \n which points to the right\n arch-specific opensslconf.h on multilib arches\n* Tue Mar 02 2004 Elliot Lee \n- rebuilt\n[0.9.7a-32]\n- Updated libica to latest upstream version 1.3.5.\n[0.9.7a-31]\n- Update ICA crypto engine patch from IBM to latest version.\n* Fri Feb 13 2004 Elliot Lee \n- rebuilt\n[0.9.7a-29]\n- rebuilt\n[0.9.7a-28]\n- Fixed libica build.\n* Wed Feb 04 2004 Nalin Dahyabhai \n- add '-ldl' to link flags added for Linux-on-ARM (#99313)\n[0.9.7a-27]\n- updated ca-bundle.crt: removed expired GeoTrust roots, added\n freessl.com root, removed trustcenter.de Class 0 root\n[0.9.7a-26]\n- Fix link line for libssl (bug #111154).\n[0.9.7a-25]\n- add dependency on zlib-devel for the -devel package, which depends on zlib\n symbols because we enable zlib for libssl (#102962)\n[0.9.7a-24]\n- Use /dev/urandom instead of PRNG for libica.\n- Apply libica-1.3.5 fix for /dev/urandom in icalinux.c\n- Use latest ICA engine patch from IBM.\n[0.9.7a-22.1]\n- rebuild\n[0.9.7a-22]\n- rebuild (22 wasn't actually built, fun eh?)\n[0.9.7a-23]\n- re-disable optimizations on ppc64\n* Tue Sep 30 2003 Joe Orton \n- add a_mbstr.c fix for 64-bit platforms from CVS\n[0.9.7a-22]\n- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged\n as not needing executable stacks\n[0.9.7a-21]\n- rebuild\n* Thu Sep 25 2003 Nalin Dahyabhai \n- re-enable optimizations on ppc64\n* Thu Sep 25 2003 Nalin Dahyabhai \n- remove exclusivearch\n[0.9.7a-20]\n- only parse a client cert if one was requested\n- temporarily exclusivearch for %{ix86}\n* Tue Sep 23 2003 Nalin Dahyabhai \n- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)\n and heap corruption (CAN-2003-0545)\n- update RHNS-CA-CERT files\n- ease back on the number of threads used in the threading test\n[0.9.7a-19]\n- rebuild to fix gzipped file md5sums (#91211)\n[0.9.7a-18]\n- Updated libica to version 1.3.4.\n[0.9.7a-17]\n- rebuild\n[0.9.7a-10.9]\n- free the kssl_ctx structure when we free an SSL structure (#99066)\n[0.9.7a-16]\n- rebuild\n[0.9.7a-15]\n- lower thread test count on s390x\n[0.9.7a-14]\n- rebuild\n[0.9.7a-13]\n- disable assembly on arches where it seems to conflict with threading\n[0.9.7a-12]\n- Updated libica to latest upstream version 1.3.0\n[0.9.7a-9.9]\n- rebuild\n[0.9.7a-11]\n- rebuild\n[0.9.7a-10]\n- ubsec: don't stomp on output data which might also be input data\n[0.9.7a-9]\n- temporarily disable optimizations on ppc64\n* Mon Jun 09 2003 Nalin Dahyabhai \n- backport fix for engine-used-for-everything from 0.9.7b\n- backport fix for prng not being seeded causing problems, also from 0.9.7b\n- add a check at build-time to ensure that RSA is thread-safe\n- keep perlpath from stomping on the libica configure scripts\n* Fri Jun 06 2003 Nalin Dahyabhai \n- thread-safety fix for RSA blinding\n[0.9.7a-8]\n- rebuilt\n[0.9.7a-7]\n- Added libica-1.2 to openssl (featurerequest).\n[0.9.7a-6]\n- fix building with incorrect flags on ppc64\n[0.9.7a-5]\n- add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's\n attack (CAN-2003-0131)\n[ 0.9.7a-4]\n- add patch to enable RSA blinding by default, closing a timing attack\n (CAN-2003-0147)\n[0.9.7a-3]\n- disable use of BN assembly module on x86_64, but continue to allow inline\n assembly (#83403)\n[0.9.7a-2]\n- disable EC algorithms\n[0.9.7a-1]\n- update to 0.9.7a\n[0.9.7-8]\n- add fix to guard against attempts to allocate negative amounts of memory\n- add patch for CAN-2003-0078, fixing a timing attack\n[0.9.7-7]\n- Add openssl-ppc64.patch\n[0.9.7-6]\n- EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),\n to get the right behavior when passed uninitialized context structures\n (#83766)\n- build with -mcpu=ev5 on alpha family (#83828)\n* Wed Jan 22 2003 Tim Powers \n- rebuilt\n[0.9.7-4]\n- Added IBM hw crypto support patch.\n* Wed Jan 15 2003 Nalin Dahyabhai \n- add missing builddep on sed\n[0.9.7-3]\n- debloat\n- fix broken manpage symlinks\n[0.9.7-2]\n- fix double-free in 'openssl ca'\n[0.9.7-1]\n- update to 0.9.7 final\n[0.9.7-0]\n- update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n* Wed Dec 11 2002 Nalin Dahyabhai \n- update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n[0.9.6b-30]\n- add configuration stanza for x86_64 and use it on x86_64\n- build for linux-ppc on ppc\n- start running the self-tests again\n[0.9.6b-29hammer.3]\n- Merge fixes from previous hammer packages, including general x86-64 and\n multilib\n[0.9.6b-29]\n- rebuild\n[0.9.6b-28]\n- update asn patch to fix accidental reversal of a logic check\n[0.9.6b-27]\n- update asn patch to reduce chance that compiler optimization will remove\n one of the added tests\n[0.9.6b-26]\n- rebuild\n[0.9.6b-25]\n- add patch to fix ASN.1 vulnerabilities\n[0.9.6b-24]\n- add backport of Ben Laurie's patches for OpenSSL 0.9.6d\n[0.9.6b-23]\n- own {_datadir}/ssl/misc\n* Fri Jun 21 2002 Tim Powers \n- automated rebuild\n* Sun May 26 2002 Tim Powers \n- automated rebuild\n[0.9.6b-20]\n- free ride through the build system (whee!)\n[0.9.6b-19]\n- rebuild in new environment\n[0.9.6b-17, 0.9.6b-18]\n- merge RHL-specific bits into stronghold package, rename\n[stronghold-0.9.6c-2]\n- add support for Chrysalis Luna token\n* Tue Mar 26 2002 Gary Benson \n- disable AEP random number generation, other AEP fixes\n[0.9.6b-15]\n- only build subpackages on primary arches\n[0.9.6b-13]\n- on ia32, only disable use of assembler on i386\n- enable assembly on ia64\n[0.9.6b-11]\n- fix sparcv9 entry\n[stronghold-0.9.6c-1]\n- upgrade to 0.9.6c\n- bump BuildArch to i686 and enable assembler on all platforms\n- synchronise with shrimpy and rawhide\n- bump soversion to 3\n* Wed Oct 10 2001 Florian La Roche \n- delete BN_LLONG for s390x, patch from Oliver Paukstadt\n[0.9.6b-9]\n- update AEP driver patch\n* Mon Sep 10 2001 Nalin Dahyabhai \n- adjust RNG disabling patch to match version of patch from Broadcom\n[0.9.6b-8]\n- disable the RNG in the ubsec engine driver\n[0.9.6b-7]\n- tweaks to the ubsec engine driver\n[0.9.6b-6]\n- tweaks to the ubsec engine driver\n[0.9.6b-5]\n- update ubsec engine driver from Broadcom\n[0.9.6b-4]\n- move man pages back to %{_mandir}/man?/foo.?ssl from\n %{_mandir}/man?ssl/foo.?\n- add an [ engine ] section to the default configuration file\n* Thu Aug 09 2001 Nalin Dahyabhai \n- add a patch for selecting a default engine in SSL_library_init()\n[0.9.6b-3]\n- add patches for AEP hardware support\n- add patch to keep trying when we fail to load a cert from a file and\n there are more in the file\n- add missing prototype for ENGINE_ubsec() in engine_int.h\n[0.9.6b-2]\n- actually add hw_ubsec to the engine list\n* Tue Jul 17 2001 Nalin Dahyabhai \n- add in the hw_ubsec driver from CVS\n[0.9.6b-1]\n- update to 0.9.6b\n* Thu Jul 05 2001 Nalin Dahyabhai \n- move .so symlinks back to %{_libdir}\n* Tue Jul 03 2001 Nalin Dahyabhai \n- move shared libraries to /lib (#38410)\n* Mon Jun 25 2001 Nalin Dahyabhai \n- switch to engine code base\n* Mon Jun 18 2001 Nalin Dahyabhai \n- add a script for creating dummy certificates\n- move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?\n* Thu Jun 07 2001 Florian La Roche \n- add s390x support\n* Fri Jun 01 2001 Nalin Dahyabhai \n- change two memcpy() calls to memmove()\n- don't define L_ENDIAN on alpha\n[stronghold-0.9.6a-1]\n- Add 'stronghold-' prefix to package names.\n- Obsolete standard openssl packages.\n* Wed May 16 2001 Joe Orton \n- Add BuildArch: i586 as per Nalin's advice.\n* Tue May 15 2001 Joe Orton \n- Enable assembler on ix86 (using new .tar.bz2 which does\n include the asm directories).\n* Tue May 15 2001 Nalin Dahyabhai \n- make subpackages depend on the main package\n* Tue May 01 2001 Nalin Dahyabhai \n- adjust the hobble script to not disturb symlinks in include/ (fix from\n Joe Orton)\n* Fri Apr 27 2001 Nalin Dahyabhai \n- drop the m2crypo patch we weren't using\n* Tue Apr 24 2001 Nalin Dahyabhai \n- configure using 'shared' as well\n* Sun Apr 08 2001 Nalin Dahyabhai \n- update to 0.9.6a\n- use the build-shared target to build shared libraries\n- bump the soversion to 2 because we're no longer compatible with\n our 0.9.5a packages or our 0.9.6 packages\n- drop the patch for making rsatest a no-op when rsa null support is used\n- put all man pages into \nssl instead of \n- break the m2crypto modules into a separate package\n* Tue Mar 13 2001 Nalin Dahyabhai \n- use BN_LLONG on s390\n* Mon Mar 12 2001 Nalin Dahyabhai \n- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)\n* Sat Mar 03 2001 Nalin Dahyabhai \n- move c_rehash to the perl subpackage, because it's a perl script now\n* Fri Mar 02 2001 Nalin Dahyabhai \n- update to 0.9.6\n- enable MD2\n- use the libcrypto.so and libssl.so targets to build shared libs with\n- bump the soversion to 1 because we're no longer compatible with any of\n the various 0.9.5a packages circulating around, which provide lib*.so.0\n* Wed Feb 28 2001 Florian La Roche \n- change hobble-openssl for disabling MD2 again\n* Tue Feb 27 2001 Nalin Dahyabhai \n- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152\n bytes or so, causing EVP_DigestInit() to zero out stack variables in\n apps built against a version of the library without it\n* Mon Feb 26 2001 Nalin Dahyabhai \n- disable some inline assembly, which on x86 is Pentium-specific\n- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)\n* Thu Feb 08 2001 Florian La Roche \n- fix s390 patch\n* Fri Dec 08 2000 Than Ngo \n- added support s390\n* Mon Nov 20 2000 Nalin Dahyabhai \n- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)\n- add the CA.pl man page to the perl subpackage\n* Thu Nov 02 2000 Nalin Dahyabhai \n- always build with -mcpu=ev5 on alpha\n* Tue Oct 31 2000 Nalin Dahyabhai \n- add a symlink from cert.pem to ca-bundle.crt\n* Wed Oct 25 2000 Nalin Dahyabhai \n- add a ca-bundle file for packages like Samba to reference for CA certificates\n* Tue Oct 24 2000 Nalin Dahyabhai \n- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)\n* Mon Oct 02 2000 Nalin Dahyabhai \n- add unzip as a buildprereq (#17662)\n- update m2crypto to 0.05-snap4\n* Tue Sep 26 2000 Bill Nottingham \n- fix some issues in building when it's not installed\n* Wed Sep 06 2000 Nalin Dahyabhai \n- make sure the headers we include are the ones we built with (aaaaarrgh!)\n* Fri Sep 01 2000 Nalin Dahyabhai \n- add Richard Henderson's patch for BN on ia64\n- clean up the changelog\n* Tue Aug 29 2000 Nalin Dahyabhai \n- fix the building of python modules without openssl-devel already installed\n* Wed Aug 23 2000 Nalin Dahyabhai \n- byte-compile python extensions without the build-root\n- adjust the makefile to not remove temporary files (like .key files when\n building .csr files) by marking them as .PRECIOUS\n* Sat Aug 19 2000 Nalin Dahyabhai \n- break out python extensions into a subpackage\n* Mon Jul 17 2000 Nalin Dahyabhai \n- tweak the makefile some more\n* Tue Jul 11 2000 Nalin Dahyabhai \n- disable MD2 support\n* Thu Jul 06 2000 Nalin Dahyabhai \n- disable MDC2 support\n* Sun Jul 02 2000 Nalin Dahyabhai \n- tweak the disabling of RC5, IDEA support\n- tweak the makefile\n* Thu Jun 29 2000 Nalin Dahyabhai \n- strip binaries and libraries\n- rework certificate makefile to have the right parts for Apache\n* Wed Jun 28 2000 Nalin Dahyabhai \n- use %{_perl} instead of /usr/bin/perl\n- disable alpha until it passes its own test suite\n* Fri Jun 09 2000 Nalin Dahyabhai \n- move the passwd.1 man page out of the passwd package's way\n* Fri Jun 02 2000 Nalin Dahyabhai \n- update to 0.9.5a, modified for U.S.\n- add perl as a build-time requirement\n- move certificate makefile to another package\n- disable RC5, IDEA, RSA support\n- remove optimizations for now\n* Wed Mar 01 2000 Florian La Roche \n- Bero told me to move the Makefile into this package\n* Wed Mar 01 2000 Florian La Roche \n- add lib*.so symlinks to link dynamically against shared libs\n* Tue Feb 29 2000 Florian La Roche \n- update to 0.9.5\n- run ldconfig directly in post/postun\n- add FAQ\n* Sat Dec 18 1999 Bernhard Rosenkrdnzer \n- Fix build on non-x86 platforms\n* Fri Nov 12 1999 Bernhard Rosenkrdnzer \n- move /usr/share/ssl/* from -devel to main package\n* Tue Oct 26 1999 Bernhard Rosenkrdnzer \n- inital packaging\n- changes from base:\n - Move /usr/local/ssl to /usr/share/ssl for FHS compliance\n - handle RPM_OPT_FLAGS", "modified": "2019-03-13T00:00:00", "published": "2019-03-13T00:00:00", "id": "ELSA-2019-4581", "href": "http://linux.oracle.com/errata/ELSA-2019-4581.html", "title": "openssl security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-16T20:46:18", "bulletinFamily": "unix", "description": "[1.0.1e-58.0.1]\n- Oracle bug 28730228: backport CVE-2018-0732\n- Oracle bug 28758493: backport CVE-2018-0737\n- Merge upstream patch to fix CVE-2018-0739\n- Avoid out-of-bounds read. Fixes CVE 2017-3735. By Rich Salz\n- sha256 is used for the RSA pairwise consistency test instead of sha1\n[1.0.1e-58]\n- fix CVE-2019-1559 - 0-byte record padding oracle\n[1.0.1e-57]\n- fix CVE-2017-3731 - DoS via truncated packets with RC4-MD5 cipher\n[1.0.1e-55]\n- fix CVE-2016-8610 - DoS of single-threaded servers via excessive alerts\n[1.0.1e-54]\n- fix handling of ciphersuites present after the FALLBACK_SCSV\n ciphersuite entry (#1386350)\n[1.0.1e-53]\n- add README.legacy-settings\n[1.0.1e-52]\n- deprecate and disable verification of insecure hash algorithms\n- disallow DH keys with less than 1024 bits in TLS client\n- remove support for weak and export ciphersuites\n- use correct digest when exporting keying material in TLS1.2 (#1376741)\n[1.0.1e-50]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n- replace expired testing certificates\n[1.0.1e-49]\n- fix CVE-2016-2105 - possible overflow in base64 encoding\n- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()\n- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC\n- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO\n- fix CVE-2016-0799 - memory issues in BIO_printf\n[1.0.1e-48]\n- fix CVE-2016-0702 - side channel attack on modular exponentiation\n- fix CVE-2016-0705 - double-free in DSA private key parsing\n- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn\n[1.0.1e-47]\n- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement\n- disable SSLv2 in the generic TLS method\n[1.0.1e-46]\n- fix 1-byte memory leak in pkcs12 parse (#1229871)\n- document some options of the speed command (#1197095)\n[1.0.1e-45]\n- fix high-precision timestamps in timestamping authority\n[1.0.1e-44]\n- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2\n[1.0.1e-43]\n- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter\n- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak\n- fix CVE-2015-3196 - race condition when handling PSK identity hint\n[1.0.1e-42]\n- fix regression caused by mistake in fix for CVE-2015-1791\n[1.0.1e-41]\n- improved fix for CVE-2015-1791\n- add missing parts of CVE-2015-0209 fix for corectness although unexploitable\n[1.0.1e-40]\n- fix CVE-2014-8176 - invalid free in DTLS buffering code\n- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time\n- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent\n- fix CVE-2015-1791 - race condition handling NewSessionTicket\n- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function\n[1.0.1e-39]\n- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on\n read in multithreaded applications\n[1.0.1e-38]\n- fix CVE-2015-4000 - prevent the logjam attack on client - restrict\n the DH key size to at least 768 bits (limit will be increased in future)\n[1.0.1e-37]\n- drop the AES-GCM restriction of 2^32 operations because the IV is\n always 96 bits (32 bit fixed field + 64 bit invocation field)\n[1.0.1e-36]\n- update fix for CVE-2015-0287 to what was released upstream\n[1.0.1e-35]\n- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()\n- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server\n[1.0.1e-34]\n- copy digest algorithm when handling SNI context switch\n- improve documentation of ciphersuites - patch by Hubert Kario\n- add support for setting Kerberos service and keytab in\n s_server and s_client\n[1.0.1e-33]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\n[1.0.1e-32]\n- use FIPS approved method for computation of d in RSA\n[1.0.1e-31]\n- fix CVE-2014-3567 - memory leak when handling session tickets\n- fix CVE-2014-3513 - memory leak in srtp support\n- add support for fallback SCSV to partially mitigate CVE-2014-3566\n (padding attack on SSL3)\n[1.0.1e-30]\n- add ECC TLS extensions to DTLS (#1119800)\n[1.0.1e-29]\n- fix CVE-2014-3505 - doublefree in DTLS packet processing\n- fix CVE-2014-3506 - avoid memory exhaustion in DTLS\n- fix CVE-2014-3507 - avoid memory leak in DTLS\n- fix CVE-2014-3508 - fix OID handling to avoid information leak\n- fix CVE-2014-3509 - fix race condition when parsing server hello\n- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS\n- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation\n[1.0.1e-28]\n- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support\n[1.0.1e-26]\n- drop EXPORT, RC2, and DES from the default cipher list (#1057520)\n- print ephemeral key size negotiated in TLS handshake (#1057715)\n- do not include ECC ciphersuites in SSLv2 client hello (#1090952)\n- properly detect encryption failure in BIO (#1100819)\n- fail on hmac integrity check if the .hmac file is empty (#1105567)\n- FIPS mode: make the limitations on DSA, DH, and RSA keygen\n length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment\n variable is set\n[1.0.1e-25]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-24]\n- add back support for secp521r1 EC curve\n[1.0.1e-23]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-22]\n- use 2048 bit RSA key in FIPS selftests\n[1.0.1e-21]\n- add DH_compute_key_padded needed for FIPS CAVS testing\n- make 3des strength to be 128 bits instead of 168 (#1056616)\n- FIPS mode: do not generate DSA keys and DH parameters < 2048 bits\n- FIPS mode: use approved RSA keygen (allows only 2048 and 3072 bit keys)\n- FIPS mode: add DH selftest\n- FIPS mode: reseed DRBG properly on RAND_add()\n- FIPS mode: add RSA encrypt/decrypt selftest\n- FIPS mode: add hard limit for 2^32 GCM block encryptions with the same key\n- use the key length from configuration file if req -newkey rsa is invoked\n[1.0.1e-20]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n[1.0.1e-19]\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1.0.1e-18]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n[1.0.1e-17]\n- add back some no-op symbols that were inadvertently dropped\n[1.0.1e-16]\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1e-15]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n[1.0.1e-14]\n- installation of dracut-fips marks that the FIPS module is installed\n[1.0.1e-13]\n- avoid dlopening libssl.so from libcrypto\n[1.0.1e-12]\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-11]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n[1.0.1e-9]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-8]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-7]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-6]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-5]\n- use _prefix macro\n[1.0.1e-4]\n- add relro linking flag\n[1.0.1e-2]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-1]\n- rebase to the 1.0.1e upstream version\n[1.0.0-28]\n- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)\n- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)\n- enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB\n environment variable is set (fixes CVE-2012-4929 #857051)\n- use __secure_getenv() everywhere instead of getenv() (#839735)\n[1.0.0-27]\n- fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)\n- drop superfluous lib64 fixup in pkgconfig .pc files (#770872)\n- force BIO_accept_new(*:\n) to listen on IPv4\n[1.0.0-26]\n- use PKCS#8 when writing private keys in FIPS mode as the old\n PEM encryption mode is not FIPS compatible (#812348)\n[1.0.0-25]\n- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)\n- properly initialize tkeylen in the CVE-2012-0884 fix\n[1.0.0-24]\n- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)\n[1.0.0-23]\n- fix problem with the SGC restart patch that might terminate handshake\n incorrectly\n- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)\n- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)\n[1.0.0-22]\n- fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes\n[1.0.0-21]\n- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery\n vulnerability and additional DTLS fixes (#771770)\n- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)\n- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)\n- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)\n[1.0.0-20]\n- fix x86cpuid.pl - patch by Paolo Bonzini\n[1.0.0-19]\n- add known answer test for SHA2 algorithms\n[1.0.0-18]\n- fix missing initialization of a variable in the CHIL engine (#740188)\n[1.0.0-17]\n- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207\n (#736087)\n[1.0.0-16]\n- merge the optimizations for AES-NI, SHA1, and RC4 from the intelx\n engine to the internal implementations\n[1.0.0-15]\n- better documentation of the available digests in apps (#693858)\n- backported CHIL engine fixes (#693863)\n- allow testing build without downstream patches (#708511)\n- enable partial RELRO when linking (#723994)\n- add intelx engine with improved performance on new Intel CPUs\n- add OPENSSL_DISABLE_AES_NI environment variable which disables\n the AES-NI support (does not affect the intelx engine)\n[1.0.0-14]\n- use the AES-NI engine in the FIPS mode\n[1.0.0-11]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0-10]\n- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)\n- correct the README.FIPS document\n[1.0.0-8]\n- add -x931 parameter to openssl genrsa command to use the ANSI X9.31\n key generation method\n- use FIPS-186-3 method for DSA parameter generation\n- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable\n to allow using MD5 when the system is in the maintenance state\n even if the /proc fips flag is on\n- make openssl pkcs12 command work by default in the FIPS mode\n[1.0.0-7]\n- listen on ipv6 wildcard in s_server so we accept connections\n from both ipv4 and ipv6 (#601612)\n- fix openssl speed command so it can be used in the FIPS mode\n with FIPS allowed ciphers (#619762)\n[1.0.0-6]\n- disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - CVE-2010-3864\n (#649304)\n[1.0.0-5]\n- fix race in extension parsing code - CVE-2010-3864 (#649304)\n[1.0.0-4]\n- openssl man page fix (#609484)\n[1.0.0-3]\n- fix wrong ASN.1 definition of OriginatorInfo - CVE-2010-0742 (#598738)\n- fix information leak in rsa_verify_recover - CVE-2010-1633 (#598732)\n[1.0.0-2]\n- make CA dir readable - the private keys are in private subdir (#584810)\n- a few fixes from upstream CVS\n- make X509_NAME_hash_old work in FIPS mode (#568395)\n[1.0.0-1]\n- update to final 1.0.0 upstream release\n[1.0.0-0.22.beta5]\n- make TLS work in the FIPS mode\n[1.0.0-0.21.beta5]\n- gracefully handle zero length in assembler implementations of\n OPENSSL_cleanse (#564029)\n- do not fail in s_server if client hostname not resolvable (#561260)\n[1.0.0-0.20.beta5]\n- new upstream release\n[1.0.0-0.19.beta4]\n- fix CVE-2009-4355 - leak in applications incorrectly calling\n CRYPTO_free_all_ex_data() before application exit (#546707)\n- upstream fix for future TLS protocol version handling\n[1.0.0-0.18.beta4]\n- add support for Intel AES-NI\n[1.0.0-0.17.beta4]\n- upstream fix compression handling on session resumption\n- various null checks and other small fixes from upstream\n- upstream changes for the renegotiation info according to the latest draft\n[1.0.0-0.16.beta4]\n- fix non-fips mingw build (patch by Kalev Lember)\n- add IPV6 fix for DTLS\n[1.0.0-0.15.beta4]\n- add better error reporting for the unsafe renegotiation\n[1.0.0-0.14.beta4]\n- fix build on s390x\n[1.0.0-0.13.beta4]\n- disable enforcement of the renegotiation extension on the client (#537962)\n- add fixes from the current upstream snapshot\n[1.0.0-0.12.beta4]\n- keep the beta status in version number at 3 so we do not have to rebuild\n openssh and possibly other dependencies with too strict version check\n[1.0.0-0.11.beta4]\n- update to new upstream version, no soname bump needed\n- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used\n so the compatibility with unfixed clients is not broken. The\n protocol extension is also not final.\n[1.0.0-0.10.beta3]\n- fix use of freed memory if SSL_CTX_free() is called before\n SSL_free() (#521342)\n[1.0.0-0.9.beta3]\n- fix typo in DTLS1 code (#527015)\n- fix leak in error handling of d2i_SSL_SESSION()\n[1.0.0-0.8.beta3]\n- fix RSA and DSA FIPS selftests\n- reenable fixed x86_64 camellia assembler code (#521127)\n[1.0.0-0.7.beta3]\n- temporarily disable x86_64 camellia assembler code (#521127)\n[1.0.0-0.6.beta3]\n- fix openssl dgst -dss1 (#520152)\n[1.0.0-0.5.beta3]\n- drop the compat symlink hacks\n[1.0.0-0.4.beta3]\n- constify SSL_CIPHER_description()\n[1.0.0-0.3.beta3]\n- fix WWW:Curl:Easy reference in tsget\n[1.0.0-0.2.beta3]\n- enable MD-2\n[1.0.0-0.1.beta3]\n- update to new major upstream release\n[0.9.8k-7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild\n* Wed Jul 22 2009 Bill Nottingham \n- do not build special 'optimized' versions for i686, as that's the base\n arch in Fedora now\n[0.9.8k-6]\n- abort if selftests failed and random number generator is polled\n- mention EVP_aes and EVP_sha2xx routines in the manpages\n- add README.FIPS\n- make CA dir absolute path (#445344)\n- change default length for RSA key generation to 2048 (#484101)\n[0.9.8k-5]\n- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379\n (DTLS DoS problems) (#501253, #501254, #501572)\n[0.9.8k-4]\n- support compatibility DTLS mode for CISCO AnyConnect (#464629)\n[0.9.8k-3]\n- correct the SHLIB_VERSION define\n[0.9.8k-2]\n- add support for multiple CRLs with same subject\n- load only dynamic engine support in FIPS mode\n[0.9.8k-1]\n- update to new upstream release (minor bug fixes, security\n fixes and machine code optimizations only)\n[0.9.8j-10]\n- move libraries to /usr/lib (#239375)\n[0.9.8j-9]\n- add a static subpackage\n[0.9.8j-8]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n[0.9.8j-7]\n- must also verify checksum of libssl.so in the FIPS mode\n- obtain the seed for FIPS rng directly from the kernel device\n- drop the temporary symlinks\n[0.9.8j-6]\n- drop the temporary triggerpostun and symlinking in post\n- fix the pkgconfig files and drop the unnecessary buildrequires\n on pkgconfig as it is a rpmbuild dependency (#481419)\n[0.9.8j-5]\n- add temporary triggerpostun to reinstate the symlinks\n[0.9.8j-4]\n- no pairwise key tests in non-fips mode (#479817)\n[0.9.8j-3]\n- even more robust test for the temporary symlinks\n[0.9.8j-2]\n- try to ensure the temporary symlinks exist\n[0.9.8j-1]\n- new upstream version with necessary soname bump (#455753)\n- temporarily provide symlink to old soname to make it possible to rebuild\n the dependent packages in rawhide\n- add eap-fast support (#428181)\n- add possibility to disable zlib by setting\n- add fips mode support for testing purposes\n- do not null dereference on some invalid smime files\n- add buildrequires pkgconfig (#479493)\n[0.9.8g-11]\n- do not add tls extensions to server hello for SSLv3 either\n[0.9.8g-10]\n- move root CA bundle to ca-certificates package\n[0.9.8g-9]\n- fix CVE-2008-0891 - server name extension crash (#448492)\n- fix CVE-2008-1672 - server key exchange message omit crash (#448495)\n[0.9.8g-8]\n- super-H arch support\n- drop workaround for bug 199604 as it should be fixed in gcc-4.3\n[0.9.8g-7]\n- sparc handling\n[0.9.8g-6]\n- update to new root CA bundle from mozilla.org (r1.45)\n[0.9.8g-5]\n- Autorebuild for GCC 4.3\n[0.9.8g-4]\n- merge review fixes (#226220)\n- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)\n[0.9.8g-3]\n- set default paths when no explicit paths are set (#418771)\n- do not add tls extensions to client hello for SSLv3 (#422081)\n[0.9.8g-2]\n- enable some new crypto algorithms and features\n- add some more important bug fixes from openssl CVS\n[0.9.8g-1]\n- update to latest upstream release, SONAME bumped to 7\n[0.9.8b-17]\n- update to new CA bundle from mozilla.org\n[0.9.8b-16]\n- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)\n- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)\n- add alpha sub-archs (#296031)\n[0.9.8b-15]\n- rebuild\n[0.9.8b-14]\n- use localhost in testsuite, hopefully fixes slow build in koji\n- CVE-2007-3108 - fix side channel attack on private keys (#250577)\n- make ssl session cache id matching strict (#233599)\n[0.9.8b-13]\n- allow building on ARM architectures (#245417)\n- use reference timestamps to prevent multilib conflicts (#218064)\n- -devel package must require pkgconfig (#241031)\n[0.9.8b-12]\n- detect duplicates in add_dir properly (#206346)\n[0.9.8b-11]\n- the previous change still didn't make X509_NAME_cmp transitive\n[0.9.8b-10]\n- make X509_NAME_cmp transitive otherwise certificate lookup\n is broken (#216050)\n[0.9.8b-9]\n- aliasing bug in engine loading, patch by IBM (#213216)\n[0.9.8b-8]\n- CVE-2006-2940 fix was incorrect (#208744)\n[0.9.8b-7]\n- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)\n- fix CVE-2006-2940 - parasitic public keys DoS (#207274)\n- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)\n- fix CVE-2006-4343 - sslv2 client DoS (#206940)\n[0.9.8b-6]\n- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)\n[0.9.8b-5]\n- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)\n patch by IBM\n[0.9.8b-4.1]\n- rebuild with new binutils (#200330)\n[0.9.8b-4]\n- add a temporary workaround for sha512 test failure on s390 (#199604)\n* Thu Jul 20 2006 Tomas Mraz \n- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)\n- add patches for BN threadsafety, AES cache collision attack hazard fix and\n pkcs7 code memleak fix from upstream CVS\n[0.9.8b-3.1]\n- rebuild\n[0.9.8b-3]\n- dropped libica and ica engine from build\n* Wed Jun 21 2006 Joe Orton \n- update to new CA bundle from mozilla.org; adds CA certificates\n from netlock.hu and startcom.org\n[0.9.8b-2]\n- fixed a few rpmlint warnings\n- better fix for #173399 from upstream\n- upstream fix for pkcs12\n[0.9.8b-1]\n- upgrade to new version, stays ABI compatible\n- there is no more linux/config.h (it was empty anyway)\n[0.9.8a-6]\n- fix stale open handles in libica (#177155)\n- fix build if 'rand' or 'passwd' in buildroot path (#178782)\n- initialize VIA Padlock engine (#186857)\n[0.9.8a-5.2]\n- bump again for double-long bug on ppc(64)\n[0.9.8a-5.1]\n- rebuilt for new gcc4.1 snapshot and glibc changes\n[0.9.8a-5]\n- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\n in SSL_OP_ALL (#175779)\n* Fri Dec 09 2005 Jesse Keating \n- rebuilt\n[0.9.8a-4]\n- fix build (-lcrypto was erroneusly dropped) of the updated libica\n- updated ICA engine to 1.3.6-rc3\n[0.9.8a-3]\n- disable builtin compression methods for now until they work\n properly (#173399)\n[0.9.8a-2]\n- don't set -rpath for openssl binary\n[0.9.8a-1]\n- new upstream version\n- patches partially renumbered\n[0.9.7f-11]\n- updated IBM ICA engine library and patch to latest upstream version\n[0.9.7f-10]\n- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which\n disables the countermeasure against man in the middle attack in SSLv2\n (#169863)\n- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)\n[0.9.7f-9]\n- add *.so.soversion as symlinks in /lib (#165264)\n- remove unpackaged symlinks (#159595)\n- fixes from upstream (constant time fixes for DSA,\n bn assembler div on ppc arch, initialize memory on realloc)\n[0.9.7f-8]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7f-7]\n- fix CAN-2005-0109 - use constant time/memory access mod_exp\n so bits of private key aren't leaked by cache eviction (#157631)\n- a few more fixes from upstream 0.9.7g\n[0.9.7f-6]\n- use poll instead of select in rand (#128285)\n- fix Makefile.certificate to point to /etc/pki/tls\n- change the default string mask in ASN1 to PrintableString+UTF8String\n[0.9.7f-5]\n- update to revision 1.37 of Mozilla CA bundle\n[0.9.7f-4]\n- move certificates to _sysconfdir/pki/tls (#143392)\n- move CA directories to _sysconfdir/pki/CA\n- patch the CA script and the default config so it points to the\n CA directories\n[0.9.7f-3]\n- uninitialized variable mustn't be used as input in inline\n assembly\n- reenable the x86_64 assembly again\n[0.9.7f-2]\n- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken\n- disable broken bignum assembly on x86_64\n[0.9.7f-1]\n- reenable optimizations on ppc64 and assembly code on ia64\n- upgrade to new upstream version (no soname bump needed)\n- disable thread test - it was testing the backport of the\n RSA blinding - no longer needed\n- added support for changing serial number to\n Makefile.certificate (#151188)\n- make ca-bundle.crt a config file (#118903)\n[0.9.7e-3]\n- libcrypto shouldn't depend on libkrb5 (#135961)\n[0.9.7e-2]\n- rebuild\n[0.9.7e-1]\n- new upstream source, updated patches\n- added patch so we are hopefully ABI compatible with upcoming\n 0.9.7f\n* Thu Feb 10 2005 Tomas Mraz \n- Support UTF-8 charset in the Makefile.certificate (#134944)\n- Added cmp to BuildPrereq\n[0.9.7a-46]\n- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)\n[0.9.7a-45]\n- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)\n[0.9.7a-44]\n- rebuild\n[0.9.7a-43]\n- rebuild\n[0.9.7a-42]\n- rebuild\n[0.9.7a-41]\n- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)\n[0.9.7a-40]\n- Include latest libica version with important bugfixes\n* Tue Jun 15 2004 Elliot Lee \n- rebuilt\n[0.9.7a-38]\n- Updated ICA engine IBM patch to latest upstream version.\n[0.9.7a-37]\n- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)\n[0.9.7a-36]\n- handle %{_arch}=i486/i586/i686/athlon cases in the intermediate\n header (#124303)\n[0.9.7a-35]\n- add security fixes for CAN-2004-0079, CAN-2004-0112\n* Tue Mar 16 2004 Phil Knirsch \n- Fixed libica filespec.\n[0.9.7a-34]\n- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix\n the intermediate header\n[0.9.7a-33]\n- add an intermediate \n which points to the right\n arch-specific opensslconf.h on multilib arches\n* Tue Mar 02 2004 Elliot Lee \n- rebuilt\n[0.9.7a-32]\n- Updated libica to latest upstream version 1.3.5.\n[0.9.7a-31]\n- Update ICA crypto engine patch from IBM to latest version.\n* Fri Feb 13 2004 Elliot Lee \n- rebuilt\n[0.9.7a-29]\n- rebuilt\n[0.9.7a-28]\n- Fixed libica build.\n* Wed Feb 04 2004 Nalin Dahyabhai \n- add '-ldl' to link flags added for Linux-on-ARM (#99313)\n[0.9.7a-27]\n- updated ca-bundle.crt: removed expired GeoTrust roots, added\n freessl.com root, removed trustcenter.de Class 0 root\n[0.9.7a-26]\n- Fix link line for libssl (bug #111154).\n[0.9.7a-25]\n- add dependency on zlib-devel for the -devel package, which depends on zlib\n symbols because we enable zlib for libssl (#102962)\n[0.9.7a-24]\n- Use /dev/urandom instead of PRNG for libica.\n- Apply libica-1.3.5 fix for /dev/urandom in icalinux.c\n- Use latest ICA engine patch from IBM.\n[0.9.7a-22.1]\n- rebuild\n[0.9.7a-22]\n- rebuild (22 wasn't actually built, fun eh?)\n[0.9.7a-23]\n- re-disable optimizations on ppc64\n* Tue Sep 30 2003 Joe Orton \n- add a_mbstr.c fix for 64-bit platforms from CVS\n[0.9.7a-22]\n- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged\n as not needing executable stacks\n[0.9.7a-21]\n- rebuild\n* Thu Sep 25 2003 Nalin Dahyabhai \n- re-enable optimizations on ppc64\n* Thu Sep 25 2003 Nalin Dahyabhai \n- remove exclusivearch\n[0.9.7a-20]\n- only parse a client cert if one was requested\n- temporarily exclusivearch for %{ix86}\n* Tue Sep 23 2003 Nalin Dahyabhai \n- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)\n and heap corruption (CAN-2003-0545)\n- update RHNS-CA-CERT files\n- ease back on the number of threads used in the threading test\n[0.9.7a-19]\n- rebuild to fix gzipped file md5sums (#91211)\n[0.9.7a-18]\n- Updated libica to version 1.3.4.\n[0.9.7a-17]\n- rebuild\n[0.9.7a-10.9]\n- free the kssl_ctx structure when we free an SSL structure (#99066)\n[0.9.7a-16]\n- rebuild\n[0.9.7a-15]\n- lower thread test count on s390x\n[0.9.7a-14]\n- rebuild\n[0.9.7a-13]\n- disable assembly on arches where it seems to conflict with threading\n[0.9.7a-12]\n- Updated libica to latest upstream version 1.3.0\n[0.9.7a-9.9]\n- rebuild\n[0.9.7a-11]\n- rebuild\n[0.9.7a-10]\n- ubsec: don't stomp on output data which might also be input data\n[0.9.7a-9]\n- temporarily disable optimizations on ppc64\n* Mon Jun 09 2003 Nalin Dahyabhai \n- backport fix for engine-used-for-everything from 0.9.7b\n- backport fix for prng not being seeded causing problems, also from 0.9.7b\n- add a check at build-time to ensure that RSA is thread-safe\n- keep perlpath from stomping on the libica configure scripts\n* Fri Jun 06 2003 Nalin Dahyabhai \n- thread-safety fix for RSA blinding\n[0.9.7a-8]\n- rebuilt\n[0.9.7a-7]\n- Added libica-1.2 to openssl (featurerequest).\n[0.9.7a-6]\n- fix building with incorrect flags on ppc64\n[0.9.7a-5]\n- add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's\n attack (CAN-2003-0131)\n[ 0.9.7a-4]\n- add patch to enable RSA blinding by default, closing a timing attack\n (CAN-2003-0147)\n[0.9.7a-3]\n- disable use of BN assembly module on x86_64, but continue to allow inline\n assembly (#83403)\n[0.9.7a-2]\n- disable EC algorithms\n[0.9.7a-1]\n- update to 0.9.7a\n[0.9.7-8]\n- add fix to guard against attempts to allocate negative amounts of memory\n- add patch for CAN-2003-0078, fixing a timing attack\n[0.9.7-7]\n- Add openssl-ppc64.patch\n[0.9.7-6]\n- EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),\n to get the right behavior when passed uninitialized context structures\n (#83766)\n- build with -mcpu=ev5 on alpha family (#83828)\n* Wed Jan 22 2003 Tim Powers \n- rebuilt\n[0.9.7-4]\n- Added IBM hw crypto support patch.\n* Wed Jan 15 2003 Nalin Dahyabhai \n- add missing builddep on sed\n[0.9.7-3]\n- debloat\n- fix broken manpage symlinks\n[0.9.7-2]\n- fix double-free in 'openssl ca'\n[0.9.7-1]\n- update to 0.9.7 final\n[0.9.7-0]\n- update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n* Wed Dec 11 2002 Nalin Dahyabhai \n- update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)\n[0.9.6b-30]\n- add configuration stanza for x86_64 and use it on x86_64\n- build for linux-ppc on ppc\n- start running the self-tests again\n[0.9.6b-29hammer.3]\n- Merge fixes from previous hammer packages, including general x86-64 and\n multilib\n[0.9.6b-29]\n- rebuild\n[0.9.6b-28]\n- update asn patch to fix accidental reversal of a logic check\n[0.9.6b-27]\n- update asn patch to reduce chance that compiler optimization will remove\n one of the added tests\n[0.9.6b-26]\n- rebuild\n[0.9.6b-25]\n- add patch to fix ASN.1 vulnerabilities\n[0.9.6b-24]\n- add backport of Ben Laurie's patches for OpenSSL 0.9.6d\n[0.9.6b-23]\n- own {_datadir}/ssl/misc\n* Fri Jun 21 2002 Tim Powers \n- automated rebuild\n* Sun May 26 2002 Tim Powers \n- automated rebuild\n[0.9.6b-20]\n- free ride through the build system (whee!)\n[0.9.6b-19]\n- rebuild in new environment\n[0.9.6b-17, 0.9.6b-18]\n- merge RHL-specific bits into stronghold package, rename\n[stronghold-0.9.6c-2]\n- add support for Chrysalis Luna token\n* Tue Mar 26 2002 Gary Benson \n- disable AEP random number generation, other AEP fixes\n[0.9.6b-15]\n- only build subpackages on primary arches\n[0.9.6b-13]\n- on ia32, only disable use of assembler on i386\n- enable assembly on ia64\n[0.9.6b-11]\n- fix sparcv9 entry\n[stronghold-0.9.6c-1]\n- upgrade to 0.9.6c\n- bump BuildArch to i686 and enable assembler on all platforms\n- synchronise with shrimpy and rawhide\n- bump soversion to 3\n* Wed Oct 10 2001 Florian La Roche \n- delete BN_LLONG for s390x, patch from Oliver Paukstadt\n[0.9.6b-9]\n- update AEP driver patch\n* Mon Sep 10 2001 Nalin Dahyabhai \n- adjust RNG disabling patch to match version of patch from Broadcom\n[0.9.6b-8]\n- disable the RNG in the ubsec engine driver\n[0.9.6b-7]\n- tweaks to the ubsec engine driver\n[0.9.6b-6]\n- tweaks to the ubsec engine driver\n[0.9.6b-5]\n- update ubsec engine driver from Broadcom\n[0.9.6b-4]\n- move man pages back to %{_mandir}/man?/foo.?ssl from\n %{_mandir}/man?ssl/foo.?\n- add an [ engine ] section to the default configuration file\n* Thu Aug 09 2001 Nalin Dahyabhai \n- add a patch for selecting a default engine in SSL_library_init()\n[0.9.6b-3]\n- add patches for AEP hardware support\n- add patch to keep trying when we fail to load a cert from a file and\n there are more in the file\n- add missing prototype for ENGINE_ubsec() in engine_int.h\n[0.9.6b-2]\n- actually add hw_ubsec to the engine list\n* Tue Jul 17 2001 Nalin Dahyabhai \n- add in the hw_ubsec driver from CVS\n[0.9.6b-1]\n- update to 0.9.6b\n* Thu Jul 05 2001 Nalin Dahyabhai \n- move .so symlinks back to %{_libdir}\n* Tue Jul 03 2001 Nalin Dahyabhai \n- move shared libraries to /lib (#38410)\n* Mon Jun 25 2001 Nalin Dahyabhai \n- switch to engine code base\n* Mon Jun 18 2001 Nalin Dahyabhai \n- add a script for creating dummy certificates\n- move man pages from %{_mandir}/man?/foo.?ssl to %{_mandir}/man?ssl/foo.?\n* Thu Jun 07 2001 Florian La Roche \n- add s390x support\n* Fri Jun 01 2001 Nalin Dahyabhai \n- change two memcpy() calls to memmove()\n- don't define L_ENDIAN on alpha\n[stronghold-0.9.6a-1]\n- Add 'stronghold-' prefix to package names.\n- Obsolete standard openssl packages.\n* Wed May 16 2001 Joe Orton \n- Add BuildArch: i586 as per Nalin's advice.\n* Tue May 15 2001 Joe Orton \n- Enable assembler on ix86 (using new .tar.bz2 which does\n include the asm directories).\n* Tue May 15 2001 Nalin Dahyabhai \n- make subpackages depend on the main package\n* Tue May 01 2001 Nalin Dahyabhai \n- adjust the hobble script to not disturb symlinks in include/ (fix from\n Joe Orton)\n* Fri Apr 27 2001 Nalin Dahyabhai \n- drop the m2crypo patch we weren't using\n* Tue Apr 24 2001 Nalin Dahyabhai \n- configure using 'shared' as well\n* Sun Apr 08 2001 Nalin Dahyabhai \n- update to 0.9.6a\n- use the build-shared target to build shared libraries\n- bump the soversion to 2 because we're no longer compatible with\n our 0.9.5a packages or our 0.9.6 packages\n- drop the patch for making rsatest a no-op when rsa null support is used\n- put all man pages into \nssl instead of \n- break the m2crypto modules into a separate package\n* Tue Mar 13 2001 Nalin Dahyabhai \n- use BN_LLONG on s390\n* Mon Mar 12 2001 Nalin Dahyabhai \n- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)\n* Sat Mar 03 2001 Nalin Dahyabhai \n- move c_rehash to the perl subpackage, because it's a perl script now\n* Fri Mar 02 2001 Nalin Dahyabhai \n- update to 0.9.6\n- enable MD2\n- use the libcrypto.so and libssl.so targets to build shared libs with\n- bump the soversion to 1 because we're no longer compatible with any of\n the various 0.9.5a packages circulating around, which provide lib*.so.0\n* Wed Feb 28 2001 Florian La Roche \n- change hobble-openssl for disabling MD2 again\n* Tue Feb 27 2001 Nalin Dahyabhai \n- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152\n bytes or so, causing EVP_DigestInit() to zero out stack variables in\n apps built against a version of the library without it\n* Mon Feb 26 2001 Nalin Dahyabhai \n- disable some inline assembly, which on x86 is Pentium-specific\n- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)\n* Thu Feb 08 2001 Florian La Roche \n- fix s390 patch\n* Fri Dec 08 2000 Than Ngo \n- added support s390\n* Mon Nov 20 2000 Nalin Dahyabhai \n- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)\n- add the CA.pl man page to the perl subpackage\n* Thu Nov 02 2000 Nalin Dahyabhai \n- always build with -mcpu=ev5 on alpha\n* Tue Oct 31 2000 Nalin Dahyabhai \n- add a symlink from cert.pem to ca-bundle.crt\n* Wed Oct 25 2000 Nalin Dahyabhai \n- add a ca-bundle file for packages like Samba to reference for CA certificates\n* Tue Oct 24 2000 Nalin Dahyabhai \n- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)\n* Mon Oct 02 2000 Nalin Dahyabhai \n- add unzip as a buildprereq (#17662)\n- update m2crypto to 0.05-snap4\n* Tue Sep 26 2000 Bill Nottingham \n- fix some issues in building when it's not installed\n* Wed Sep 06 2000 Nalin Dahyabhai \n- make sure the headers we include are the ones we built with (aaaaarrgh!)\n* Fri Sep 01 2000 Nalin Dahyabhai \n- add Richard Henderson's patch for BN on ia64\n- clean up the changelog\n* Tue Aug 29 2000 Nalin Dahyabhai \n- fix the building of python modules without openssl-devel already installed\n* Wed Aug 23 2000 Nalin Dahyabhai \n- byte-compile python extensions without the build-root\n- adjust the makefile to not remove temporary files (like .key files when\n building .csr files) by marking them as .PRECIOUS\n* Sat Aug 19 2000 Nalin Dahyabhai \n- break out python extensions into a subpackage\n* Mon Jul 17 2000 Nalin Dahyabhai \n- tweak the makefile some more\n* Tue Jul 11 2000 Nalin Dahyabhai \n- disable MD2 support\n* Thu Jul 06 2000 Nalin Dahyabhai \n- disable MDC2 support\n* Sun Jul 02 2000 Nalin Dahyabhai \n- tweak the disabling of RC5, IDEA support\n- tweak the makefile\n* Thu Jun 29 2000 Nalin Dahyabhai \n- strip binaries and libraries\n- rework certificate makefile to have the right parts for Apache\n* Wed Jun 28 2000 Nalin Dahyabhai \n- use %{_perl} instead of /usr/bin/perl\n- disable alpha until it passes its own test suite\n* Fri Jun 09 2000 Nalin Dahyabhai \n- move the passwd.1 man page out of the passwd package's way\n* Fri Jun 02 2000 Nalin Dahyabhai \n- update to 0.9.5a, modified for U.S.\n- add perl as a build-time requirement\n- move certificate makefile to another package\n- disable RC5, IDEA, RSA support\n- remove optimizations for now\n* Wed Mar 01 2000 Florian La Roche \n- Bero told me to move the Makefile into this package\n* Wed Mar 01 2000 Florian La Roche \n- add lib*.so symlinks to link dynamically against shared libs\n* Tue Feb 29 2000 Florian La Roche \n- update to 0.9.5\n- run ldconfig directly in post/postun\n- add FAQ\n* Sat Dec 18 1999 Bernhard Rosenkrdnzer \n- Fix build on non-x86 platforms\n* Fri Nov 12 1999 Bernhard Rosenkrdnzer \n- move /usr/share/ssl/* from -devel to main package\n* Tue Oct 26 1999 Bernhard Rosenkrdnzer \n- inital packaging\n- changes from base:\n - Move /usr/local/ssl to /usr/share/ssl for FHS compliance\n - handle RPM_OPT_FLAGS", "modified": "2019-08-16T00:00:00", "published": "2019-08-16T00:00:00", "id": "ELSA-2019-4747", "href": "http://linux.oracle.com/errata/ELSA-2019-4747.html", "title": "openssl security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}