OpenSSL CVE-2008-5077: Incorrect checks for malformed signatures

Tags: OpenBSD

    Some exploitable logic errors have been discovered in OpenSSL versions prior to 0.9.8j.
    These errors may permit an attacker to bypass validation of DSA/ECDSA certificates and
    conduct a "man in the middle attack" against SSL/TLS connection that use them.
    Fortunately, DSA and ECDSA certificates appear to be rarely used in practice.

    This vulnerability has been designated CVE-2008-5077.
    More information is available from the OpenSSL project at:

        http://www.openssl.org/news/secadv_20090107.txt

    Source code patches are available for OpenBSD 4.3 and 4.4. -current has been updated to OpenSSL 0.9.8j

    Patch for OpenBSD 4.3:

        ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch

    Patch for OpenBSD 4.4:

        ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch

    These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4 stable CVS branches.

Thanks Damien for the update. Start your patching!


from OpenBSD Journal

No Comments 2009-01-11 17:35:25 by No.0023

Comments:

You can leave a comment on this post if you login