OpenSSL: Multiple Vulnerabilities

Users of OpenSSL, please be advised that multiple vulnerabilities have been identified.
To view these vulnerabilities, possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

FreeBSD-SA-10:10.openssl: [FreeBSD-SA-10:10] OpenSSL multiple vulnerabilities
I. Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism. The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]
II. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864]

It may be possible to cause a DoS or potentially execute arbitrary code in
the context of the user connection to a malicious SSL server. [CVE-2010-2939]
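The advisory above does not list which OpenSSL releases carry the fixes, so the first thing a practitioner wants is a quick way to sort version strings into affected and fixed. The following POSIX sh script is an added example, not part of the FreeBSD or Critical Watch advisory. It assumes the upstream fix releases were 0.9.8p and 1.0.0b (the releases that shipped both fixes, as far as I know; confirm against your vendor's advisory before relying on those thresholds) and understands OpenSSL's patch-letter scheme, where a..z is followed by za, zb and so on. The sample banners in the loop are constructed, not real system output.

```sh
#!/bin/sh
# Added example (not from the FreeBSD or Critical Watch advisory): classify an
# OpenSSL version string against the upstream fix releases for CVE-2010-3864
# and CVE-2010-2939.
#
# ASSUMPTION: the fixes shipped in OpenSSL 0.9.8p and 1.0.0b. The advisory
# itself lists no versions, so confirm the thresholds with your vendor.

# letter_ge A B: exit 0 if OpenSSL patch-letter A is the same as or newer than B.
# Letters run a..z, then za, zb, ..., so a longer suffix is always newer and
# equal-length suffixes compare as plain strings. An empty suffix (e.g. "1.0.0")
# is the base release and therefore older than any lettered release.
letter_ge() {
    a=$1; b=$2
    [ -n "$a" ] || return 1
    if [ "${#a}" -ne "${#b}" ]; then
        [ "${#a}" -gt "${#b}" ]
        return $?
    fi
    expr "$a" \>= "$b" >/dev/null
}

# openssl_version_from_banner "OpenSSL 0.9.8o 01 Jun 2010" -> 0.9.8o
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# classify_openssl_version VERSION: prints "affected", "fixed" or "unknown".
# Accepts forms such as 0.9.8o, 1.0.0, 1.0.0b-fips and 0.9.8zh.
classify_openssl_version() {
    v=$1
    base=$(printf '%s\n' "$v" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    suffix=$(printf '%s\n' "$v" | sed 's/^[0-9][0-9.]*//; s/[^a-z].*//')
    case "$base" in
        0.9.8)  needed=p ;;                 # fixed in 0.9.8p (assumption, see above)
        1.0.0)  needed=b ;;                 # fixed in 1.0.0b (assumption, see above)
        0.*)    echo affected; return 0 ;;  # 0.9.7 and earlier never received these fixes
        [1-9]*) echo fixed; return 0 ;;     # 1.0.1 and later branches postdate both fixes
        *)      echo unknown; return 0 ;;   # not an OpenSSL version string
    esac
    if letter_ge "$suffix" "$needed"; then
        echo fixed
    else
        echo affected
    fi
}

# Constructed sample banners (not real system output) to show the classification.
for banner in \
    "OpenSSL 0.9.8o 01 Jun 2010" \
    "OpenSSL 0.9.8p 16 Nov 2010" \
    "OpenSSL 1.0.0a 01 Jun 2010" \
    "OpenSSL 1.0.0b-fips 16 Nov 2010" \
    "OpenSSL 0.9.8zh 3 Dec 2015"
do
    ver=$(openssl_version_from_banner "$banner")
    printf '%-12s %s\n' "$ver" "$(classify_openssl_version "$ver")"
done

# Check the local binary if one is present. Caveat: a FreeBSD Security Advisory
# patch to the base-system OpenSSL does not bump the upstream patch letter, so
# on FreeBSD the version string alone cannot prove the SA-10:10 fix is applied;
# check the patch status (freebsd-update or the SA patch) instead.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl_version_from_banner "$(openssl version)")
    printf '%-12s %s (local binary)\n' "$local_ver" "$(classify_openssl_version "$local_ver")"
fi
```

The version check is only a first pass. For CVE-2010-3864 the upstream description limits exposure to multi-threaded servers that use OpenSSL's internal session cache, so a multi-process server, or one that has disabled internal caching, is not exposed to that bug even on an affected version; the double free in the ECDH client path has no such narrowing and simply needs the fixed release.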

Read more at http://www.criticalwatch.com
