[ISN] Open-source group plugs three holes

From: InfoSec News (isn@private)
Date: Thu Oct 02 2003 - 02:46:09 PDT

    http://news.com.com/2100-1002_3-5085327.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    October 1, 2003
    
    An open-source group that maintains software for securing
    communications released a patch on Tuesday to fix several
    vulnerabilities that were found during a security test by the U.K.
    government.
    
    The security flaws exist in the OpenSSL Project's version of the
    secure sockets layer (SSL) software used by Web sites and browsers to
    cryptographically secure data. Two of the flaws could lead to a
    denial-of-service attack, and a third may allow an attacker to break
    into a system from the Internet.
    
    The flaws were found when the U.K. government put the software through
    rigorous testing, said Mark Cox, a developer on the OpenSSL security
    team.
    
    "We certainly know of no exploits yet," he said. "These were found by
    the good guys."
    
    The OpenSSL Project, not to be confused with the OpenSSH project (SSH
    stands for secure shell), which has patched its software twice in the
    last month, develops and maintains an open-source version of SSL
    software. A year ago, the Slapper worm infected Linux computers that
    hadn't been patched to fix a different hole in the same software.
    
    Cox said that a specially crafted digital certificate could crash the
    OpenSSL software through either of two flaws, causing a
    denial-of-service attack. The third flaw could result in a security
    hole that could allow online vandals to attack a server or enable a
    worm to spread. All versions of OpenSSL, up to and including 0.9.6j
    and 0.9.7b, are affected, according to an advisory issued by the
    group.
    
    So far, most Linux distributors, including Red Hat and SuSE, have
    released patches for the flaws. Cisco Systems also has released
    patches. The networking gear maker uses the software in a number of
    its products.
    
    