[ISN] Fixes are in for OpenSSL

From: InfoSec News (isn@private)
Date: Thu Mar 18 2004 - 00:31:41 PST


    http://zdnet.com.com/2100-1105-5174911.html
    
    By Robert Lemos 
    CNET News.com
    March 17, 2004
    
    The group behind OpenSSL, a widely used open-source Web security
    program, released two patches for security flaws to block potential
    denial-of-service attacks, the organization's developers said on
    Wednesday.
    
    The flaws affect more than Linux systems that have the software
    installed. They could also hobble many routers and network devices
    that incorporate the software. Cisco Systems released an advisory on
    Wednesday, saying its PIX firewall devices and some routers could be
    affected.
    
    OpenSSL is an open implementation of Secure Sockets Layer (SSL)  
    encryption, which is used by almost all Web browsers as a way to
    secure data that travels over the public Internet. The software also
    forms the basis of a popular component of the Apache Web server, which
    accounts for more than two-thirds of the servers on the Internet.
    
    The flaws don't give an attacker the opportunity to take control of a
    computer or a device, but they do create the possibility for specially
    crafted data to crash the software. Such a denial-of-service attack
    could stop users from logging in to a server and prevent
    administrators from managing network devices. In some cases, the flaws
    will crash the device, causing wider network outages, according to
    several advisories.
    
    A survey conducted last November found that nearly half of the Web
    servers involved in the study ran a version of OpenSSL that hadn't
    been recently patched. A flaw in the Web server component based on
    OpenSSL was responsible for allowing the Linux Slapper worm to spread
    in September 2002.
    
    Red Hat and Novell's SuSE Linux subsidiary both ship Linux systems
    that incorporate OpenSSL.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


