Detections
Analytics

Debian DSA-393-1 : openssl - denial of service

medium Nessus Plugin ID 15230

Synopsis

The remote Debian host is missing a security-related update.

Description

Dr. Stephen Henson (), using a test suite provided by NISCC (), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability.
However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.

Solution

For the current stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.4.

We recommend that you update your openssl package. Note that you will need to restart services which use the libssl library for this update to take effect.

See Also

http://www.debian.org/security/2003/dsa-393

Plugin Details

Severity: Medium

ID: 15230

File Name: debian_DSA-393.nasl

Version: 1.30

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:openssl, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/1/2003

Vulnerability Publication Date: 7/14/2003

Reference Information

CVE: CVE-2003-0543, CVE-2003-0544

BID: 8732

DSA: 393