Bouncycastle OpenSSL畸形ASN.1结构处理拒绝服务漏洞

漏洞信息详情

Bouncycastle OpenSSL畸形ASN.1结构处理拒绝服务漏洞

• CNNVD编号：CNNVD-200903-494
• 危害等级： 超危
  
  
• CVE编号：
  CVE-2007-6721
  
• 漏洞类型：
  
  
  资料不足
  
• 发布时间：
  
  2001-10-16
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2009-03-30
  
• 厂        商：
  
  bouncycastle
• 漏洞来源：
  Dr. S. N. Henson N…

OpenSSL是OpenSSL团队开发的一个开源的能够实现安全套接层（SSL v2/v3）和安全传输层（TLS v1）协议的通用加密库，它支持多种加密算法，包括对称密码、哈希算法、安全散列算法等。

OpenSSL的协议处理实现上存在漏洞，远程攻击者可能利用此漏洞在服务器执行拒绝服务攻击。

在解析某些无效的ASN.1结构时OpenSSL可能没有正确地处理出错情况，导致死循环。通过触发这个死循环，攻击者可能导致拒绝服务。

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Debian

Debian已经为此发布了一个安全公告(DSA-1185-1)以及相应补丁:

DSA-1185-1：New openssl packages fix denial of service

链接：http://www.debian.org/security/2005/dsa-1185

补丁下载：

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.diff.gz

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_alpha.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_alpha.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_alpha.deb

AMD64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_amd64.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_amd64.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_amd64.deb

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_arm.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_arm.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_arm.deb

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_hppa.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_hppa.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_hppa.deb

Intel IA-32 architecture:

ebian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_i386.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_i386.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_i386.deb

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_ia64.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_ia64.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_ia64.deb

Motorola 680×0 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_m68k.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_m68k.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_m68k.deb

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mips.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mips.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mips.deb

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mipsel.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mipsel.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mipsel.deb

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_powerpc.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_powerpc.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_powerpc.deb

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_s390.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_s390.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_s390.deb

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_sparc.deb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_sparc.deb

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_sparc.deb

来源: MLIST

名称: [dev-crypto] 20071109 Bouncy Castle Crypto Provider Package version 1.36 now available

链接: http://www.bouncycastle.org/devmailarchive/msg08195.html

来源: www.bouncycastle.org

链接: http://www.bouncycastle.org/csharp/

来源: OSVDB

名称: 50360

链接: http://www.osvdb.org/50360

来源: OSVDB

名称: 50359

链接: http://www.osvdb.org/50359

来源: OSVDB

名称: 50358

链接: http://www.osvdb.org/50358

来源: www.bouncycastle.org

链接: http://www.bouncycastle.org/releasenotes.html

来源: freshmeat.net

链接: http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580