SB2012051603 - SUSE Linux update for openssl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012051603

SB2012051603 - SUSE Linux update for openssl

Published: May 16, 2012

Security Bulletin ID SB2012051603
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2012-2110)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.


2) Input validation error (CVE-ID: CVE-2012-2131)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.


Remediation

Install update from vendor's website.

References