OpenSSL Security Advisory [25-Mar-2009](情報元のブックマーク数)
OpenSSLにセキュリティアドバイザリが出ているとの事。OpenSSL 0.9.8kで修正されているとの事。
ASN1 printing crash
===================The function ASN1_STRING_print_ex() when used to print a BMPString or
UniversalString will crash with an invalid memory access if the encoded length
of the string is illegal. (CVE-2009-0590)Any OpenSSL application which prints out the contents of a certificate could
be affected by this bug, including SSL servers, clients and S/MIME software.Users of OpenSSL 0.9.8j or earlier should update to 0.9.8k which contains a
patch to correct this issue.Incorrect Error Checking During CMS verification.
=================================================The function CMS_verify() does not correctly handle an error condition
involving malformed signed attributes. This will cause an invalid set
of signed attributes to appear valid and content digests will not be
checked. (CVE-2009-0591)These malformed attributes cannot be generated without access to he signer's
private key so an attacker cannot forge signatures. A valid signer could
however generate an invalid signature which appears valid and later repudiate
the signature.The older PKCS#7 code is not affected.
This issue only affects CMS users: CMS is only present in OpenSSL 0.9.8h and
later where it is disabled by default and 0.9.9-dev.Users of OpenSSL CMS code should update to 0.9.8k which contains a patch
to correct this issue.Thanks to Ivan Nestlerode of IBM for reporting this issue.
Invalid ASN1 clearing check
===========================When a malformed ASN1 structure is received it's contents are freed up and
zeroed and an error condition returned. On a small number of platforms where
sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid
memory access later resulting in a crash when some invalid structures are
read, for example RSA public keys (CVE-2009-0789).Any OpenSSL application which uses the public key of an untrusted certificate
could be crashed by a malformed structure. Including SSL servers, clients,
CA and S/MIME software.Users of OpenSSL 0.9.8j or earlier on affected platforms should update to
0.9.8k which contains a patch to correct this issue.Thanks to Paolo Ganci for reporting this issue.
http://www.openssl.org/news/secadv_20090325.txt
