-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0056
Title: OpenSSL Security Advisory - ASN1 BIO vulnerability[1]
Version history: 20.04.2012 Initial publication

Summary
=======

A potentially exploitable vulnerability has been discovered in the OpenSSL function asn1_d2i_read_bio. Incorrect integer conversions in OpenSSL can result in memory corruption.[3]

CVE-2012-2110
CVSS v2 Base Score: 7.5 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:P) [2,4]

Vulnerable systems
==================

Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp.[1]

What can you do?
================

Affected users should upgrade to OpenSSL 1.0.1a, 1.0.0i or 0.9.8v.

What to tell your users?
========================

N/A

More information
================

[1] http://www.openssl.org/news/secadv_20120419.txt
[2] https://access.redhat.com/security/cve/CVE-2012-2110
[3] http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPkVS3OhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4NJshAApqkhNEFd
OUes+8hPmCQUzygPJBUpj5ur0pRuUOAzzv95N7zU4DTlryJUxTxMHPEfXA/kfad+
t9i5XEVHrZO2jQyWfUTxQDaG6SaYVQl+y053q43ySJ/nA6kE6m9brluIQDMcaqoF
tMc5Z2pPO6RfuWotSNdkr2TEBKnUYYzK06Gb+vm1uY6Ky9Z2N/mpder/onQ66AXc
beW9AlswPdjQjwmSrw+sEVseGn/lAbFQc66DfafuWlaakkJzCRIWQ8osd8E58A9w
fmvKy3c86NC4cqIeRSXdwOuF2ctMKBcRlPF9oLd9+u+25hUmZjALpxXYkDMQrPwO
PvCfea4BaHM4Dtk/88R+woKl7GhzktV3XmO1zBYBFxQMkxCouUogG1zt4SyNgzZj
aGBb2rCWJFspEk2MUvNy3yG1v1PCGa2ljNjVReJHcajAD0j5InKDdFc5wIFHoQWL
dENiofIM+XPpxjF8S0ZSi9C53NSzA3PhfAxaBsaf5EJK83RUBvhEn45qM1Qf0TCY
ZeU1wSOYCekQrZf+gcHQiBVPK39rfnTUE8Y+NcDccXpI+Gp4EnOT9dgSKaq9R26H
Xqrr0KTnyux/MGG2/g+Uy/VGWxI3fsEMxOMyO0spybix8wSrzUZIkzZfapksC3Hb
E7NNeUsSuNyVxHEmm6yQSaX7BJ77j5u0C88=
=xZbL
-----END PGP SIGNATURE-----
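The "What can you do?" section names one fixed release per OpenSSL branch (1.0.1a, 1.0.0i, 0.9.8v). The following is an added example, not part of the CERT-EU advisory, showing how an administrator might triage an inventory of `openssl version` outputs against those fixed releases. It assumes the OpenSSL version scheme of that era (major.minor.fix plus an optional patch letter, where "1.0.1" is older than "1.0.1a" and "0.9.8z" is older than "0.9.8za"); the host inventory lines are constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per branch, transcribed from the advisory's
# "What can you do?" section. A branch absent from this table is reported
# as unknown rather than guessed at.
FIXED_VERSIONS: Dict[Tuple[int, int, int], str] = {
    (1, 0, 1): "1.0.1a",
    (1, 0, 0): "1.0.0i",
    (0, 9, 8): "0.9.8v",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse "1.0.0g" or a full `openssl version` line such as
    "OpenSSL 1.0.0g 18 Jan 2012" into (major, minor, fix, patch_level).

    Patch letters are mapped to an integer so that
    "" < "a" < "b" < ... < "z" < "za" < "zb", matching OpenSSL's ordering.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    level = 0
    for ch in m.group(4):
        level = level * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, level)


def is_patched_cve_2012_2110(text: str) -> Optional[bool]:
    """True if the version is at or above the fixed release on its branch,
    False if below it, None if the branch is not covered by the advisory."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed is None:
        return None
    return version >= parse_version(fixed)


def triage(inventory_lines: List[str]) -> Dict[str, str]:
    """Classify "host: <openssl version output>" lines for a patch campaign."""
    labels = {True: "patched", False: "vulnerable", None: "unknown-branch"}
    results: Dict[str, str] = {}
    for line in inventory_lines:
        host, _, version_text = line.partition(":")
        host = host.strip()
        try:
            results[host] = labels[is_patched_cve_2012_2110(version_text)]
        except ValueError:
            results[host] = "unparseable"
    return results


# Constructed sample inventory (hostnames and outputs are made up for this example).
SAMPLE_INVENTORY = [
    "web01: OpenSSL 1.0.0g 18 Jan 2012",
    "web02: OpenSSL 1.0.0i 19 Apr 2012",
    "vpn01: OpenSSL 0.9.8r 8 Feb 2011",
    "db01: OpenSSL 1.0.1 14 Mar 2012",
    "legacy01: openssl not installed",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Treat the result as a first pass only: distribution vendors (Red Hat among them) routinely backport security fixes without changing the upstream version string, so a host reported as "vulnerable" here may already carry the fix in its package changelog, and applications that statically link OpenSSL are not covered by the system library's version at all.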