From: CERT-EU
Sent: Tuesday 24 January 2012 12:16
Cc: CERT-EU
Subject: Vulnerability in OpenSSL in DTLS applications

Reference: CERT-EU Security Advisory 2012-0006

Title: Vulnerability in OpenSSL in DTLS applications [1]

Version history:
24.01.2012 Initial publication

Summary
=======

OpenSSL 0.9.8s and 1.0.0f do not properly support DTLS applications, which allows remote attackers to cause a denial of service via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) [2]

Remote: Yes
Credibility: Vendor Confirmed
Complexity: Low

Vulnerable systems
==================

Only DTLS applications using OpenSSL 1.0.0f and 0.9.8s are affected.

What can you do?
================

Affected users should upgrade to OpenSSL 1.0.0g or 0.9.8t. Updates for the generic OpenSSL packages are available; please refer to your vendor, Linux distributor, etc. for an update of your flavour of the software.

What to tell your users?
========================

N/A

More information
================

[1] http://www.openssl.org/news/secadv_20120118.txt
[2] http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2
[3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)