Showing 1 - 1 of 1

Files

OpenSSL Security Advisory 07-Jan-2009: Posted Jan 7, 2009; Site openssl.org; Several functions inside OpenSSL incorrectly checked the result aftercalling the EVP_VerifyFinal function, allowing a malformed signatureto be treated as a good signature rather than as an error. This issueaffected the signature checks on DSA and ECDSA keys used withSSL/TLS.One way to exploit this flaw would be for a remote attacker who is incontrol of a malicious server or who can use a 'man in the middle'attack to present a malformed SSL/TLS signature from a certificate chainto a vulnerable client, bypassing validation.; tags | advisory, remote; advisories | CVE-2008-5077; SHA-256 | 8dbd38114d5639253aa0620ba251aa5bd0a44e9f411e34da95345184528fc4df; Download | Favorite | View

Related Files

Open Source CERT Security Advisory 2008.16: Posted Jan 7, 2009; Authored by Will Drewry, Open Source CERT | Site ocert.org; Several functions inside the OpenSSL library incorrectly check the result after calling the EVP_VerifyFinal function. This bug allows a malformed signature to be treated as a good signature rather than as an error. This issue affects the signature checks on DSA and ECDSA keys used with SSL/TLS. The flaw may be exploited by a malicious server or a man-in-the-middle attack that presents a malformed SSL/TLS signature from a certificate chain to a vulnerable client, bypassing validation.; tags | advisory; advisories | CVE-2008-5077, CVE-2008-0021, CVE-2008-0025; SHA-256 | f5724c1eba1778218b03f1b5af75356b08e95a08bbe2b92274df7f31dea9d59a; Download | Favorite | View

Page 1 of 1 Back 1 Next