rpm package
opensuse/openssl-1_1&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/openssl-1_1&distro=openSUSE%20Tumbleweed
Vulnerabilities (157)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2009-1386 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Jun 4, 2009 | ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. | ||
| CVE-2009-1379 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | May 19, 2009 | Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a | ||
| CVE-2009-1378 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | May 19, 2009 | Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much | ||
| CVE-2009-1377 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | May 19, 2009 | The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitati | ||
| CVE-2009-0789 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Mar 27, 2009 | OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, | ||
| CVE-2009-0591 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Mar 27, 2009 | The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. | ||
| CVE-2009-0590 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Mar 27, 2009 | The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. | ||
| CVE-2008-5077 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Jan 7, 2009 | OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. | ||
| CVE-2008-1672 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | May 29, 2008 | OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference. | ||
| CVE-2008-0891 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | May 29, 2008 | Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information. | ||
| CVE-2007-5135 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 27, 2007 | Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a | ||
| CVE-2007-3108 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Aug 8, 2007 | The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. | ||
| CVE-2006-4343 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 28, 2006 | The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. | ||
| CVE-2006-3738 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 28, 2006 | Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. | ||
| CVE-2006-2940 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 28, 2006 | OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to proces | ||
| CVE-2006-2937 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 28, 2006 | OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. | ||
| CVE-2006-4339 | — | < 1.1.1l-1.2 | 1.1.1l-1.2 | Sep 5, 2006 | OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from cor |
- CVE-2009-1386Jun 4, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.
- CVE-2009-1379May 19, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a
- CVE-2009-1378May 19, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much
- CVE-2009-1377May 19, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitati
- CVE-2009-0789Mar 27, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate,
- CVE-2009-0591Mar 27, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.
- CVE-2009-0590Mar 27, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.
- CVE-2008-5077Jan 7, 2009affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
- CVE-2008-1672May 29, 2008affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference.
- CVE-2008-0891May 29, 2008affected < 1.1.1l-1.2fixed 1.1.1l-1.2
Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.
- CVE-2007-5135Sep 27, 2007affected < 1.1.1l-1.2fixed 1.1.1l-1.2
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a
- CVE-2007-3108Aug 8, 2007affected < 1.1.1l-1.2fixed 1.1.1l-1.2
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
- CVE-2006-4343Sep 28, 2006affected < 1.1.1l-1.2fixed 1.1.1l-1.2
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
- CVE-2006-3738Sep 28, 2006affected < 1.1.1l-1.2fixed 1.1.1l-1.2
Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.
- CVE-2006-2940Sep 28, 2006affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to proces
- CVE-2006-2937Sep 28, 2006affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
- CVE-2006-4339Sep 5, 2006affected < 1.1.1l-1.2fixed 1.1.1l-1.2
OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from cor
Page 8 of 8