Gentoo Forums
[ GLSA 200510-11 ] OpenSSL: SSL 2.0 protocol rollback
GLSA (Advocate)
Joined: 12 May 2004
Posts: 2663

Posted: Wed Oct 12, 2005 12:06 pm    Post subject: [ GLSA 200510-11 ] OpenSSL: SSL 2.0 protocol rollback

Gentoo Linux Security Advisory

Title: OpenSSL: SSL 2.0 protocol rollback (GLSA 200510-11)
Severity: low
Exploitable: remote
Date: October 12, 2005
Updated: November 07, 2005
Bug(s): #108852
ID: 200510-11

Synopsis


When using a specific option, OpenSSL can be forced to fall back to the less
secure SSL 2.0 protocol.


Background


OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport
Layer Security protocols and a general-purpose cryptography library.


Affected Packages

Package: dev-libs/openssl
Vulnerable: < 0.9.7h
Unaffected: >= 0.9.7h
Unaffected: >= 0.9.7g-r1 < 0.9.8
Unaffected: >= 0.9.7e-r2 < 0.9.8
Architectures: All supported architectures


Description


Applications setting the SSL_OP_MSIE_SSLV2_RSA_PADDING option (or the
SSL_OP_ALL option, which implies it) can be forced by a third party to
fall back to the less secure SSL 2.0 protocol, even if both parties
support the more secure SSL 3.0 or TLS 1.0 protocols.


Impact


A man-in-the-middle attacker can weaken the encryption used to
communicate between two parties, potentially revealing sensitive
information.


Workaround


If possible, disable the use of SSL 2.0 in all OpenSSL-enabled
applications.


Resolution


All OpenSSL users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose dev-libs/openssl


References

CAN-2005-2969
OpenSSL security advisory: http://www.openssl.org/news/secadv_20051011.txt


Last edited by GLSA on Wed Jan 14, 2015 4:20 am; edited 3 times in total
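
Added example, not part of the advisory or of OpenSSL: a heuristic source audit for the workaround above. It lists `SSL_CTX_set_options` / `SSL_set_options` calls that pass one of the two options named in the Description on a handle that never also sets `SSL_OP_NO_SSLv2`. Assumptions: `SSL_OP_NO_SSLv2` (OpenSSL's flag for disabling SSL 2.0) is not named on the page, the matching is by handle name only and ignores control flow, and the sample source is constructed.

```python
import re
from collections import defaultdict

RISKY = {"SSL_OP_MSIE_SSLV2_RSA_PADDING", "SSL_OP_ALL"}  # named in the advisory
NO_SSLV2 = "SSL_OP_NO_SSLv2"  # assumption: OpenSSL flag that disables SSL 2.0

COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
CALL = re.compile(
    r"\bSSL(?:_CTX)?_set_options\s*\(\s*([^,()]+?)\s*,([^;]*)\)\s*;", re.S)

def strip_comments(src):
    # Blank out C comments but keep newlines so line numbers stay correct.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def audit(src):
    """Return sorted [(line, handle)] for calls that enable the affected
    option on a handle that never sets SSL_OP_NO_SSLv2 anywhere in src."""
    src = strip_comments(src)
    risky_lines = defaultdict(list)
    protected = set()
    for m in CALL.finditer(src):
        handle = m.group(1)
        flags = set(re.findall(r"\bSSL_OP_\w+", m.group(2)))
        if NO_SSLV2 in flags:
            protected.add(handle)
        if flags & RISKY:
            risky_lines[handle].append(src.count("\n", 0, m.start()) + 1)
    return sorted((ln, h) for h, lines in risky_lines.items()
                  if h not in protected for ln in lines)

# Constructed sample input, not taken from any real project.
SAMPLE = """\
SSL_CTX *a = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(a, SSL_OP_ALL);
SSL_CTX *b = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(b, SSL_OP_ALL | SSL_OP_NO_SSLv2);
SSL_CTX *c = SSL_CTX_new(SSLv23_method());
SSL_CTX_set_options(c, SSL_OP_ALL);
SSL_CTX_set_options(c,
                    SSL_OP_NO_SSLv2);
/* SSL_CTX_set_options(d, SSL_OP_ALL); */
SSL_set_options(ssl, SSL_OP_MSIE_SSLV2_RSA_PADDING | SSL_OP_SINGLE_DH_USE);
"""

if __name__ == "__main__":
    for line, handle in audit(SAMPLE):
        print(f"line {line}: {handle} sets the option without {NO_SSLV2}")
```

A reported line is a prompt for manual review, since the flag may be set through a wrapper or a differently named handle that this name-based match cannot see.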