CVE-2003-0131
CVSS 7.5
Published: 2003-03-24 00:00:00
Last revised: 2016-11-28 14:06:23

[Original] The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack."


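[CNNVD] OpenSSL Bad Version Oracle Side Channel Attack Vulnerability (CNNVD-200303-076)

        A vulnerability exists in the SSL and TLS components of OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a. A remote attacker can use a modified Bleichenbacher attack to perform an unauthorized RSA private key operation. The attack uses a large number of SSL or TLS connections with PKCS #1 v1.5 padding, which may cause OpenSSL to leak information about the relationship between ciphertext and the associated plaintext. It is also known as the "Klima-Pokorny-Rosa attack".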

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:openssl:openssl:0.9.6e    OpenSSL Project OpenSSL 0.9.6e
cpe:/a:openssl:openssl:0.9.6d    OpenSSL Project OpenSSL 0.9.6d
cpe:/a:openssl:openssl:0.9.6c    OpenSSL Project OpenSSL 0.9.6c
cpe:/a:openssl:openssl:0.9.6a    OpenSSL Project OpenSSL 0.9.6a
cpe:/a:openssl:openssl:0.9.7a    OpenSSL Project OpenSSL 0.9.7a
cpe:/a:openssl:openssl:0.9.6    OpenSSL Project OpenSSL 0.9.6
cpe:/a:openssl:openssl:0.9.6b    OpenSSL Project OpenSSL 0.9.6b
cpe:/a:openssl:openssl:0.9.6i    OpenSSL Project OpenSSL 0.9.6i
cpe:/a:openssl:openssl:0.9.6h    OpenSSL Project OpenSSL 0.9.6h
cpe:/a:openssl:openssl:0.9.6g    OpenSSL Project OpenSSL 0.9.6g
cpe:/a:openssl:openssl:0.9.7    OpenSSL Project OpenSSL 0.9.7

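- OVAL (technical details for detection)

oval:org.mitre.oval:def:461    Klima-Pokorny-Rosa Attack Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.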

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0131
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0131
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-076
(Official data source) CNNVD

- Other links and resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-007
ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-014.0.txt
(UNKNOWN)  CALDERA  CSSA-2003-014.0
ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
(UNKNOWN)  SGI  20030501-01-I
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625
(UNKNOWN)  CONECTIVA  CLA-2003:625
http://eprint.iacr.org/2003/052/
(VENDOR_ADVISORY)  MISC  http://eprint.iacr.org/2003/052/
http://lists.apple.com/mhonarc/security-announce/msg00028.html
(UNKNOWN)  CONFIRM  http://lists.apple.com/mhonarc/security-announce/msg00028.html
http://marc.info/?l=bugtraq&m=104811162730834&w=2
(UNKNOWN)  BUGTRAQ  20030319 [OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding
http://marc.info/?l=bugtraq&m=104852637112330&w=2
(UNKNOWN)  BUGTRAQ  20030324 GLSA: openssl (200303-20)
http://marc.info/?l=bugtraq&m=104878215721135&w=2
(UNKNOWN)  TRUSTIX  2003-0013
http://www.debian.org/security/2003/dsa-288
(UNKNOWN)  DEBIAN  DSA-288
http://www.gentoo.org/security/en/glsa/glsa-200303-20.xml
(UNKNOWN)  GENTOO  GLSA-200303-20
http://www.kb.cert.org/vuls/id/888801
(VENDOR_ADVISORY)  CERT-VN  VU#888801
http://www.mandriva.com/security/advisories?name=MDKSA-2003:035
(UNKNOWN)  MANDRAKE  MDKSA-2003:035
http://www.openpkg.org/security/OpenPKG-SA-2003.026-openssl.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2003.026
http://www.openssl.org/news/secadv_20030319.txt
(UNKNOWN)  CONFIRM  http://www.openssl.org/news/secadv_20030319.txt
http://www.redhat.com/support/errata/RHSA-2003-101.html
(UNKNOWN)  REDHAT  RHSA-2003:101
http://www.redhat.com/support/errata/RHSA-2003-102.html
(UNKNOWN)  REDHAT  RHSA-2003:102
http://www.securityfocus.com/archive/1/archive/1/316577/30/25310/threaded
(UNKNOWN)  BUGTRAQ  20030327 Immunix Secured OS 7+ openssl update
http://www.securityfocus.com/bid/7148
(VENDOR_ADVISORY)  BID  7148
http://xforce.iss.net/xforce/xfdb/11586
(VENDOR_ADVISORY)  XF  ssl-premaster-information-leak(11586)
https://lists.opensuse.org/opensuse-security-announce/2003-04/msg00005.html
(UNKNOWN)  SUSE  SuSE-SA:2003:024

- Vulnerability information

OpenSSL Bad Version Oracle Side Channel Attack Vulnerability
High risk  Design error
2003-03-24 00:00:00 2005-10-20 00:00:00
Remote

- Vulnerability information

3946
OpenSSL RSA Klima-Pokorny-Rosa Attack
Local Access Required, Remote / Network Access Authentication Management, Cryptographic
Loss of Confidentiality
Exploit Public

- Vulnerability description

OpenSSL's implementation of RSA is vulnerable to the Klima-Pokorny-Rosa attack, allowing an attacker to perform one private key operation on chosen ciphertext using the server's private RSA key. A variant of the Bleichenbacher attack, this attack aims to compromise the premaster-secret value from which session keys are derived. This attack targets OpenSSL's implementation of RSA with PKCS #1 v1.5 padding used in SSL 3.0 and TLS 1.0.

- Timeline

2003-03-19 Unknown
2003-03-19 Unknown

- Solution

Upgrade to version 0.9.6j, 0.9.7b, or higher, and recompile any applications that were compiled statically with OpenSSL. This has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch to versions 0.9.6b through 0.9.6i, 0.9.7, and 0.9.7a. Versions prior to 0.9.6b must upgrade.

- Related references

- Vulnerability author

- Vulnerability information

OpenSSL Bad Version Oracle Side Channel Attack Vulnerability
Design Error 7148
Yes No
2003-03-19 12:00:00 2009-07-11 09:06:00
Discovery credited to Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa.

- Affected software versions

Sun Cobalt RaQ XTR
Sun Cobalt RaQ 550
Sun Cobalt RaQ 4
Sun Cobalt Qube 3
SGI IRIX 6.5.19
SCO Open Server 5.0.7
SCO Open Server 5.0.6
SCO Open Server 5.0.5
Oracle Oracle9i Standard Edition 9.2
Oracle Oracle9i Standard Edition 9.0.1
Oracle Oracle9i Standard Edition 8.1.7
Oracle Oracle9i Personal Edition 9.2
Oracle Oracle9i Personal Edition 9.0.1
Oracle Oracle9i Personal Edition 8.1.7
Oracle Oracle9i Enterprise Edition 9.2 .0
Oracle Oracle9i Enterprise Edition 9.0.1
Oracle Oracle9i Enterprise Edition 8.1.7
Oracle Oracle9i Application Server 9.0.3
Oracle Oracle9i Application Server 9.0.2
Oracle Oracle9i Application Server 1.0.2 .2
Oracle Oracle9i Application Server 1.0.2 .1s
Oracle Oracle HTTP Server 9.2 .0
+ Apache Software Foundation Apache 1.3.22
Oracle Oracle HTTP Server 9.0.1
Oracle Oracle HTTP Server 8.1.7
+ Apache Software Foundation Apache 1.3.12
+ Oracle Oracle8 8.1.7
+ Oracle Oracle8i Enterprise Edition 8.1.7 .0.0
+ Oracle Oracle8i Standard Edition 8.1.7
OpenSSL Project OpenSSL 0.9.7 a
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG Current
OpenSSL Project OpenSSL 0.9.7
+ Caldera OpenUnix 8.0
+ Caldera UnixWare 7.1.3
+ Caldera UnixWare 7.1.1
+ FreeBSD FreeBSD 5.0
+ OpenBSD OpenBSD 3.2
+ OpenPKG OpenPKG 1.2
OpenSSL Project OpenSSL 0.9.6 i
+ HP Apache-Based Web Server 1.3.27 .01
+ HP Apache-Based Web Server 1.3.27 .00
+ HP HP-UX Apache-Based Web Server 1.0.1 .01
+ HP HP-UX Apache-Based Web Server 1.0 .07.01
+ HP HP-UX Apache-Based Web Server 1.0 .06.02
+ HP HP-UX Apache-Based Web Server 1.0 .06.01
+ HP HP-UX Apache-Based Web Server 1.0 .05.01
+ HP HP-UX Apache-Based Web Server 1.0 .04.01
+ HP HP-UX Apache-Based Web Server 1.0 .03.01
+ HP HP-UX Apache-Based Web Server 1.0 .02.01
+ HP HP-UX Apache-Based Web Server 1.0 .01
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.0
+ S.u.S.E. Linux Personal 8.2
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 g
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 4.7 -RELEASE
+ FreeBSD FreeBSD 4.7
+ HP Apache-Based Web Server 2.0.43 .04
+ HP Apache-Based Web Server 2.0.43 .00
+ HP Webmin-Based Admin 1.0 .01
+ Immunix Immunix OS 7+
+ NetBSD NetBSD 1.6
+ OpenPKG OpenPKG 1.1
OpenSSL Project OpenSSL 0.9.6 e
+ FreeBSD FreeBSD 4.6 -RELEASE
+ FreeBSD FreeBSD 4.6
OpenSSL Project OpenSSL 0.9.6 d
+ Slackware Linux 8.1
OpenSSL Project OpenSSL 0.9.6 c
+ Conectiva Linux 8.0
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Mandriva Linux Mandrake 8.2
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
OpenSSL Project OpenSSL 0.9.6 b
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ OpenBSD OpenBSD 3.1
+ OpenBSD OpenBSD 3.0
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i686
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux Advanced Work Station 2.1
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server 0
+ S.u.S.E. Linux Firewall on CD
+ S.u.S.E. Office Server
+ S.u.S.E. SuSE eMail Server III
+ Sun Linux 5.0.7
+ Sun Linux 5.0.6
+ Sun Linux 5.0.5
+ Sun Linux 5.0.3
+ Sun Linux 5.0
+ SuSE SUSE Linux Enterprise Server 7
OpenSSL Project OpenSSL 0.9.6 a
+ Conectiva Linux 7.0
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
OpenSSL Project OpenSSL 0.9.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 6.0
+ EnGarde Secure Linux 1.0.1
+ HP Secure OS software for Linux 1.0
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ NetBSD NetBSD 1.6 beta
+ NetBSD NetBSD 1.6
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
+ OpenBSD OpenBSD 2.9
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
GNU Transport Layer Security Library 0.8.4
GNU Transport Layer Security Library 0.8.3
GNU Transport Layer Security Library 0.8.2
GNU Transport Layer Security Library 0.8.1
GNU Transport Layer Security Library 0.8 .0
F5 BigIP 4.5
F5 BigIP 4.4
F5 BigIP 4.3
F5 BigIP 4.2
F5 BIG-IP Blade Controller 4.2.3 PTF-01
F5 3-DNS 4.5
F5 3-DNS 4.4
F5 3-DNS 4.3
F5 3-DNS 4.2
Computer Associates eTrust Security Command Center 1.0
Compaq Tru64 5.1 b
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f
Compaq OpenVMS 7.3 VAX
Compaq OpenVMS 7.3 Alpha
Compaq OpenVMS 7.2.1 Alpha
Compaq OpenVMS 7.2 -2 Alpha
Compaq OpenVMS 7.2 -1H2 Alpha
Compaq OpenVMS 7.2 -1H1 Alpha
Compaq OpenVMS 7.2 VAX
Compaq OpenVMS 7.2 Alpha
Compaq OpenVMS 7.1 -2 Alpha
Compaq OpenVMS 7.1 VAX
Compaq OpenVMS 7.1 Alpha
Compaq OpenVMS 6.2 VAX
Compaq OpenVMS 6.2 Alpha
Compaq OpenVMS 6.2
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2

- Unaffected software versions

OpenSSL Project OpenSSL 0.9.7 b
+ OpenPKG OpenPKG 1.3
OpenSSL Project OpenSSL 0.9.6 j
HP HP-UX Apache-Based Web Server 1.0 .07.01
HP HP-UX Apache-Based Web Server 1.0 .03.01
HP Apache-Based Web Server 1.3.27 .02
GNU Transport Layer Security Library 0.8.5
Apple Mac OS X Server 10.2.5
Apple Mac OS X 10.2.5

- Vulnerability discussion

A problem with OpenSSL may leak sensitive information. A user could abuse the response of vulnerable servers to act as an oracle. By sending a large number of adaptive attacks, the possibility exists for a remote user to create a choice of ciphertext encrypted with the private key of the server.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

It is reported that certain versions of Computer Associates eTrust Security Command Center are prone to this vulnerability. Customers are advised to contact the vendor for further information pertaining to obtaining and applying appropriate updates.

SGI have released an advisory (20030501-01-I) which contains a fix to address this issue.

SGI have released an advisory (20030501-01-I), which contains fix information to address this issue.

Hewlett-Packard have released an advisory (HPSBUX0304-0255 rev. 2) which contains fix information to address this issue.

Sorcerer Linux has released an advisory. Affected users are advised to issue the following commands to update the system:

augur synch && augur update

Gentoo has released openssl-0.9.6i-r2 which addresses this issue. Users are advised to upgrade by performing the following commands:

emerge sync
emerge openssl
emerge clean

NetBSD has made a source tree fix available, and has addressed this issue in NetBSD advisory 2003-007. See referenced advisory for additional details.

Trustix has released advisory 2003-0013 to address this issue.

Red Hat has released an advisory (RHSA-2003:101-01). Information about obtaining and applying fixes is available in the referenced advisory.

This issue is addressed in MacOS X 10.2.5. This update can be applied via the Software Update pane in System Preferences. Releases prior to 10.2.5 shipped with a vulnerable version of OpenSSL.

Debian has released a security advisory (DSA 288-1) containing fixes which address this and other issues. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

F5 has released a patch which addresses this issue in their vulnerable products. A patch and further information can be obtained from the following location:

http://tech.f5.com/home/bigip/solutions/security/sol2379.html

GNU Transport Layer Security Library 0.8.5 has been made available which addresses this issue.

Ingrian Networks has reported that some products may be affected by this vulnerability. Users are advised to contact their vendor representatives or visit the http://www.ingrian.com/support/ webpage.

Mirapoint has reported that various products may be affected by this vulnerability. A patch (D3_SSL) is available which addresses this issue and can be obtained by visiting the http://support.mirapoint.com/ webpage.

HP has released SSL updates for OpenVMS systems. Please see the attached HP OpenVMS advisory (SSRT3499, SSRT3518) for details on obtaining and applying fixes. HP has also released an advisory for Tru64 UNIX systems that contains details about obtaining and applying patches. Please see advisory SSRT3499, SSRT3518 (Tru64) for further information.

SCO has released CSSA-2003-SCO.29 to address this and other issues in gwxlibs components for OpenServer. Please see CSSA-2003-SCO.29 for more details on obtaining and applying fixes.

Oracle has released an advisory and patches to address this issue. Users are advised to obtain patches from the Oracle metalink site listed in references.

Fixes available:

Sun Cobalt RaQ 4
Sun Cobalt RaQ 550
Sun Cobalt RaQ XTR
Sun Cobalt Qube 3
GNU Transport Layer Security Library 0.8 .0
GNU Transport Layer Security Library 0.8.1
GNU Transport Layer Security Library 0.8.2
GNU Transport Layer Security Library 0.8.3
GNU Transport Layer Security Library 0.8.4
OpenSSL Project OpenSSL 0.9.6 d
OpenSSL Project OpenSSL 0.9.6 c
OpenSSL Project OpenSSL 0.9.6 e
OpenSSL Project OpenSSL 0.9.6 h
OpenSSL Project OpenSSL 0.9.6 a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6 b
OpenSSL Project OpenSSL 0.9.6 g
OpenSSL Project OpenSSL 0.9.6 i
OpenSSL Project OpenSSL 0.9.7 a
OpenSSL Project OpenSSL 0.9.7
Apple Mac OS X Server 10.2
Apple Mac OS X 10.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2.2
Apple Mac OS X Server 10.2.2
Apple Mac OS X 10.2.3
Apple Mac OS X Server 10.2.3
Apple Mac OS X 10.2.4
Apple Mac OS X Server 10.2.4
SGI IRIX 6.5.19

- Related references

 

 
