Executive Summary
Summary | |
---|---|
Title | New OpenSSL 0.9.6 packages fix cryptographic weakness |
Informations | |||
---|---|---|---|
Name | DSA-881 | First vendor Publication | 2005-11-04 |
Vendor | Debian | Last vendor Modification | 2005-11-04 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer (OpenSSL) library that can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0. The following matrix explains which version in which distribution has this problem corrected. oldstable (woody) stable (sarge) unstable (sid) openssl 0.9.6c-2.woody.8 0.9.7e-3sarge1 0.9.8-3 openssl 094 0.9.4-6.woody.4 n/a n/a openssl 095 0.9.5a-6.woody.6 n/a n/a openssl 096 n/a 0.9.6m-1sarge1 n/a openssl 097 n/a n/a 0.9.7g-5 We recommend that you upgrade your libssl packages. |
Original Source
Url : http://www.debian.org/security/2005/dsa-881 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-220 | Client-Server Protocol Manipulation |
CWE : Common Weakness Enumeration
% | Id | Name |
---|
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11454 | |||
Oval ID: | oval:org.mitre.oval:def:11454 | ||
Title: | The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. | ||
Description: | The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-2969 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-10-10 | Name : SLES9: Security update for OpenSSL File : nvt/sles9p5012506.nasl |
2009-06-03 | Name : Solaris Update for kernel 120011-14 File : nvt/gb_solaris_120011_14.nasl |
2009-06-03 | Name : Solaris Update for kernel 127128-11 File : nvt/gb_solaris_127128_11.nasl |
2009-05-05 | Name : HP-UX Update for Apache Remote Execution of Arbitrary Code HPSBUX02186 File : nvt/gb_hp_ux_HPSBUX02186.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200510-11 (OpenSSL) File : nvt/glsa_200510_11.nasl |
2008-09-04 | Name : FreeBSD Ports: openssl, openssl-overwrite-base File : nvt/freebsd_openssl0.nasl |
2008-09-04 | Name : FreeBSD Security Advisory (FreeBSD-SA-05:21.openssl.asc) File : nvt/freebsdsa_openssl2.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 875-1 (openssl094) File : nvt/deb_875_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 881-1 (openssl096) File : nvt/deb_881_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 882-1 (openssl095) File : nvt/deb_882_1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 888-1 (openssl) File : nvt/deb_888_1.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2005-286-01 OpenSSL File : nvt/esoft_slk_ssa_2005_286_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
19919 | OpenSSL SSL_OP_ALL SSL 2.0 Verification Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL5533.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-762.nasl - Type : ACT_GATHER_INFO |
2012-01-04 | Name : The remote server is vulnerable to man-in-the-middle attacks. File : openssl_0_9_7h_0_9_8a.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0629.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0525.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0264.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-875.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-881.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-882.nasl - Type : ACT_GATHER_INFO |
2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-888.nasl - Type : ACT_GATHER_INFO |
2006-07-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-800.nasl - Type : ACT_GATHER_INFO |
2006-05-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_60e26a403b2511da948400123ffe8333.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-204-1.nasl - Type : ACT_GATHER_INFO |
2005-11-30 | Name : The remote operating system is missing a vendor-supplied patch. File : macosx_SecUpd2005-009.nasl - Type : ACT_GATHER_INFO |
2005-10-20 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2005_061.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-179.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200510-11.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-800.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Fedora Core host is missing one or more security updates. File : fedora_2005-986.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Fedora Core host is missing one or more security updates. File : fedora_2005-985.nasl - Type : ACT_GATHER_INFO |
2005-10-19 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2005-286-01.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:34:36 |
|