[Voptalk] FW: OpenSSL Security Advisory

Fri Oct 12 12:26:49 EDT 2007

> -----Original Message-----
> From: voptalk-bounces at lists.vopsecurity.org 
> [mailto:voptalk-bounces at lists.vopsecurity.org] On Behalf Of 
> Peter Thermos
> Sent: Friday, October 12, 2007 8:43 AM
> To: voptalk at vopsecurity.org
> Subject: [Voptalk] FW: OpenSSL Security Advisory
> 
> I'm forwarding this to the list because it is related to SIPS.
> DTLS is one of the proposed protocols to be used to protect 
> SIP (SIPS).

Right, draft-jennings-sip-dtls-05.txt.

DTLS is also used by DTLS-SRTP to exchange SRTP keys,
draft-ietf-avt-dtls-srtp-00.txt

-d

> Peter
> 
> > -----Original Message-----
> > From: owner-cryptography at metzdowd.com 
> > [mailto:owner-cryptography at metzdowd.com] On Behalf Of Ben Laurie
> > Sent: Friday, October 12, 2007 7:06 AM
> > To: OpenSSL Announce; openssl-users; OpenSSL Dev; Bugtraq; 
> > Cryptography; full-disclosure-request at lists.grok.org.uk
> > Subject: OpenSSL Security Advisory
> > 
> > OpenSSL Security Advisory [12-Oct-2007]
> > 
> > OpenSSL Vulnerabilities
> > -----------------------
> > 
> > Vulnerability A
> > ---------------
> > 
> > Andy Polyakov discovered a flaw in OpenSSL's DTLS 
> > implementation which could lead to the compromise of clients 
> > and servers with DTLS enabled.
> > 
> > DTLS is a datagram variant of TLS specified in RFC 4347 first 
> > supported in OpenSSL version 0.9.8. Note that the 
> > vulnerabilities do not affect SSL and TLS so only clients and 
> > servers explicitly using DTLS are affected.
> > 
> > We believe this flaw will permit remote code execution.
> > 
> > This vulnerability is tracked as CVE-2007-4995.
> > 
> > Versions Affected
> > -----------------
> > 
> > All releases of 0.9.8 prior to 0.9.8f.
> > 
> > Recommendation
> > --------------
> > 
> > Either
> > 
> > a) Upgrade to the latest version of OpenSSL (0.9.8f) and 
> > rebuild all packages using OpenSSL for DTLS.
> > 
> > or,
> > 
> > b) Disable DTLS.
> > 
> > Vulnerability B
> > ---------------
> > 
> > Moritz Jodeit found an off-by-one error in 
> > SSL_get_shared_ciphers(), a function that should normally 
> > only be used for logging or debugging.
> > 
> > The impact of this overflow is unclear.
> > 
> > This vulnerability is tracked as CVE-2007-5135.
> > 
> > Versions Affected
> > -----------------
> > 
> > All releases of 0.9.8 prior to 0.9.8f. All releases of 0.9.7 
> > prior to 0.9.7m.
> > 
> > (Note that versions prior to 0.9.8d and 0.9.7l actually had a 
> > worse problem in the same function).
> > 
> > Recommendation
> > --------------
> > 
> > a) Don't use SSL_get_shared_ciphers().
> > 
> > OR
> > 
> > b) Upgrade to 0.9.8f.
> > 
> > --
> > http://www.apache-ssl.org/ben.html           http://www.links.org/
> > 
> > "There is no limit to what a man can do or how far he can go 
> > if he doesn't mind who gets the credit." - Robert Woodruff
> > 
> ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to 
> > majordomo at metzdowd.com
> 
> _______________________________________________
> - The VoPSecurity Forum -
> 
> To post a message to the mailing list send an email to [
> voptalk_at_lists.vopsecurity.org ] 