SynopsisThe remote FreeBSD host is missing one or more security-related updates.
DescriptionSeveral problems have been found in OpenSSL :
- During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop.
- A buffer overflow exists in the SSL_get_shared_ciphers function.
- A NULL pointer may be dereferenced in the SSL version 2 client code.
In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used. Impact : Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack.
An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.
A malicious SSL server can cause clients connecting using SSL version 2 to crash.
Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack. Workaround : No workaround is available, but not all of the vulnerabilities mentioned affect all applications.
SolutionUpdate the affected packages.