ID CVE-2010-4180
Summary OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
References
Vulnerable Configurations
  • OpenSSL Project OpenSSL 0.9.8i
    cpe:2.3:a:openssl:openssl:0.9.8i
  • OpenSSL Project OpenSSL 0.9.8j
    cpe:2.3:a:openssl:openssl:0.9.8j
  • OpenSSL Project OpenSSL 0.9.8h
    cpe:2.3:a:openssl:openssl:0.9.8h
  • OpenSSL Project OpenSSL 0.9.8o
    cpe:2.3:a:openssl:openssl:0.9.8o
  • OpenSSL Project OpenSSL 0.9.8
    cpe:2.3:a:openssl:openssl:0.9.8
  • OpenSSL Project OpenSSL 0.9.8a
    cpe:2.3:a:openssl:openssl:0.9.8a
  • OpenSSL Project OpenSSL 0.9.8e
    cpe:2.3:a:openssl:openssl:0.9.8e
  • OpenSSL Project OpenSSL 0.9.8m
    cpe:2.3:a:openssl:openssl:0.9.8m
  • OpenSSL Project OpenSSL 0.9.8c
    cpe:2.3:a:openssl:openssl:0.9.8c
  • OpenSSL Project OpenSSL 0.9.8b
    cpe:2.3:a:openssl:openssl:0.9.8b
  • OpenSSL Project OpenSSL 0.9.8k
    cpe:2.3:a:openssl:openssl:0.9.8k
  • OpenSSL Project OpenSSL 0.9.8d
    cpe:2.3:a:openssl:openssl:0.9.8d
  • OpenSSL Project OpenSSL 0.9.8g
    cpe:2.3:a:openssl:openssl:0.9.8g
  • OpenSSL Project OpenSSL 0.9.8f
    cpe:2.3:a:openssl:openssl:0.9.8f
  • OpenSSL Project OpenSSL 0.9.8l
    cpe:2.3:a:openssl:openssl:0.9.8l
  • OpenSSL Project OpenSSL 0.9.8p
    cpe:2.3:a:openssl:openssl:0.9.8p
  • OpenSSL Project OpenSSL 0.9.7 Beta6
    cpe:2.3:a:openssl:openssl:0.9.7:beta6
  • OpenSSL Project OpenSSL 0.9.7a
    cpe:2.3:a:openssl:openssl:0.9.7a
  • OpenSSL Project OpenSSL 0.9.7 Beta4
    cpe:2.3:a:openssl:openssl:0.9.7:beta4
  • OpenSSL Project OpenSSL 0.9.7 Beta5
    cpe:2.3:a:openssl:openssl:0.9.7:beta5
  • OpenSSL Project OpenSSL 0.9.7d
    cpe:2.3:a:openssl:openssl:0.9.7d
  • OpenSSL Project OpenSSL 0.9.7e
    cpe:2.3:a:openssl:openssl:0.9.7e
  • OpenSSL Project OpenSSL 0.9.7b
    cpe:2.3:a:openssl:openssl:0.9.7b
  • OpenSSL Project OpenSSL 0.9.7c
    cpe:2.3:a:openssl:openssl:0.9.7c
  • OpenSSL Project OpenSSL 0.9.7h
    cpe:2.3:a:openssl:openssl:0.9.7h
  • OpenSSL Project OpenSSL 0.9.7i
    cpe:2.3:a:openssl:openssl:0.9.7i
  • OpenSSL Project OpenSSL 0.9.7f
    cpe:2.3:a:openssl:openssl:0.9.7f
  • OpenSSL Project OpenSSL 0.9.7g
    cpe:2.3:a:openssl:openssl:0.9.7g
  • OpenSSL Project OpenSSL 0.9.7j
    cpe:2.3:a:openssl:openssl:0.9.7j
  • OpenSSL Project OpenSSL 0.9.7k
    cpe:2.3:a:openssl:openssl:0.9.7k
  • OpenSSL Project OpenSSL 0.9.7l
    cpe:2.3:a:openssl:openssl:0.9.7l
  • OpenSSL Project OpenSSL 0.9.7m
    cpe:2.3:a:openssl:openssl:0.9.7m
  • OpenSSL Project OpenSSL 0.9.7 beta1
    cpe:2.3:a:openssl:openssl:0.9.7:beta1
  • OpenSSL Project OpenSSL 0.9.7
    cpe:2.3:a:openssl:openssl:0.9.7
  • OpenSSL Project OpenSSL 0.9.7 beta3
    cpe:2.3:a:openssl:openssl:0.9.7:beta3
  • OpenSSL Project OpenSSL 0.9.7 beta2
    cpe:2.3:a:openssl:openssl:0.9.7:beta2
  • OpenSSL Project OpenSSL 0.9.6a
    cpe:2.3:a:openssl:openssl:0.9.6a
  • OpenSSL Project OpenSSL 0.9.6a Beta1
    cpe:2.3:a:openssl:openssl:0.9.6a:beta1
  • OpenSSL Project OpenSSL 0.9.6a Beta2
    cpe:2.3:a:openssl:openssl:0.9.6a:beta2
  • OpenSSL Project OpenSSL 0.9.6a Beta3
    cpe:2.3:a:openssl:openssl:0.9.6a:beta3
  • OpenSSL Project OpenSSL 0.9.6
    cpe:2.3:a:openssl:openssl:0.9.6
  • OpenSSL Project OpenSSL 0.9.6 Beta1
    cpe:2.3:a:openssl:openssl:0.9.6:beta1
  • OpenSSL Project OpenSSL 0.9.6 Beta2
    cpe:2.3:a:openssl:openssl:0.9.6:beta2
  • OpenSSL Project OpenSSL 0.9.6 Beta3
    cpe:2.3:a:openssl:openssl:0.9.6:beta3
  • OpenSSL Project OpenSSL 0.9.6g
    cpe:2.3:a:openssl:openssl:0.9.6g
  • OpenSSL Project OpenSSL 0.9.6f
    cpe:2.3:a:openssl:openssl:0.9.6f
  • OpenSSL Project OpenSSL 0.9.6i
    cpe:2.3:a:openssl:openssl:0.9.6i
  • OpenSSL Project OpenSSL 0.9.6h
    cpe:2.3:a:openssl:openssl:0.9.6h
  • OpenSSL Project OpenSSL 0.9.6c
    cpe:2.3:a:openssl:openssl:0.9.6c
  • OpenSSL Project OpenSSL 0.9.6b
    cpe:2.3:a:openssl:openssl:0.9.6b
  • OpenSSL Project OpenSSL 0.9.6e
    cpe:2.3:a:openssl:openssl:0.9.6e
  • OpenSSL Project OpenSSL 0.9.6d
    cpe:2.3:a:openssl:openssl:0.9.6d
  • OpenSSL Project OpenSSL 0.9.6k
    cpe:2.3:a:openssl:openssl:0.9.6k
  • OpenSSL Project OpenSSL 0.9.6j
    cpe:2.3:a:openssl:openssl:0.9.6j
  • OpenSSL Project OpenSSL 0.9.6m
    cpe:2.3:a:openssl:openssl:0.9.6m
  • OpenSSL Project OpenSSL 0.9.6l
    cpe:2.3:a:openssl:openssl:0.9.6l
  • OpenSSL Project OpenSSL 0.9.5 Beta2
    cpe:2.3:a:openssl:openssl:0.9.5:beta2
  • OpenSSL Project OpenSSL 0.9.5a
    cpe:2.3:a:openssl:openssl:0.9.5a
  • OpenSSL Project OpenSSL 0.9.5a Beta1
    cpe:2.3:a:openssl:openssl:0.9.5a:beta1
  • OpenSSL Project OpenSSL 0.9.5a Beta2
    cpe:2.3:a:openssl:openssl:0.9.5a:beta2
  • OpenSSL Project OpenSSL 0.9.5
    cpe:2.3:a:openssl:openssl:0.9.5
  • OpenSSL Project OpenSSL 0.9.5 Beta1
    cpe:2.3:a:openssl:openssl:0.9.5:beta1
  • OpenSSL Project OpenSSL 0.9.4
    cpe:2.3:a:openssl:openssl:0.9.4
  • OpenSSL Project OpenSSL 0.9.3a
    cpe:2.3:a:openssl:openssl:0.9.3a
  • OpenSSL Project OpenSSL 0.9.3
    cpe:2.3:a:openssl:openssl:0.9.3
  • OpenSSL Project OpenSSL 0.9.2b
    cpe:2.3:a:openssl:openssl:0.9.2b
  • OpenSSL Project OpenSSL 0.9.1c
    cpe:2.3:a:openssl:openssl:0.9.1c
  • OpenSSL Project OpenSSL 0.9.8n
    cpe:2.3:a:openssl:openssl:0.9.8n
  • OpenSSL Project OpenSSL 1.0.0 Beta1
    cpe:2.3:a:openssl:openssl:1.0.0:beta1
  • OpenSSL Project OpenSSL 1.0.0
    cpe:2.3:a:openssl:openssl:1.0.0
  • OpenSSL Project OpenSSL 1.0.0 Beta5
    cpe:2.3:a:openssl:openssl:1.0.0:beta5
  • OpenSSL Project OpenSSL 1.0.0 Beta3
    cpe:2.3:a:openssl:openssl:1.0.0:beta3
  • OpenSSL Project OpenSSL 1.0.0b
    cpe:2.3:a:openssl:openssl:1.0.0b
  • OpenSSL Project OpenSSL 1.0.0 Beta4
    cpe:2.3:a:openssl:openssl:1.0.0:beta4
  • OpenSSL Project OpenSSL 1.0.0 Beta2
    cpe:2.3:a:openssl:openssl:1.0.0:beta2
  • OpenSSL Project OpenSSL 1.0.0a
    cpe:2.3:a:openssl:openssl:1.0.0a
CVSS
Base: 4.3 (as of 07-12-2010 - 14:27)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0013.NASL
    description a. vCenter and ESX update to JRE 1.6.0 Update 31 The Oracle (Sun) JRE is updated to version 1.6.0_31, which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012. b. vCenter Update Manager update to JRE 1.5.0 Update 36 The Oracle (Sun) JRE is updated to 1.5.0_36 to address multiple security issues. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_36 in the Oracle Java SE Critical Patch Update Advisory for June 2012. c. Update to ESX/ESXi userworld OpenSSL library The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4180, CVE-2010-4252, CVE-2011-0014, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, and CVE-2012-0050 to these issues. d. Update to ESX service console OpenSSL RPM The service console OpenSSL RPM is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue. e. Update to ESX service console kernel The ESX service console kernel is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1833, CVE-2011-2484, CVE-2011-2496, CVE-2011-3188, CVE-2011-3209, CVE-2011-3363, CVE-2011-4110, CVE-2011-1020, CVE-2011-4132, CVE-2011-4324, CVE-2011-4325, CVE-2012-0207, CVE-2011-2699, and CVE-2012-1583 to these issues. f. Update to ESX service console Perl RPM The ESX service console Perl RPM is updated to perl-5.8.8.32.1.8999.vmw to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2761, CVE-2010-4410, and CVE-2011-3597 to these issues. g. Update to ESX service console libxml2 RPMs The ESX service console libmxl2 RPMs are updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0841 to this issue. h. Update to ESX service console glibc RPM The ESX service console glibc RPM is updated to version glibc-2.5-81.el5_8.1 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-5029, CVE-2009-5064, CVE-2010-0830, CVE-2011-1089, CVE-2011-4609, and CVE-2012-0864 to these issue. i. Update to ESX service console GnuTLS RPM The ESX service console GnuTLS RPM is updated to version 1.4.1-7.el5_8.2 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-4128, CVE-2012-1569, and CVE-2012-1573 to these issues. j. Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS The ESX service console popt, rpm, rpm-libs, and rpm-python RPMS are updated to the following versions to resolve multiple security issues : - popt-1.10.2.3-28.el5_8 - rpm-4.4.2.3-28.el5_8 - rpm-libs-4.4.2.3-28.el5_8 - rpm-python-4.4.2.3-28.el5_8 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0060, CVE-2012-0061, and CVE-2012-0815 to these issues. k. Vulnerability in third-party Apache Struts component The version of Apache Struts in vCenter Operations has been updated to 2.3.4 which addresses an arbitrary file overwrite vulnerability. This vulnerability allows an attacker to create a denial of service by overwriting arbitrary files without authentication. The attacker would need to be on the same network as the system where vCOps is installed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-0393 to this issue. Note: Apache struts 2.3.4 addresses the following issues as well : CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0394. It was found that these do not affect vCOps. VMware would like to thank Alexander Minozhenko from ERPScan for reporting this issue to us.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 61747
    published 2012-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61747
    title VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0007.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv everywhere instead of getenv (#839735) - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio (#814185) - fix problem with the SGC restart patch that might terminate handshake incorrectly - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4109 - double free in policy checks (#771771) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) - add known answer test for SHA2 algorithms (#740866) - make default private key length in certificate Makefile 2048 bits (can be changed with PRIVATE_KEY_BITS setting) (#745410) - fix incorrect return value in parse_yesno (#726593) - added DigiCert CA certificates to ca-bundle (#735819) - added a new section about error states to README.FIPS (#628976) - add missing DH_check_pub_key call when DH key is computed (#698175) - presort list of ciphers available in SSL (#688901) - accept connection in s_server even if getaddrinfo fails (#561260) - point to openssl dgst for list of supported digests (#608639) - fix handling of future TLS versions (#599112) - added VeriSign Class 3 Public Primary Certification Authority - G5 and StartCom Certification Authority certs to ca-bundle (#675671, #617856) - upstream fixes for the CHIL engine (#622003, #671484) - add SHA-2 hashes in SSL_library_init (#676384) - fix CVE-2010-4180 - completely disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462) - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924) - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which in the RHEL-5 and newer versions will crash in such case (#569774) - fix CVE-2009-3555 - support the safe renegotiation extension and do not allow legacy renegotiation on the server by default (#533125) - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197) - fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data is called prematurely by application (#546707)
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 79531
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79531
    title OracleVM 2.2 : openssl (OVMSA-2014-0007)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-248.NASL
    description A vulnerability was discovered and corrected in openssl : OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of an unintended cipher via vectors involving sniffing network traffic to discover a session identifier (CVE-2010-4180). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct this issue.
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 51070
    published 2010-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51070
    title Mandriva Linux Security Advisory : openssl (MDVSA-2010:248)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-340-01.NASL
    description New openssl packages are available for Slackware 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.
    last seen 2018-09-01
    modified 2018-06-27
    plugin id 51063
    published 2010-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51063
    title Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : openssl (SSA:2010-340-01)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101213_OPENSSL_ON_SL6_X.NASL
    description A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2012-08-01
    plugin id 60922
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60922
    title Scientific Linux Security Update : openssl on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_LIBCURL4-8618.NASL
    description This update of curl fixes several security issues : - libcurl URL decode buffer boundary flaw. (bnc#824517 / CVE-2013-2174) - cookie domain tailmatch. (bnc#814655 / CVE-2013-1944) - curl sets SSL_OP_ALL. (bnc#742306 / CVE-2011-3389) - When SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. (CVE-2010-4180)
    last seen 2018-09-01
    modified 2013-08-01
    plugin id 67223
    published 2013-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67223
    title SuSE 10 Security Update : libcurl4 (ZYPP Patch Number 8618)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_CURL-120124.NASL
    description The following vulnerabilities have been fixed in curl : - IMAP, POP3 and SMTP URL sanitization vulnerability (CVE-2012-0036) - disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (CVE-2011-3389) - disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option for older openssl versions (CVE-2010-4180)
    last seen 2018-09-01
    modified 2018-07-31
    plugin id 75806
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75806
    title openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201110-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201110-01 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker could cause a Denial of Service, possibly execute arbitrary code, bypass intended key requirements, force the downgrade to unintended ciphers, bypass the need for knowledge of shared secrets and successfully authenticate, bypass CRL validation, or obtain sensitive information in applications that use OpenSSL. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2018-07-11
    plugin id 56425
    published 2011-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56425
    title GLSA-201110-01 : OpenSSL: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0977.NASL
    description Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-02
    modified 2018-07-25
    plugin id 51155
    published 2010-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51155
    title RHEL 4 : openssl (RHSA-2010:0977)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_COMPAT-OPENSSL097G-7645.NASL
    description This update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen 2018-09-02
    modified 2016-12-22
    plugin id 57170
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57170
    title SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7645)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSL-7463.NASL
    description Malicious clients could have downgraded a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180). This has been fixed.
    last seen 2018-09-02
    modified 2012-06-14
    plugin id 53640
    published 2011-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53640
    title SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7463)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2012-76.NASL
    description - Fix IMAP, POP3 and SMTP URL sanitization (bnc#740452, CVE-2012-0036) - Disable SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option when built against an older OpenSSL version (CVE-2010-4180). - Don't enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (bnc#742306, CVE-2011-3389).
    last seen 2018-09-02
    modified 2015-10-22
    plugin id 74807
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74807
    title openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2141.NASL
    description DSA-2141 consists of three individual parts, which can be viewed in the mailing list archive: DSA 2141-1 (openssl), DSA 2141-2 (nss), DSA 2141-3 (apache2), and DSA 2141-4 (lighttpd). This page only covers the first part, openssl. - CVE-2009-3555 Marsh Ray, Steve Dispensa, and Martin Rex discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. This update adds backported support for the new RFC5746 renegotiation extension which fixes this issue. If openssl is used in a server application, it will by default no longer accept renegotiation from clients that do not support the RFC5746 secure renegotiation extension. A separate advisory will add RFC5746 support for nss, the security library used by the iceweasel web browser. For apache2, there will be an update which allows to re-enable insecure renegotiation. This version of openssl is not compatible with older versions of tor. You have to use at least tor version 0.2.1.26-1~lenny+1, which has been included in the point release 5.0.7 of Debian stable. Currently we are not aware of other software with similar compatibility problems. - CVE-2010-4180 In addition, this update fixes a flaw that allowed a client to bypass restrictions configured in the server for the used cipher suite.
    last seen 2018-09-02
    modified 2014-05-03
    plugin id 51440
    published 2011-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51440
    title Debian DSA-2141-1 : openssl - SSL/TLS insecure renegotiation protocol design flaw
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_LIBOPENSSL-DEVEL-101207.NASL
    description Malicious clients could downgrade a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180).
    last seen 2018-09-02
    modified 2014-06-13
    plugin id 53751
    published 2011-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53751
    title openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20101213_OPENSSL_ON_SL4_X.NASL
    description A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245 - SL4 Only) For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2012-08-01
    plugin id 60921
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60921
    title Scientific Linux Security Update : openssl on SL4.x, SL5.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0978.NASL
    description Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-02
    modified 2018-07-02
    plugin id 51146
    published 2010-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51146
    title CentOS 5 : openssl (CESA-2010:0978)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0979.NASL
    description From Red Hat Security Advisory 2010:0979 : Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 68165
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68165
    title Oracle Linux 6 : openssl (ELSA-2010-0979)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-18736.NASL
    description New upstream release that fixes a few minor bugs and also a security issue with moderate impact. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2015-10-20
    plugin id 51347
    published 2010-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51347
    title Fedora 13 : openssl-1.0.0c-1.fc13 (2010-18736)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0977.NASL
    description From Red Hat Security Advisory 2010:0977 : Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 68163
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68163
    title Oracle Linux 4 : openssl (ELSA-2010-0977)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0979.NASL
    description Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2018-07-25
    plugin id 51157
    published 2010-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51157
    title RHEL 6 : openssl (RHSA-2010:0979)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_COMPAT-OPENSSL097G-110721.NASL
    description This update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 55711
    published 2011-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55711
    title SuSE 11.1 Security Update : compat-openssl097g (SAT Patch Number 4913)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12701.NASL
    description Malicious clients could have downgraded a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180). This has been fixed.
    last seen 2018-09-01
    modified 2012-06-14
    plugin id 53637
    published 2011-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53637
    title SuSE9 Security Update : OpenSSL (YOU Patch Number 12701)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-18765.NASL
    description New upstream release that fixes a few minor bugs and also a security issue with moderate impact. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-07-12
    plugin id 51129
    published 2010-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51129
    title Fedora 14 : openssl-1.0.0c-1.fc14 (2010-18765)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_LIBOPENSSL-DEVEL-101207.NASL
    description Malicious clients could downgrade a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180).
    last seen 2018-09-02
    modified 2014-06-13
    plugin id 53676
    published 2011-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53676
    title openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_6_8.NASL
    description The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.8. This update contains security-related fixes for the following components : - App Store - ATS - Certificate Trust Policy - CoreFoundation - CoreGraphics - FTP Server - ImageIO - International Components for Unicode - Kernel - Libsystem - libxslt - MobileMe - MySQL - OpenSSL - patch - QuickLook - QuickTime - Samba - servermgrd - subversion
    last seen 2018-09-02
    modified 2018-08-22
    plugin id 55416
    published 2011-06-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55416
    title Mac OS X 10.6.x < 10.6.8 Multiple Vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0978.NASL
    description From Red Hat Security Advisory 2010:0978 : Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-02
    modified 2018-07-18
    plugin id 68164
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68164
    title Oracle Linux 5 : openssl (ELSA-2010-0978)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0008.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589) - fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052) - enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB environment variable is set (fixes CVE-2012-4929 #857051) - use __secure_getenv everywhere instead of getenv (#839735) - fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686) - fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio (#814185) - fix problem with the SGC restart patch that might terminate handshake incorrectly - fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725) - fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489) - fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery vulnerability and additional DTLS fixes (#771770) - fix for CVE-2011-4109 - double free in policy checks (#771771) - fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775) - fix for CVE-2011-4619 - SGC restart DoS attack (#771780) - add known answer test for SHA2 algorithms (#740866) - make default private key length in certificate Makefile 2048 bits (can be changed with PRIVATE_KEY_BITS setting) (#745410) - fix incorrect return value in parse_yesno (#726593) - added DigiCert CA certificates to ca-bundle (#735819) - added a new section about error states to README.FIPS (#628976) - add missing DH_check_pub_key call when DH key is computed (#698175) - presort list of ciphers available in SSL (#688901) - accept connection in s_server even if getaddrinfo fails (#561260) - point to openssl dgst for list of supported digests (#608639) - fix handling of future TLS versions (#599112) - added VeriSign Class 3 Public Primary Certification Authority - G5 and StartCom Certification Authority certs to ca-bundle (#675671, #617856) - upstream fixes for the CHIL engine (#622003, #671484) - add SHA-2 hashes in SSL_library_init (#676384) - fix CVE-2010-4180 - completely disable code for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462) - fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924) - fix CVE-2010-0433 - do not pass NULL princ to krb5_kt_get_entry which in the RHEL-5 and newer versions will crash in such case (#569774) - fix CVE-2009-3555 - support the safe renegotiation extension and do not allow legacy renegotiation on the server by default (#533125) - fix CVE-2009-2409 - drop MD2 algorithm from EVP tables (#510197) - fix CVE-2009-4355 - do not leak memory when CRYPTO_cleanup_all_ex_data is called prematurely by application (#546707)
    last seen 2018-09-01
    modified 2018-07-24
    plugin id 79532
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79532
    title OracleVM 3.2 : onpenssl (OVMSA-2014-0008)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_COMPAT-OPENSSL097G-110721.NASL
    description This update adds openssl patches since 2007 for : - CVE-2008-5077 - CVE-2009-0590 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 75453
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75453
    title openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_912577_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by Multiple Vulnerabilities : - An integer overflow condition exists in the __tzfile_read() function in the glibc library. An unauthenticated, remote attacker can exploit this, via a crafted timezone (TZ) file, to cause a denial of service or the execution of arbitrary code. (CVE-2009-5029) - ldd in the glibc library is affected by a privilege escalation vulnerability due to the omission of certain LD_TRACE_LOADED_OBJECTS checks in a crafted executable file. Note that this vulnerability is disputed by the library vendor. (CVE-2009-5064) - A remote code execution vulnerability exists in the glibc library due to an integer signedness error in the elf_get_dynamic_info() function when the '--verify' option is used. A remote attacker can exploit this by using a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header. (CVE-2010-0830) - A flaw exists in OpenSSL due to a failure to properly prevent modification of the ciphersuite in the session cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled. A remote attacker can exploit this to force a downgrade to an unintended cipher by intercepting the network traffic to discover a session identifier. (CVE-2010-4180) - A flaw exists in OpenSSL due to a failure to properly validate the public parameters in the J-PAKE protocol when J-PAKE is enabled. A remote attacker can exploit this, by sending crafted values in each round of the protocol, to bypass the need for knowledge of the shared secret. (CVE-2010-4252) - A out-of-bounds memory error exists in OpenSSL that allows a remote attacker to cause a denial of service or possibly obtain sensitive information by using a malformed ClientHello handshake message. This is also known as the 'OCSP stapling vulnerability'. (CVE-2011-0014) - A flaw exists in the addmntent() function in the glibc library due to a failure to report the error status for failed attempts to write to the /etc/mtab file. A local attacker can exploit this to corrupt the file by using writes from a process with a small RLIMIT_FSIZE value. (CVE-2011-1089) - A flaw exists in the png_set_text_2() function in the file pngset.c in the libpng library due to a failure to properly allocate memory. An unauthenticated, remote attacker can exploit this, via a crafted text chunk in a PNG image file, to trigger a heap-based buffer overflow, resulting in denial of service or the execution of arbitrary code. (CVE-2011-3048) - A flaw exists in the DTLS implementation in OpenSSL due to performing a MAC check only if certain padding is valid. A remote attacker can exploit this, via a padding oracle attack, to recover the plaintext. (CVE-2011-4108) - A double-free error exists in OpenSSL when the X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker can exploit this by triggering a policy check failure, resulting in an unspecified impact. (CVE-2011-4109) - A flaw exists in OpenSSL in the SSL 3.0 implementation due to improper initialization of data structures used for block cipher padding. A remote attacker can exploit this, by decrypting the padding data sent by an SSL peer, to obtain sensitive information. (CVE-2011-4576) - A denial of service vulnerability exists in OpenSSL when RFC 3779 support is enabled. A remote attacker can exploit this to cause an assertion failure, by using an X.509 certificate containing certificate extension data associated with IP address blocks or Autonomous System (AS) identifiers. (CVE-2011-4577) - A denial of service vulnerability exists in the RPC implementation in the glibc library due to a flaw in the svc_run() function. A remote attacker can exploit this, via large number of RPC connections, to exhaust CPU resources. (CVE-2011-4609) - A denial of service vulnerability exists in the Server Gated Cryptography (SGC) implementation in OpenSSL due to a failure to properly handle handshake restarts. A remote attacker can exploit this, via unspecified vectors, to exhaust CPU resources. (CVE-2011-4619) - A denial of service vulnerability exists in OpenSSL due to improper support of DTLS applications. A remote attacker can exploit this, via unspecified vectors related to an out-of-bounds read error. Note that this vulnerability exists because of an incorrect fix for CVE-2011-4108. (CVE-2012-0050) - A security bypass vulnerability exists in the glibc library due to an integer overflow condition in the vfprintf() function in file stdio-common/vfprintf.c. An attacker can exploit this, by using a large number of arguments, to bypass the FORTIFY_SOURCE protection mechanism, allowing format string attacks or writing to arbitrary memory. (CVE-2012-0864) - A denial of service vulnerability exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly calculate a buffer length. An attacker can exploit this, via a format string that uses positional parameters and many format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus causing stack corruption and a crash. (CVE-2012-3404) - A denial of service vulnerability exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly calculate a buffer length. An attacker can exploit this, via a format string with a large number of format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus triggering desynchronization within the buffer size handling, resulting in a segmentation fault and crash. (CVE-2012-3405) - A flaw exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly restrict the use of the alloca() function when allocating the SPECS array. An attacker can exploit this, via a crafted format string using positional parameters and a large number of format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus triggering a denial of service or the possible execution of arbitrary code. (CVE-2012-3406) - A flaw exists in the glibc library due to multiple integer overflow conditions in the strtod(), strtof(), strtold(), strtod_l(), and other unspecified related functions. A local attacker can exploit these to trigger a stack-based buffer overflow, resulting in an application crash or the possible execution of arbitrary code. (CVE-2012-3480) - A privilege escalation vulnerability exists in the Virtual Machine Communication Interface (VMCI) due to a failure by control code to properly restrict memory allocation. A local attacker can exploit this, via unspecified vectors, to gain privileges. (CVE-2013-1406) - An error exists in the implementation of the Network File Copy (NFC) protocol. A man-in-the-middle attacker can exploit this, by modifying the client-server data stream, to cause a denial of service or the execution of arbitrary code. (CVE-2013-1659)
    last seen 2018-09-02
    modified 2018-08-06
    plugin id 70885
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70885
    title ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1029-1.NASL
    description It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. This could possibly allow an attacker to downgrade the ciphersuite to a weaker one on subsequent connections. (CVE-2010-4180) It was discovered that an old bug workaround in the SSL/TLS server code allowed an attacker to modify the stored session cache ciphersuite. An attacker could possibly take advantage of this to force the use of a disabled cipher. This vulnerability only affects the versions of OpenSSL in Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2008-7270). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-05-27
    plugin id 51076
    published 2010-12-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51076
    title Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openssl vulnerabilities (USN-1029-1)
  • NASL family Web Servers
    NASL id OPENSSL_1_0_0C.NASL
    description According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8q or 1.0.0c. Such versions are potentially affected by multiple vulnerabilities : - It may be possible to downgrade the ciphersuite to a weaker version by modifying the stored session cache ciphersuite. - An error exists in the J-PAKE implementation that could lead to successful validation by someone with no knowledge of the shared secret.
    last seen 2018-09-01
    modified 2018-07-16
    plugin id 51058
    published 2010-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51058
    title OpenSSL < 0.9.8q / 1.0.0c Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBOPENSSL-DEVEL-101207.NASL
    description Malicious clients could downgrade a connection to a low strength cipher suite on session resumption if the server offers such ciphers. (CVE-2010-4180)
    last seen 2018-09-01
    modified 2013-10-25
    plugin id 51620
    published 2011-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51620
    title SuSE 11.1 Security Update : libopenssl (SAT Patch Number 3661)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2011-0013_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - Java Runtime Environment (JRE) - libuser - Netscape Portable Runtime (NSPR) - Network Security Services (NSS) - OpenSSL
    last seen 2018-09-01
    modified 2018-08-16
    plugin id 89681
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89681
    title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0013) (remote check)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0977.NASL
    description Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. It was discovered that OpenSSL did not always check the return value of the bn_wexpand() function. An attacker able to trigger a memory allocation failure in that function could possibly crash an application using the OpenSSL library and its UBSEC hardware engine support. (CVE-2009-3245) All OpenSSL users should upgrade to these updated packages, which contain backported patches to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2018-07-02
    plugin id 51781
    published 2011-01-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51781
    title CentOS 4 : openssl (CESA-2010:0977)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBOPENSSL-DEVEL-101207.NASL
    description Malicious clients could downgrade a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180).
    last seen 2018-09-01
    modified 2014-06-13
    plugin id 75594
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75594
    title openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_146857-01.NASL
    description SunOS 5.10: ssl patch for wanboot. Date this patch was last updated by Sun : Mar/23/11
    last seen 2018-09-01
    modified 2018-03-12
    plugin id 107599
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107599
    title Solaris 10 (sparc) : 146857-01
  • NASL family AIX Local Security Checks
    NASL id AIX_OPENSSL_ADVISORY2.NASL
    description The version of OpenSSL running on the remote host is affected by the following vulnerabilities : - ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka 'OCSP stapling vulnerability.' (CVE-2011-0014) - Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi- threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap- based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. (CVE-2010-3864) - OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. (CVE-2010-4180)
    last seen 2018-09-02
    modified 2018-07-17
    plugin id 73560
    published 2014-04-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73560
    title AIX OpenSSL Advisory : openssl_advisory2.asc
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0013_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - Apache Struts - glibc - GnuTLS - JRE - kernel - libxml2 - OpenSSL - Perl - popt and rpm
    last seen 2018-09-01
    modified 2018-08-16
    plugin id 89038
    published 2016-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89038
    title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_COMPAT-OPENSSL097G-110721.NASL
    description This update adds openssl patches since 2007 for : - CVE-2008-5077 - CVE-2009-0590 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen 2018-09-01
    modified 2016-12-21
    plugin id 75802
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75802
    title openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_OPENSSL-7462.NASL
    description Malicious clients could have downgraded a connection to a low strength cipher suite on session resumption if the server offers such ciphers (CVE-2010-4180). This has been fixed.
    last seen 2018-09-01
    modified 2012-06-14
    plugin id 57233
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57233
    title SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7462)
  • NASL family General
    NASL id OPENSSL_RESUME_DIFFERENT_CIPHER.NASL
    description The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker. Note that other SSL implementations may also be affected by this vulnerability.
    last seen 2018-09-02
    modified 2018-07-16
    plugin id 51892
    published 2011-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51892
    title OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2011-0013.NASL
    description a. ESX third-party update for Service Console openssl RPM The Service Console openssl RPM is updated to openssl-0.9.8e.12.el5_5.7 resolving two security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-7270 and CVE-2010-4180 to these issues. b. ESX third-party update for Service Console libuser RPM The Service Console libuser RPM is updated to version 0.54.7-2.1.el5_5.2 to resolve a security issue. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-0002 to this issue. c. ESX third-party update for Service Console nss and nspr RPMs The Service Console Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1 and nss-3.12.8-4 resolving multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3170 and CVE-2010-3173 to these issues. d. vCenter Server and ESX, Oracle (Sun) JRE update 1.6.0_24 Oracle (Sun) JRE is updated to version 1.6.0_24, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_24: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475 and CVE-2010-4476. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.6.0_22: CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573 and CVE-2010-3574. e. vCenter Update Manager Oracle (Sun) JRE update 1.5.0_30 Oracle (Sun) JRE is updated to version 1.5.0_30, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_30: CVE-2011-0862, CVE-2011-0873, CVE-2011-0815, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814, CVE-2011-0871, CVE-2011-0867 and CVE-2011-0865. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_28: CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476. f. Integer overflow in VMware third-party component sfcb This release resolves an integer overflow issue present in the third-party library SFCB when the httpMaxContentLength has been changed from its default value to 0 in in /etc/sfcb/sfcb.cfg. The integer overflow could allow remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2054 to this issue.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 56665
    published 2011-10-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56665
    title VMSA-2011-0013 : VMware third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_146859-01.NASL
    description SunOS 5.10_x86: ssl patch. Date this patch was last updated by Sun : Mar/23/11
    last seen 2018-09-02
    modified 2018-03-14
    plugin id 108092
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108092
    title Solaris 10 (x86) : 146859-01
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0978.NASL
    description Updated openssl packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. A remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, if the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly forcing the client to use a weaker ciphersuite after resuming the session. (CVE-2010-4180, CVE-2008-7270) Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option has no effect and this bug workaround can no longer be enabled. All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.
    last seen 2018-09-01
    modified 2018-07-25
    plugin id 51156
    published 2010-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51156
    title RHEL 5 : openssl (RHSA-2010:0978)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_COMPAT-OPENSSL097G-7644.NASL
    description This update adds openssl patches since 2007 for : - CVE-2009-0590 - CVE-2008-5077 - CVE-2009-0789 - CVE-2009-3555 - CVE-2010-4180
    last seen 2018-09-01
    modified 2016-12-22
    plugin id 55715
    published 2011-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55715
    title SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7644)
oval via4
accepted 2015-05-04T04:00:12.141-04:00
class vulnerability
contributors
  • name Sergey Artykhov
    organization ALTX-SOFT
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
comment VisualSVN Server is installed
oval oval:org.mitre.oval:def:18636
description OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
family windows
id oval:org.mitre.oval:def:18910
status accepted
submitted 2013-10-02T13:00:00
title OpenSSL vulnerability before 0.9.8q, and 1.0.x before 1.0.0c in VisualSVN Server (CVE-2010-4180)
version 8
redhat via4
advisories
  • bugzilla
    id 660650
    title CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhsa:tst:20050025001
    • OR
      • AND
        • comment openssl is earlier than 0:0.9.7a-43.17.el4_8.6
          oval oval:com.redhat.rhsa:tst:20100977002
        • comment openssl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20040120003
      • AND
        • comment openssl-devel is earlier than 0:0.9.7a-43.17.el4_8.6
          oval oval:com.redhat.rhsa:tst:20100977004
        • comment openssl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20040120005
      • AND
        • comment openssl-perl is earlier than 0:0.9.7a-43.17.el4_8.6
          oval oval:com.redhat.rhsa:tst:20100977006
        • comment openssl-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20040120007
    rhsa
    id RHSA-2010:0977
    released 2010-12-13
    severity Moderate
    title RHSA-2010:0977: openssl security update (Moderate)
  • bugzilla
    id 660650
    title CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment openssl is earlier than 0:0.9.8e-12.el5_5.7
          oval oval:com.redhat.rhsa:tst:20100978002
        • comment openssl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964003
      • AND
        • comment openssl-devel is earlier than 0:0.9.8e-12.el5_5.7
          oval oval:com.redhat.rhsa:tst:20100978006
        • comment openssl-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964005
      • AND
        • comment openssl-perl is earlier than 0:0.9.8e-12.el5_5.7
          oval oval:com.redhat.rhsa:tst:20100978004
        • comment openssl-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964007
    rhsa
    id RHSA-2010:0978
    released 2010-12-13
    severity Moderate
    title RHSA-2010:0978: openssl security update (Moderate)
  • bugzilla
    id 659462
    title CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment openssl-devel is earlier than 0:1.0.0-4.el6_0.2
          oval oval:com.redhat.rhsa:tst:20100979009
        • comment openssl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100888012
      • AND
        • comment openssl-static is earlier than 0:1.0.0-4.el6_0.2
          oval oval:com.redhat.rhsa:tst:20100979007
        • comment openssl-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100888010
      • AND
        • comment openssl-perl is earlier than 0:1.0.0-4.el6_0.2
          oval oval:com.redhat.rhsa:tst:20100979011
        • comment openssl-perl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100888008
      • AND
        • comment openssl is earlier than 0:1.0.0-4.el6_0.2
          oval oval:com.redhat.rhsa:tst:20100979005
        • comment openssl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100888006
    rhsa
    id RHSA-2010:0979
    released 2010-12-13
    severity Moderate
    title RHSA-2010:0979: openssl security update (Moderate)
  • rhsa
    id RHSA-2011:0896
rpms
  • openssl-0:0.9.7a-43.17.el4_8.6
  • openssl-devel-0:0.9.7a-43.17.el4_8.6
  • openssl-perl-0:0.9.7a-43.17.el4_8.6
  • openssl-0:0.9.8e-12.el5_5.7
  • openssl-devel-0:0.9.8e-12.el5_5.7
  • openssl-perl-0:0.9.8e-12.el5_5.7
  • openssl-devel-0:1.0.0-4.el6_0.2
  • openssl-static-0:1.0.0-4.el6_0.2
  • openssl-perl-0:1.0.0-4.el6_0.2
  • openssl-0:1.0.0-4.el6_0.2
refmap via4
apple APPLE-SA-2011-06-23-1
bid 45164
cert-vn VU#737740
confirm
debian DSA-2141
fedora
  • FEDORA-2010-18736
  • FEDORA-2010-18765
hp
  • HPSBHF02706
  • HPSBMA02658
  • HPSBMU02759
  • HPSBOV02670
  • HPSBUX02638
  • SSRT100339
  • SSRT100413
  • SSRT100475
  • SSRT100613
  • SSRT100817
mandriva MDVSA-2010:248
osvdb 69565
sectrack 1024822
secunia
  • 42469
  • 42473
  • 42493
  • 42571
  • 42620
  • 42811
  • 42877
  • 43169
  • 43170
  • 43171
  • 43172
  • 43173
  • 44269
slackware SSA:2010-340-01
suse
  • SUSE-SR:2011:001
  • SUSE-SR:2011:009
  • SUSE-SU-2011:0847
  • openSUSE-SU-2011:0845
ubuntu USN-1029-1
vupen
  • ADV-2010-3120
  • ADV-2010-3122
  • ADV-2010-3134
  • ADV-2010-3188
  • ADV-2011-0032
  • ADV-2011-0076
  • ADV-2011-0268
vmware via4
description The ESX/ESXi userworld OpenSSL library is updated from version 0.9.8p to version 0.9.8t to resolve multiple security issues.
id VMSA-2012-0013
last_updated 2012-12-20T00:00:00
published 2012-08-30T00:00:00
title Update to ESX/ESXi userworld OpenSSL library
Last major update 22-08-2016 - 22:02
Published 06-12-2010 - 16:05
Last modified 18-09-2017 - 21:31
Back to Top