Re: New OpenSSL releases fix denial of service attacks [17 March 2004]
At 11:30 3/17/2004, Mark J Cox wrote:
>> according to NISCC Vulnerability Advisory 224012 (
>> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a
>> third potential DoS that was found with this testing sweep: CVE
>> CAN-2004-0081. quoting from the NISCC advisory:
>
>Absolutely, but that was fixed back in 0.9.6d a long time ago.
there appears to be a new CVE number corresponding to this issue. that
either means that 1) the issue is really new to CVE and most people weren't
aware of it and should be made so, regardless of whether a fix was slipped
in long ago or 2) the CVE number is a dupe and should be marked as such.
do you know which case we have?
if the former, the OpenSSL folks have a duty to advise their users of the
newly discovered vulnerability. as the NISCC advisory states the issue
would "affect vendors that ship older versions of OpenSSL with backported
security patches". if the latter, then the NISCC folks need to clear
things up in their advisory.
cheers,
marc