The ASN.1 implementation in OpenSSL prior to 1.0.1o and 1.0.2 prior to 1.0.2c allows remote malicious users to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

| Vulnerable Product |
|---|
| redhat enterprise linux hpc node 6.0 |
| redhat enterprise linux desktop 6.0 |
| redhat enterprise linux server 6.0 |
| redhat enterprise linux workstation 6.0 |
| openssl openssl 1.0.2a |
| openssl openssl 1.0.2b |
| openssl openssl 1.0.2 |
| openssl openssl |
| redhat enterprise linux desktop 7.0 |
| redhat enterprise linux server aus 7.2 |
| redhat enterprise linux workstation 7.0 |
| redhat enterprise linux server 7.0 |
| redhat enterprise linux hpc node 7.0 |
| redhat enterprise linux server eus 7.2 |
| redhat enterprise linux hpc node eus 7.2 |
| google android 5.1.0 |
| google android 4.2 |
| google android 4.1 |
| google android 6.0.1 |
| google android 6.0 |
| google android 4.0.2 |
| google android 4.4.3 |
| google android 4.0.4 |
| google android 4.3 |
| google android 4.0.1 |
| google android 4.2.1 |
| google android 5.0.1 |
| google android 5.0 |
| google android 4.0.3 |
| google android 4.0 |
| google android 4.4 |
| google android 4.4.1 |
| google android 4.2.2 |
| google android 4.3.1 |
| google android 4.4.2 |
| google android 5.1 |
| google android 4.1.2 |

Two innocent programming blunders breed high-risk flaw
Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2. Last week, the open-source crypto-library project warned that a bunch of fixes were incoming, and true enough, Tuesday’s updates address serious flaws that should be installed as soon as possible. CVE-2016-2108 is a curious beast; a hybrid of two low-risk bugs that can be fused into a serious problem. The first is a seemingly innocuous issue with the ASN.1 parser whereby if a zero is re...