The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL prior to 1.0.1t and 1.0.2 prior to 1.0.2h allows remote malicious users to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
openssl openssl 1.0.2a |
||
openssl openssl 1.0.2e |
||
openssl openssl 1.0.2b |
||
openssl openssl 1.0.2g |
||
openssl openssl 1.0.2c |
||
openssl openssl 1.0.2 |
||
openssl openssl |
||
openssl openssl 1.0.2f |
||
openssl openssl 1.0.2d |
Two innocent programming blunders breed high-risk flaw
Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2. Last week, the open-source crypto-library project warned that a bunch of fixes were incoming, and true enough, Tuesday’s updates address serious flaws that should be installed as soon as possible. CVE-2016-2108 is a curious beast; a hybrid of two low-risk bugs that can be fused into a serious problem. The first is a seemingly innocuous issue with the ASN.1 parser whereby if a zero is re...