Summary
The remote host is missing updates announced in
advisory SUSE-SA:2009:006.
Solution
Update your system with the packages as indicated in the referenced security advisory.
https://secure1.securityspace.com/smysecure/catid.html?in=SUSE-SA:2009:006
Insight
The OpenSSL certificate checking routine EVP_VerifyFinal can return either 0 or a negative value on failure. In some places only the 0 case was checked, so a negative return value was treated as a successful verification.
Prior to this update it was therefore possible to bypass the certificate chain checks of OpenSSL.
This advisory is for the updates that improve the verification of return values inside the OpenSSL library itself.
Several client programs also need to receive fixes to check that return value.
A bind update which fixes this was already released yesterday, tracked in SUSE-SA:2009:005.
A boinc-client and libnasl update was also released yesterday.
Updates for ntp, xntp, and eID-Belgium are being prepared.
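The caller-side mistake the advisory describes is easiest to see with the return contract spelled out. The following is an added example, not code from OpenSSL or from the SUSE update: model_verify_final() is a constructed stand-in that follows the documented contract of EVP_VerifyFinal (1 for a matching signature, 0 for a non-matching one, a negative value when an error prevents the check from completing). The two policy functions show the vulnerable caller that only treats 0 as failure next to the hardened caller that accepts nothing but exactly 1; the signature strings are constructed test inputs.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for EVP_VerifyFinal()'s return contract.
 * This is NOT OpenSSL code; it exists only so the three outcomes
 * (1 = valid, 0 = mismatch, negative = error) can be exercised offline.
 */
static int model_verify_final(const char *expected_sig, const char *got_sig)
{
    if (got_sig == NULL || got_sig[0] == '\0')
        return -1;                       /* error: signature could not be parsed */
    return strcmp(expected_sig, got_sig) == 0 ? 1 : 0;
}

/* Vulnerable caller pattern from the advisory: only 0 is treated as a
 * failure, so an error return such as -1 falls through as "verified". */
int accepts_vulnerable(int verify_ret)
{
    if (verify_ret == 0)
        return 0;                        /* rejected */
    return 1;                            /* accepted, including negative values */
}

/* Hardened caller: anything other than exactly 1 is a rejection.
 * Equivalent to the "<= 0 is failure" check; a negative error is never trusted. */
int accepts_fixed(int verify_ret)
{
    return verify_ret == 1;
}

/* Runs a constructed signature through the model verifier and applies a
 * caller policy; returns 1 if the policy would accept the signature. */
int check_signature(const char *got_sig, int (*policy)(int))
{
    int ret = model_verify_final("constructed-valid-signature", got_sig);
    return policy(ret);
}

int main(void)
{
    /* Constructed inputs: a matching signature, a mismatching one, and an
     * unparsable (empty) one that makes the verifier return an error. */
    const char *cases[] = { "constructed-valid-signature", "wrong-signature", "" };
    const char *labels[] = { "valid", "mismatch", "malformed (error)" };
    size_t i;

    printf("%-18s %-10s %-10s\n", "input", "vulnerable", "fixed");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-18s %-10s %-10s\n", labels[i],
               check_signature(cases[i], accepts_vulnerable) ? "ACCEPT" : "reject",
               check_signature(cases[i], accepts_fixed) ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The malformed case is the one that matters: the vulnerable policy accepts it because -1 is not 0, while the fixed policy rejects it. When auditing callers of any verify-style API, the check to look for is "equals success", not "not equal to failure".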
Severity
Classification
CVE: CVE-2008-5077
CVSS Base Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Related Vulnerabilities