English | Deutsch | Español
 
Inicial ▼
Página inicial Acerca Nuestro Contáctenos Privacidad Programas de Asociados Testimonios En la Prensa Listas de Correos Abuso Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
 
Auditorias ▼
Inicial Dedicada Avanzada Estándar Periódica Sin Riesgo Escritorio Básica Sello FAQ Resumen de Precio/Funciones Ordenar Nuevas Pruebas Todas las Pruebas Confidencialidad Búsqueda de Vulnerabilidad Ejecutar Auditoría Programador IP Permissions Auditorías Personalizadas Cola Recordatorio Sellos Informes Estilos de Informes
DNS
Administrado ▼
Acerca de DNS Ordenar/Renovar Preguntas Frecuentes AUP Dynamic DNS Clients
Configurar Dominios Dynamic DNS Update Password
Monitoreo
de Redes ▼
Enterprise Avanzado Estándarr Prueba Preguntas Frecuentes Resumen de Precio/Funciones Ordenar Muestras
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Iniciar sesión/Registrarse 
 
 Búsqueda de    
Vulnerabilidad   		     Buscar 219043 Descripciones CVE y
99761 Descripciones de Pruebas,
accesos 10,000+ referencias cruzadas.
Pruebas   CVE   Todos  

ID de Prueba:1.3.6.1.4.1.25623.1.0.55605
Categoría:Mandrake Local Security Checks
Título:Mandrake Security Advisory MDKSA-2005:179 (openssl)
Resumen:NOSUMMARY
Descripción:Description:

The remote host is missing an update to openssl
announced via advisory MDKSA-2005:179.

Yutaka Oiwa discovered vulnerability potentially affects applications
that use the SSL/TLS server implementation provided by OpenSSL.

Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in third-
party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
the SSL 2.0 server supposed to prevent active protocol-version rollback
attacks. With this verification step disabled, an attacker acting as
a man in the middle can force a client and a server to negotiate the
SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0.
The SSL 2.0 protocol is known to have severe cryptographic weaknesses
and is supported as a fallback only. (CVE-2005-2969)

The current default algorithm for creating message digests
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.

To address this issue, openssl has been changed to use SHA-1 by
default. This is a more appropriate default algorithm for the majority
of use cases. If you still want to use MD5 as default, you can revert
this change by changing the two instances of default_md = sha1 to
default_md = md5 in /usr/{lib,lib64}/ssl/openssl.cnf. (CVE-2005-2946)

Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0,
Corporate Server 2.1,

Multi Network Firewall 2.0


Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDKSA-2005:179

Risk factor : Medium

CVSS Score:
5.0

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2005-2969
http://docs.info.apple.com/article.html?artnum=302847
BugTraq ID: 15071
http://www.securityfocus.com/bid/15071
BugTraq ID: 15647
http://www.securityfocus.com/bid/15647
BugTraq ID: 24799
http://www.securityfocus.com/bid/24799
Cisco Security Advisory: 20051202 Cisco Security Notice: Response to OpenSSL - Potential SSL 2.0 Rollback
http://www.cisco.com/warp/public/707/cisco-response-20051202-openssl.shtml
Debian Security Information: DSA-875 (Google Search)
http://www.debian.org/security/2005/dsa-875
Debian Security Information: DSA-881 (Google Search)
http://www.debian.org/security/2005/dsa-881
Debian Security Information: DSA-882 (Google Search)
http://www.debian.org/security/2005/dsa-882
FreeBSD Security Advisory: FreeBSD-SA-05:21
HPdes Security Advisory: HPSBUX02174
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
HPdes Security Advisory: HPSBUX02186
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
HPdes Security Advisory: SSRT061239
HPdes Security Advisory: SSRT071299
http://www.mandriva.com/security/advisories?name=MDKSA-2005:179
ftp://ftp.software.ibm.com/pc/pccbbs/pc_servers/dir5.10.3_docs_relnotes.pdf
http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754
http://www.juniper.net/support/security/alerts/PSN-2005-12-025.txt
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11454
http://www.redhat.com/support/errata/RHSA-2005-762.html
http://www.redhat.com/support/errata/RHSA-2005-800.html
http://www.redhat.com/support/errata/RHSA-2008-0629.html
http://securitytracker.com/id?1015032
http://secunia.com/advisories/17146
http://secunia.com/advisories/17151
http://secunia.com/advisories/17153
http://secunia.com/advisories/17169
http://secunia.com/advisories/17178
http://secunia.com/advisories/17180
http://secunia.com/advisories/17189
http://secunia.com/advisories/17191
http://secunia.com/advisories/17210
http://secunia.com/advisories/17259
http://secunia.com/advisories/17288
http://secunia.com/advisories/17335
http://secunia.com/advisories/17344
http://secunia.com/advisories/17389
http://secunia.com/advisories/17409
http://secunia.com/advisories/17432
http://secunia.com/advisories/17466
http://secunia.com/advisories/17589
http://secunia.com/advisories/17617
http://secunia.com/advisories/17632
http://secunia.com/advisories/17813
http://secunia.com/advisories/17888
http://secunia.com/advisories/18045
http://secunia.com/advisories/18123
http://secunia.com/advisories/18165
http://secunia.com/advisories/18663
http://secunia.com/advisories/19185
http://secunia.com/advisories/21827
http://secunia.com/advisories/23280
http://secunia.com/advisories/23340
http://secunia.com/advisories/23843
http://secunia.com/advisories/23915
http://secunia.com/advisories/25973
http://secunia.com/advisories/26893
http://secunia.com/advisories/31492
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101974-1
SuSE Security Announcement: SUSE-SA:2005:061 (Google Search)
http://www.novell.com/linux/security/advisories/2005_61_openssl.html
http://lists.trustix.org/pipermail/tsl-announce/2005-October/000354.html
http://www.vupen.com/english/advisories/2005/2036
http://www.vupen.com/english/advisories/2005/2659
http://www.vupen.com/english/advisories/2005/2710
http://www.vupen.com/english/advisories/2005/2908
http://www.vupen.com/english/advisories/2005/3002
http://www.vupen.com/english/advisories/2005/3056
http://www.vupen.com/english/advisories/2006/3531
http://www.vupen.com/english/advisories/2007/0326
http://www.vupen.com/english/advisories/2007/0343
http://www.vupen.com/english/advisories/2007/2457
XForce ISS Database: hitachi-hicommand-security-bypass(35287)
https://exchange.xforce.ibmcloud.com/vulnerabilities/35287
Common Vulnerability Exposure (CVE) ID: CVE-2005-2946
http://www.cits.rub.de/MD5Collisions/
https://bugzilla.ubuntu.com/show_bug.cgi?id=13593
http://www.ubuntu.com/usn/usn-179-1
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.

Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.



© 1998-2024 E-Soft Inc. Todos los derechos reservados.