Linux Today: Linux News On Internet Time.

Widespread vulnerabilities found in programs which use OpenSSL

Jan 09, 2009, 17:03 (10 Talkback[s])

"The most important affected program is ISC Bind, which is the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. Bind have released BIND 9.6.0-P1 this morning to fix this bug.

"The common mistake is in the checking of return values from functions in OpenSSL that check digital signatures. Programmers have failed to allow for all the possible return values of the EVP_VerifyFinal function, and as a result some cases where the signature has not been successfully checked can be mistakenly treated as successfully verified."

Complete Story

Related Stories: