Hi All,

I am using openssl-0.9.7c for my application. Recently I came across the security update for the following:
ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940)
==============================================================
Vulnerability
-------------
Dr. S. N. Henson recently developed an ASN.1 test suite for NISCC
(www.niscc.gov.uk). When the test suite was run against OpenSSL two
denial of service vulnerabilities were discovered:

1. During the parsing of certain invalid ASN.1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory (CVE-2006-2937). (This issue did not affect
OpenSSL versions prior to 0.9.7)

2. Certain types of public key can take disproportionate amounts of
time to process. This could be used by an attacker in a denial of
service attack (CVE-2006-2940).

Any code which uses OpenSSL to parse ASN.1 data from untrusted sources
is affected. This includes SSL servers which enable client
authentication and S/MIME applications.


The above vulnerability has been resolved in openssl-0.9.7l.

I want to apply the patch to my openssl-0.9.7c code rather than taking the new openssl-0.9.7l.

How can I get the patch for the above vulnerability for openssl-0.9.7c?

Can anyone suggest a patch or name the files to be modified / back ported?

regards,
Sudhir Voona
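Before deciding whether a backport is needed at all, it helps to have an unambiguous way of telling where a given build sits relative to the fixed release named above. The following is an added example, not part of the original post or of OpenSSL itself: it parses the version string printed by `openssl version` (and the `OPENSSL_VERSION_NUMBER` hex constant from `opensslv.h`, whose MNNFFPPS nibble layout is assumed here) into a comparable tuple and reports which of the two CVEs from the quoted advisory apply to a 0.9.7-branch build. Branches the advisory text does not mention are reported as "not covered" rather than guessed at.

```python
import re
import subprocess

# Release in which the quoted advisory says the 0.9.7 branch was fixed.
FIXED_097_RELEASE = "0.9.7l"

# Matches the prefix of `openssl version` output, e.g. "OpenSSL 0.9.7c 30 Sep 2003".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letters_to_patch(letters):
    """Map OpenSSL's patch-letter suffix to an integer that preserves release order.

    '' -> 0 (base release), 'a' -> 1, 'b' -> 2, ... 'l' -> 12. Multi-letter
    suffixes (used later in the 0.9.8 series) still sort after single letters.
    """
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return patch


def parse_version(text):
    """Parse an `openssl version` string into (major, minor, fix, patch)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), _letters_to_patch(letters))


def from_version_number(n):
    """Decode the OPENSSL_VERSION_NUMBER constant (assumed MNNFFPPS layout) into a tuple.

    M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
    S = status nibble, which is ignored here. 0x0090703f therefore means 0.9.7c.
    """
    return (n >> 28, (n >> 20) & 0xFF, (n >> 12) & 0xFF, (n >> 4) & 0xFF)


def affected_cves(version):
    """Return the set of advisory CVEs that apply to a 0.9.7-branch version.

    Returns an empty set once the build is at or past 0.9.7l, and None for
    branches the quoted advisory text does not cover, so the caller does not
    mistake "unknown" for "safe".
    """
    if version[:3] != (0, 9, 7):
        return None
    if version < parse_version("OpenSSL " + FIXED_097_RELEASE):
        return {"CVE-2006-2937", "CVE-2006-2940"}
    return set()


def check_installed_binary():
    """Run the local `openssl version` and classify it; None if no binary is found."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return affected_cves(parse_version(out))


if __name__ == "__main__":
    # Constructed sample strings, as a build on the poster's version would print them.
    for sample in ("OpenSSL 0.9.7c 30 Sep 2003", "OpenSSL 0.9.7l 28 Sep 2006"):
        v = parse_version(sample)
        print(sample, "->", v, "affected:", affected_cves(v))
    print("installed binary:", check_installed_binary())
```

Linking the same comparison into the application itself (via `OPENSSL_VERSION_NUMBER` at compile time, or `SSLeay_version(SSLEAY_VERSION)` at run time) is a cheap regression guard once a backport is in place, because it fails loudly if a build is ever produced against an older tree again.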
