Note: This is an archival copy of Security Sun Alert 258048 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1020423.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
A Security Vulnerability in the ASN.1 Handling in Solaris OpenSSL May Lead to a Denial of Service (DoS) Condition
A security vulnerability in the ASN.1 handling in the OpenSSL product (see openssl(5)) shipped with Solaris may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to applications calling the "ASN1_STRING_print_ex()" printing function.
Additional information regarding this issue can be found in the following document:
CVE-2009-0590 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590
2. Contributing Factors
This issue can occur in the following releases:
1. Solaris 8 and Solaris 9 are not impacted by this issue.
2. Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software. For example, commands such as openssl(1) and servers such as PostgreSQL are known to be vulnerable to this issue.
3. Solaris Secure Shell (SSH), Firefox and Thunderbird distributed with Solaris are not vulnerable to this issue.
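One way to inventory which binaries on a host import "ASN1_STRING_print_ex()" directly, as an added example that is not part of the original Sun Alert. It assumes a POSIX shell (ksh or bash on Solaris 10) and an nm that accepts -D and -P; the function names are hypothetical, and a program that reaches the function only through other library routines is not listed.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): list binaries whose dynamic symbol
# table imports the function named in the alert.
SYMBOL=${SYMBOL:-ASN1_STRING_print_ex}

# Reads `nm -P` output (POSIX format: "name type [value [size]]") on stdin.
# Returns 0 when SYMBOL is present as an undefined (type U) reference.
imports_symbol() {
    found=1
    while read -r name type _rest; do
        name=${name%%@*}            # drop a GNU version suffix, e.g. "@VERS"
        if [ "$name" = "$SYMBOL" ] && [ "$type" = "U" ]; then
            found=0
        fi
    done
    return "$found"
}

# Prints each regular file under the given directories that imports SYMBOL.
# Files nm cannot parse (scripts, data files) produce no output and are skipped.
scan_dirs() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            if nm -D -P "$f" 2>/dev/null | imports_symbol; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Constructed nm -P lines (not real tool output) for a quick self-check.
selfcheck() {
    printf '%s\n' 'BIO_new U' 'ASN1_STRING_print_ex U' | imports_symbol || return 1
    # The library that defines the symbol (type T) is not an importer.
    printf '%s\n' 'ASN1_STRING_print_ex T 00012340 00000210' | imports_symbol && return 1
    return 0
}

# Usage: sh scan.sh DIR [DIR...]
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```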
OpenSolaris distributions may include additional bug fixes above and beyond the build from which they were derived. The base build can be derived as follows:
$ uname -v
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
04-May-2009: Added additional "Notes" to Contributing Factors
08-Jun-2009: Updated Contributing Factors and Resolution sections; Resolved