OpenSSL 0.9.6e 30 Jul 2002

Dean Richard Benson dean at
Tue Jul 30 05:53:46 PDT 2002

As per the subject, new version of OpenSSL has been released today.

Quick snippet fyi:


All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
    buffer. This vulnerability was also independently discovered by
    consultants at Neohapsis ( who have also
    demonstrated that the vulerability is exploitable. Exploit code is
    NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
    overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
    overrun a stack-based buffer. This issues only affects OpenSSL
    0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
    small on 64 bit platforms.

The Common Vulnerabilities and Exposures project ( has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be
exploitable have had assertions added to defend against them.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
URL: <>

More information about the lfs-security mailing list