CVSS: 9.8EPSS: 2%CPEs: 161EXPL: 0CVE-2009-2409 – deprecate MD2 in SSL cert validation (Kaminsky)
https://notcve.org/view.php?id=CVE-2009-2409
30 Jul 2009 — The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. La librería Network Security Services (NSS) en versiones anteri... • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 48%CPEs: 8EXPL: 3CVE-2009-1386 – OpenSSL < 0.9.8i - DTLS ChangeCipherSpec Remote Denial of Service
https://notcve.org/view.php?id=CVE-2009-1386
04 Jun 2009 — ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. ssl/s3_pkt.c en OpenSSL anteriores a v0.9.8i permite a los atacantes remotos, causar una denegación de servicios (puntero NULO desreferenciado y caída del "daemon"), a través de un paquete ChangeCipherSpec DTLs que ocurre antes de ClientHello. • https://packetstorm.news/files/id/180494 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 12%CPEs: 8EXPL: 0CVE-2009-1387 – openssl: DTLS out-of-sequence message handling NULL deref DoS
https://notcve.org/view.php?id=CVE-2009-1387
04 Jun 2009 — The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." La función dtls1_retrieve_buffered_fragment en ssl/d1_both.c en OpenSSL anteriores a v1.0.0 Beta 2 permite a los atacantes causar una denegación de servicios (puntero NULO desreferenciado y caída de "daemon") a través de un mensaje "handshake" D... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 4%CPEs: 5EXPL: 2CVE-2009-1378 – OpenSSL: DTLS fragment handling memory DoS
https://notcve.org/view.php?id=CVE-2009-1378
19 May 2009 — Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." Múltiples fugas de memoria en la función dtls1_process_out_of_seq_message en ssl/d1_both.c en OpenSSL v0.9.8k y anteriores permite a atacantes remotos... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 4%CPEs: 1EXPL: 0CVE-2009-1377 – OpenSSL: DTLS epoch record buffer memory DoS
https://notcve.org/view.php?id=CVE-2009-1377
19 May 2009 — The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." La función dtls1_buffer_record en ssl/d1_pkt.c en OpenSSL 0.9.8k y anteriores permite a atacantes remotos producir una denegación de servicio (consumo de memoria) a través de series largas de registros DTLS de "eras futuras... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 12%CPEs: 3EXPL: 0CVE-2009-0590 – openssl: ASN1 printing crash
https://notcve.org/view.php?id=CVE-2009-0590
27 Mar 2009 — The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. La función ASN1_STRING_print_ex en OpenSSL versiones anteriores a v0.9.8k permite a atacantes remotos provocar una denegación de servicio (acceso inválido a memoria y caída de la aplicación) mediante vectores que provocan la impresión de (1) BMPS... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2009-0591
https://notcve.org/view.php?id=CVE-2009-0591
27 Mar 2009 — The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid. La función CMS_verify en OpenSSL v0.9.8h hasta v0.9.8j, cuando se ha habilitado CMS, no maneja adecuadamente los errores asociados con atributos firmados malformados, permitiendo a atacantes remotos rechazar una firma que originalmente ap... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 2%CPEs: 62EXPL: 0CVE-2009-0789
https://notcve.org/view.php?id=CVE-2009-0789
27 Mar 2009 — OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. OpenSSL anterior a v0.9.8k en plataformas WIN64 y otras plataformas no maneja adecuadamente una estructura ASN.1 malformada, permitiendo a atacantes remotos provocar una denegación de servicio (... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc • CWE-189: Numeric Errors •
CVSS: 6.1EPSS: 1%CPEs: 59EXPL: 0CVE-2008-5077 – OpenSSL Incorrect checks for malformed signatures
https://notcve.org/view.php?id=CVE-2008-5077
07 Jan 2009 — OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. OpenSSL 0.9.8i y versiones anteriores no comprueba correctamente el valor de retorno de la función EVP_VerifyFinal, lo que permite a atacantes remotos evitar la validación de la cadena del certificado a través de una firma SSL/TLS mal formada para las claves DSA y ECDSA. • http://lists.apple.com/archives/security-announce/2009/May/msg00002.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 6%CPEs: 3EXPL: 2CVE-2008-1678 – httpd: mod_ssl per-connection memory leak for connections with zlib compression
https://notcve.org/view.php?id=CVE-2008-1678
10 Jul 2008 — Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. Fuga de memoria en la Función zlib_stateful_init en crypto/comp/c_zlib.c en libssl en OpenSSL v0.9.8f a la 0.9.8h, permite a atacantes remotos causar una denegación de servicio (consu... • http://bugs.gentoo.org/show_bug.cgi?id=222643 • CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •