CVE-2008-5077: Input Validation

First published: Tue Dec 16 2008(Updated: )

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/openssl	<0:0.9.7a-43.17.el4_7.2	0:0.9.7a-43.17.el4_7.2
redhat/openssl096b	<0:0.9.6b-22.46.el4_7	0:0.9.6b-22.46.el4_7
redhat/openssl	<0:0.9.8b-10.el5_2.1	0:0.9.8b-10.el5_2.1
redhat/openssl097a	<0:0.9.7a-9.el5_2.1	0:0.9.7a-9.el5_2.1
OpenSSL OpenSSL	<=0.9.8h
OpenSSL OpenSSL	=0.9.1c
OpenSSL OpenSSL	=0.9.2b
OpenSSL OpenSSL	=0.9.3
OpenSSL OpenSSL	=0.9.3a
OpenSSL OpenSSL	=0.9.4
OpenSSL OpenSSL	=0.9.5
OpenSSL OpenSSL	=0.9.5-beta1
OpenSSL OpenSSL	=0.9.5-beta2
OpenSSL OpenSSL	=0.9.5a
OpenSSL OpenSSL	=0.9.5a-beta1
OpenSSL OpenSSL	=0.9.5a-beta2
OpenSSL OpenSSL	=0.9.6
OpenSSL OpenSSL	=0.9.6-beta1
OpenSSL OpenSSL	=0.9.6-beta2
OpenSSL OpenSSL	=0.9.6-beta3
OpenSSL OpenSSL	=0.9.6a
OpenSSL OpenSSL	=0.9.6a-beta1
OpenSSL OpenSSL	=0.9.6a-beta2
OpenSSL OpenSSL	=0.9.6a-beta3
OpenSSL OpenSSL	=0.9.6b
OpenSSL OpenSSL	=0.9.6c
OpenSSL OpenSSL	=0.9.6d
OpenSSL OpenSSL	=0.9.6e
OpenSSL OpenSSL	=0.9.6f
OpenSSL OpenSSL	=0.9.6g
OpenSSL OpenSSL	=0.9.6h
OpenSSL OpenSSL	=0.9.6i
OpenSSL OpenSSL	=0.9.6j
OpenSSL OpenSSL	=0.9.6k
OpenSSL OpenSSL	=0.9.6l
OpenSSL OpenSSL	=0.9.6m
OpenSSL OpenSSL	=0.9.7
OpenSSL OpenSSL	=0.9.7-beta1
OpenSSL OpenSSL	=0.9.7-beta2
OpenSSL OpenSSL	=0.9.7-beta3
OpenSSL OpenSSL	=0.9.7-beta4
OpenSSL OpenSSL	=0.9.7-beta5
OpenSSL OpenSSL	=0.9.7-beta6
OpenSSL OpenSSL	=0.9.7a
OpenSSL OpenSSL	=0.9.7b
OpenSSL OpenSSL	=0.9.7c
OpenSSL OpenSSL	=0.9.7d
OpenSSL OpenSSL	=0.9.7e
OpenSSL OpenSSL	=0.9.7f
OpenSSL OpenSSL	=0.9.7g
OpenSSL OpenSSL	=0.9.7h
OpenSSL OpenSSL	=0.9.7i
OpenSSL OpenSSL	=0.9.7j
OpenSSL OpenSSL	=0.9.7k
OpenSSL OpenSSL	=0.9.7l
OpenSSL OpenSSL	=0.9.8
OpenSSL OpenSSL	=0.9.8a
OpenSSL OpenSSL	=0.9.8b
OpenSSL OpenSSL	=0.9.8c
OpenSSL OpenSSL	=0.9.8d
OpenSSL OpenSSL	=0.9.8e
OpenSSL OpenSSL	=0.9.8f
OpenSSL OpenSSL	=0.9.8g

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2009:0004

collector/nvd-index
collector/nvd-historical
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2008-5077
agent/references
agent/author
agent/weakness
agent/severity
agent/description
collector/redhat-cve
agent/software-canonical-lookup
agent/event
agent/tags
collector/mitre-cve
source/MITRE
vendor/openssl
canonical/openssl openssl
version/openssl openssl/0.9.8h
version/openssl openssl/0.9.1c
version/openssl openssl/0.9.2b
version/openssl openssl/0.9.3
version/openssl openssl/0.9.3a
version/openssl openssl/0.9.4
version/openssl openssl/0.9.5
version/openssl openssl/0.9.5-beta1
version/openssl openssl/0.9.5-beta2
version/openssl openssl/0.9.5a
version/openssl openssl/0.9.5a-beta1
version/openssl openssl/0.9.5a-beta2
version/openssl openssl/0.9.6
version/openssl openssl/0.9.6-beta1
version/openssl openssl/0.9.6-beta2
version/openssl openssl/0.9.6-beta3
version/openssl openssl/0.9.6a
version/openssl openssl/0.9.6a-beta1
version/openssl openssl/0.9.6a-beta2
version/openssl openssl/0.9.6a-beta3
version/openssl openssl/0.9.6b
version/openssl openssl/0.9.6c
version/openssl openssl/0.9.6d
version/openssl openssl/0.9.6e
version/openssl openssl/0.9.6f
version/openssl openssl/0.9.6g
version/openssl openssl/0.9.6h
version/openssl openssl/0.9.6i
version/openssl openssl/0.9.6j
version/openssl openssl/0.9.6k
version/openssl openssl/0.9.6l
version/openssl openssl/0.9.6m
version/openssl openssl/0.9.7
version/openssl openssl/0.9.7-beta1
version/openssl openssl/0.9.7-beta2
version/openssl openssl/0.9.7-beta3
version/openssl openssl/0.9.7-beta4
version/openssl openssl/0.9.7-beta5
version/openssl openssl/0.9.7-beta6
version/openssl openssl/0.9.7a
version/openssl openssl/0.9.7b
version/openssl openssl/0.9.7c
version/openssl openssl/0.9.7d
version/openssl openssl/0.9.7e
version/openssl openssl/0.9.7f
version/openssl openssl/0.9.7g
version/openssl openssl/0.9.7h
version/openssl openssl/0.9.7i
version/openssl openssl/0.9.7j
version/openssl openssl/0.9.7k
version/openssl openssl/0.9.7l
version/openssl openssl/0.9.8
version/openssl openssl/0.9.8a
version/openssl openssl/0.9.8b
version/openssl openssl/0.9.8c
version/openssl openssl/0.9.8d
version/openssl openssl/0.9.8e
version/openssl openssl/0.9.8f
version/openssl openssl/0.9.8g
package-manager/redhat

CVE-2008-5077: Input Validation

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact