MDVSA-2009:271

Package name

libnasl

Date

2009-10-12

Advisory ID

MDVSA-2009:271

Affected versions

CS4.0 x86_64 , CS4.0 i586

Problem description

A vulnerability has been found and corrected in libnasl:

nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library
(aka libnasl) 2.2.11 does not properly check the return value from
the OpenSSL DSA_do_verify function, which allows remote attackers to
bypass validation of the certificate chain via a malformed SSL/TLS
signature, a similar vulnerability to CVE-2008-5077 (CVE-2009-0125).

This update fixes this vulnerability.

Updated packages

CS4.0 x86_64

 11e767b9e52c2971e416d3c1207cc602  corporate/4.0/x86_64/lib64nasl2-2.2.4-1.1.20060mlcs4.x86_64.rpm
 105602aac8d6f82ea356916778f64c7c  corporate/4.0/x86_64/lib64nasl2-devel-2.2.4-1.1.20060mlcs4.x86_64.rpm 
 727b1ff5b789fcce219553b95e1870a0  corporate/4.0/SRPMS/libnasl-2.2.4-1.1.20060mlcs4.src.rpm

CS4.0 i586

 5d0a75952ac9fa3c8fcf62a00bd072c1  corporate/4.0/i586/libnasl2-2.2.4-1.1.20060mlcs4.i586.rpm
 49a5d1e0e484d36e5fdd31cfeff734b0  corporate/4.0/i586/libnasl2-devel-2.2.4-1.1.20060mlcs4.i586.rpm 
 727b1ff5b789fcce219553b95e1870a0  corporate/4.0/SRPMS/libnasl-2.2.4-1.1.20060mlcs4.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0125