[
Lists Home |
Date Index |
Thread Index
]
Given how the OpenSSL hackers have fared with ASN.1, letting web
service hackers muck about with ASN.1 seems like a poor idea.
Definitely an issue that must be addressed by those advocating use
of ASN.1 as a binary encoding of the XML Infoset.
Tyler
---------- Forwarded Message ----------
Subject: [e-lang] Protocol implementation errors
Date: Thu, 2 Oct 2003 14:50:21 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
Cc: e-lang@mail.eros-os.org
From:
> -- Security Alert Consensus --
> Number 039 (03.39)
> Thursday, October 2, 2003
> Network Computing and the SANS Institute
> Powered by Neohapsis
>
>*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
>
>OpenSSL versions 0.9.6j and 0.9.7b (as well as prior) contain multiple
>bugs in the parsing of ASN.1 data, leading to denials of services. The
>execution of arbitrary code is not yet confirmed, but it has not been
>ruled out.
This is the second significant problem I have seen in applications that use
ASN.1 data formats. (The first was in a widely deployed implementation of
SNMP.) Given that good, security conscience programmers have difficultly
getting ASN.1 parsing right, we should favor protocols that use easier to
parse data formats.
I think this leaves us with SSH. Are there others?
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | "There's nothing so clear as | Periwinkle
(408)356-8506 | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
-------------------------------------------------------
--
The union of REST and capability-based security:
http://www.waterken.com/dev/Web/
|
