OpenSSL: ASN1 BIO Vulnerability (20120419) (Linux)

OpenSSL is prone to an exploitable vulnerability in the function asn1_d2i_read_bio.

Any application which uses BIO or FILE based functions to read untrusted DER format data is vulnerable. Affected functions are of the form d2i_*_bio or d2i_*_fp, for example d2i_X509_bio or d2i_PKCS12_fp. Applications using the memory based ASN1 functions (d2i_X509, d2i_PKCS12 etc) are not affected. In particular the SSL/TLS code of OpenSSL is *not* affected. Applications only using the PEM routines are not affected. S/MIME or CMS applications using the built in MIME parser SMIME_read_PKCS7 or SMIME_read_CMS *are* affected. The OpenSSL command line utility is also affected if used to process untrusted data in DER format. Note: although an application using the SSL/TLS portions of OpenSSL is not automatically affected it might still call a function such as d2i_X509_bio on untrusted data and be vulnerable.

OpenSSL 0.9.8 through 0.9.8u and 1.0.0 through 1.0.0g and 1.0.1.

Checks if a vulnerable version is present on the target host.

Update to version 0.9.8v, 1.0.0i, 1.0.1a or later.