On September 30, 2003, new vulnerabilities in the
for SSL were announced. This is referred to as the "first" vulnerability in
On November 4, 2003, another vulnerability in the
for SSL, version 0.9.6, was announced. This is referred to as the "second"
vulnerability in this document.
An affected network device running an SSL server based on an affected
OpenSSL implementation may be vulnerable to a Denial of Service (DoS) attack
when presented with a malformed certificate by a client. The network device may
be affected by this vulnerability even if it is configured not to
authenticate certificates from the client. There are workarounds available to
mitigate the effects of these vulnerabilities.
This advisory will be posted at