MDKSA-2004:147 - Updated openssl packages fix temporary file vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MDKSA-2004:147 - Updated openssl packages fix temporary file vulnerability
From: Mandrake Linux Security Team <security@xxxxxxxxxxxxxxxxxx>
Date: 7 Dec 2004 02:49:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           openssl
 Advisory ID:            MDKSA-2004:147
 Date:                   December 6th, 2004

 Affected versions:      10.0, 10.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 The Trustix developers found that the der_chop script, included in the
 openssl package, created temporary files insecurely.  This could allow
 local users to overwrite files using a symlink attack.
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 c0d41b5423a09f01decc40e84fd005cb  
10.0/RPMS/libopenssl0.9.7-0.9.7c-3.1.100mdk.i586.rpm
 82b573c6825f9a3abdd8a23da2fe7c2c  
10.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.1.100mdk.i586.rpm
 7c4e0ddd161ae064928c3f3563a2dc4e  
10.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.1.100mdk.i586.rpm
 d4d97f7b45004bd8d69ef90bce972442  10.0/RPMS/openssl-0.9.7c-3.1.100mdk.i586.rpm
 f09ed46ce152ac3396ce5a4a4b2036d0  10.0/SRPMS/openssl-0.9.7c-3.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 d9d9037cf0170a9e6ef1702f3e786b8a  
amd64/10.0/RPMS/lib64openssl0.9.7-0.9.7c-3.1.100mdk.amd64.rpm
 cfa623fa40be35d5cc99053bafd625c1  
amd64/10.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.1.100mdk.amd64.rpm
 0098601eae49e65ee1fae0283bc4ffff  
amd64/10.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.1.100mdk.amd64.rpm
 06d845c07b46356cef699f94a67b9bc0  
amd64/10.0/RPMS/openssl-0.9.7c-3.1.100mdk.amd64.rpm
 f09ed46ce152ac3396ce5a4a4b2036d0  
amd64/10.0/SRPMS/openssl-0.9.7c-3.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 ae229d9586ea295545e577960ecfc9d5  
10.1/RPMS/libopenssl0.9.7-0.9.7d-1.1.101mdk.i586.rpm
 66d4393ab8ad6c72242fe03676d452bb  
10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.1.101mdk.i586.rpm
 003f9c7ba693314fe0cfd5c91f0d154b  
10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.1.101mdk.i586.rpm
 00e24e1fa79a339a5e1a92d9c2996082  10.1/RPMS/openssl-0.9.7d-1.1.101mdk.i586.rpm
 5c453b0349f604e2955a889f624982d6  10.1/SRPMS/openssl-0.9.7d-1.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 45a998be7caf5d54a7a8a106e2e6cf9a  
x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.1.101mdk.x86_64.rpm
 000606c0fde3660e4c623f1ddb319e47  
x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.1.101mdk.x86_64.rpm
 f75779760ee204bbfaab4173575964cd  
x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.1.101mdk.x86_64.rpm
 81457d174401f6033cb03a9404145278  
x86_64/10.1/RPMS/openssl-0.9.7d-1.1.101mdk.x86_64.rpm
 5c453b0349f604e2955a889f624982d6  
x86_64/10.1/SRPMS/openssl-0.9.7d-1.1.101mdk.src.rpm

 Corporate Server 2.1:
 63355bf82d2b54f08a970383c9c5192c  
corporate/2.1/RPMS/libopenssl0-0.9.6i-1.8.C21mdk.i586.rpm
 9d557d9105a7a2d1b1026543d6fedf2c  
corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.8.C21mdk.i586.rpm
 0929ca75a91cd5c4f553329aa7e818a8  
corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.8.C21mdk.i586.rpm
 2cd8e70cc5c66c4797392e4ea3a0348f  
corporate/2.1/RPMS/openssl-0.9.6i-1.8.C21mdk.i586.rpm
 337b3ad1c49fc5e91f2d72ea6a493868  
corporate/2.1/SRPMS/openssl-0.9.6i-1.8.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 1fb93ddabdccd9edd724e7d6818e7299  
x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.8.C21mdk.x86_64.rpm
 acfe2f603298bae71c4f35a928d9ba88  
x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.8.C21mdk.x86_64.rpm
 daf31defd9c4b27bf28581bd7ed7fd2c  
x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.8.C21mdk.x86_64.rpm
 cade4a4db47d263c6660591d1bf9d5a1  
x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.8.C21mdk.x86_64.rpm
 337b3ad1c49fc5e91f2d72ea6a493868  
x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.8.C21mdk.src.rpm

 Mandrakelinux 9.2:
 f014f2318e559b7cfc5fc5bd2a010b67  
9.2/RPMS/libopenssl0.9.7-0.9.7b-5.1.92mdk.i586.rpm
 db4c7a4d97015c04a03ed69fa8d9c941  
9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-5.1.92mdk.i586.rpm
 1368b0bf03dcebb17b6f1d5359411d8b  
9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-5.1.92mdk.i586.rpm
 369d6104e62dc23e23c2d9f05e0d03db  9.2/RPMS/openssl-0.9.7b-5.1.92mdk.i586.rpm
 9389817df3eb169e26536635c129e853  9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 a0f963c1ab90037dcdf57dba1337e48d  
amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-5.1.92mdk.amd64.rpm
 587ef4344175ab4532e0e569ea733df3  
amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-5.1.92mdk.amd64.rpm
 4638c1af2de29459e2c1fae27fd28659  
amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-5.1.92mdk.amd64.rpm
 18d875fb53f6b5c0adfc22fed5193645  
amd64/9.2/RPMS/openssl-0.9.7b-5.1.92mdk.amd64.rpm
 9389817df3eb169e26536635c129e853  
amd64/9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 eeaeae17ef647b22de71170105190f87  
mnf8.2/RPMS/libopenssl0-0.9.6i-1.7.M82mdk.i586.rpm
 b3ffacae8b78391fcc30267a3f252223  
mnf8.2/RPMS/openssl-0.9.6i-1.7.M82mdk.i586.rpm
 aa558b895ae77092ae29dec127a5a2a0  
mnf8.2/SRPMS/openssl-0.9.6i-1.7.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBtRpPmqjQ0CJFipgRAnLGAJ40aJv0gDgCf/7QiE5gDyAYQKJb3QCgoNqJ
MnN19RFVMvpGf4RIRSM1/f4=
=ZLB+
-----END PGP SIGNATURE-----

Prev by Date: IE6 Vulnerability - Local File Detection
Next by Date: [ GLSA 200412-04 ] Perl: Insecure temporary file creation
Previous by thread: Re: IE6 Vulnerability - Local File Detection
Next by thread: [ GLSA 200412-04 ] Perl: Insecure temporary file creation
Index(es):
- Date
- Thread