MDKSA-2005:179 - Updated openssl packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2005:179
Date: October 11th, 2005
Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0,
Corporate Server 2.1,
Multi Network Firewall 2.0
______________________________________________________________________
Problem Description:
Yutaka Oiwa discovered vulnerability potentially affects applications
that use the SSL/TLS server implementation provided by OpenSSL.
Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in third-
party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
the SSL 2.0 server supposed to prevent active protocol-version rollback
attacks. With this verification step disabled, an attacker acting as
a "man in the middle" can force a client and a server to negotiate the
SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0.
The SSL 2.0 protocol is known to have severe cryptographic weaknesses
and is supported as a fallback only. (CAN-2005-2969)
The current default algorithm for creating "message digests"
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.
To address this issue, openssl has been changed to use SHA-1 by
default. This is a more appropriate default algorithm for the majority
of use cases. If you still want to use MD5 as default, you can revert
this change by changing the two instances of "default_md = sha1" to
"default_md = md5" in /usr/{lib,lib64}/ssl/openssl.cnf. (CAN-2005-2946)
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
______________________________________________________________________
Updated Packages:
Mandrivalinux 10.1:
2fa715275a4a918b15eb02e402b755bc
10.1/RPMS/libopenssl0.9.7-0.9.7d-1.3.101mdk.i586.rpm
1912f9be0eccc4b2903616ac2c0d5103
10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.3.101mdk.i586.rpm
4d51641d38b5e0e8c6be5fcc211ffa3b
10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.3.101mdk.i586.rpm
6e40220d7461ad8e711aa2ee5a772b1f 10.1/RPMS/openssl-0.9.7d-1.3.101mdk.i586.rpm
abb721aa2ccf15e555c4f84981366022 10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Mandrivalinux 10.1/X86_64:
5b820a306004c31fcac518aec78bfea3
x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.3.101mdk.x86_64.rpm
4b506c7086fd330fde0fe724a5bd865c
x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.3.101mdk.x86_64.rpm
9fb820e394e6da5db74a60d7062a6c23
x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.3.101mdk.x86_64.rpm
f113ec9a24627d354eaa37db78784d31
x86_64/10.1/RPMS/openssl-0.9.7d-1.3.101mdk.x86_64.rpm
abb721aa2ccf15e555c4f84981366022
x86_64/10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Mandrivalinux 10.2:
7448f1bd46305af8ca09c794828bc14d
10.2/RPMS/libopenssl0.9.7-0.9.7e-5.2.102mdk.i586.rpm
dd17f238c7c4eeb93f330794d28fef20
10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.2.102mdk.i586.rpm
4d6b82c86b3b7430273e9f7804b448f3
10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.2.102mdk.i586.rpm
ec6b0d749ed3f7c8b2ee48cea5c104f5 10.2/RPMS/openssl-0.9.7e-5.2.102mdk.i586.rpm
14554b0fff0abfe1da54b8f9c68c8a75 10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandrivalinux 10.2/X86_64:
a34fa268399bce8d59b185df255f1d19
x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.2.102mdk.x86_64.rpm
3f403f1c36d53bb35174c04badbea2d9
x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.2.102mdk.x86_64.rpm
68d2a4a298fd37719343c4ade853e22d
x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.2.102mdk.x86_64.rpm
8b53d1949aa30ca813f27c5dd3bb1062
x86_64/10.2/RPMS/openssl-0.9.7e-5.2.102mdk.x86_64.rpm
14554b0fff0abfe1da54b8f9c68c8a75
x86_64/10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandrivalinux 2006.0:
bc7f3ba61af3334757c65e1682eb0065
2006.0/RPMS/libopenssl0.9.7-0.9.7g-2.1.20060mdk.i586.rpm
a15b20362dd7437ff974642af0756d79
2006.0/RPMS/libopenssl0.9.7-devel-0.9.7g-2.1.20060mdk.i586.rpm
65bab77540badadc2152d7803d13c63f
2006.0/RPMS/libopenssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.i586.rpm
d06fa459cf871d890bf3a4ff22b85cd7
2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.i586.rpm
fc0ed1a9eab0dfdb3f35c3cdb46004e8
2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
Mandrivalinux 2006.0/X86_64:
3b54d300cf1b6889d764e36660d3542d
x86_64/2006.0/RPMS/lib64openssl0.9.7-0.9.7g-2.1.20060mdk.x86_64.rpm
aa8e520156a9d878ed43179dfcc5210f
x86_64/2006.0/RPMS/lib64openssl0.9.7-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
8bece33914331ad81e9e88dfef1b4319
x86_64/2006.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
4a654cfa16e31f450493e59de0cb372c
x86_64/2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.x86_64.rpm
fc0ed1a9eab0dfdb3f35c3cdb46004e8
x86_64/2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
Multi Network Firewall 2.0:
60451a13eb787c55a9463322b6bdb419
mnf/2.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.M20mdk.i586.rpm
3a5dae5ff129437461180df9a8dd5b0b
mnf/2.0/RPMS/openssl-0.9.7c-3.3.M20mdk.i586.rpm
c89dcc035040ed512ab2823b978b5205
mnf/2.0/SRPMS/openssl-0.9.7c-3.3.M20mdk.src.rpm
Corporate Server 2.1:
7ce23e8906c2001f93afdbdb544a5659
corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.i586.rpm
26e569e8dd0598bd5f55d1a954989e7b
corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.i586.rpm
c54a45b3cf589095382c1399f0435353
corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.i586.rpm
bc5ff8f4e044678c40b5bae08b263216
corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.i586.rpm
6fa6d2e82bffdf044663ccd40b14bba3
corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
4b85f119fb4908f785ee5e4cd6f81312
x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.x86_64.rpm
d366f2f72a511fbb4887de0d17303339
x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
b3a4d7295c802dc5a486022bffe8f8aa
x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
cd0e605ae88e746d8124f550ff26c723
x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.x86_64.rpm
6fa6d2e82bffdf044663ccd40b14bba3
x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate 3.0:
e77b2aeadf368cac390fda472f96f76d
corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.C30mdk.i586.rpm
e3e077097643c9247b0e866c0ea08c9d
corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.3.C30mdk.i586.rpm
eb61ee6a8464a43e951102fa5a9df4b0
corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.i586.rpm
fa6ce3b5dc685d567040061676d047ba
corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.i586.rpm
502e04472212778c866211c6179f4127
corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
bdc1b94ef64f4c0c02948d8ec08184b1
x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.3.C30mdk.x86_64.rpm
f2b65309719e499eb1a9d9f857c51921
x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
48e9d2cd78e4a44a4bd61542a47f2d5b
x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
3aef366b6921b180f304ae1a8c10ba78
x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.x86_64.rpm
502e04472212778c866211c6179f4127
x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDTKeomqjQ0CJFipgRAu3NAKDlk6fzLxUqtjUzDcV7IkgF/vKLdQCgwCki
DUI4033wSRXeFbCegR++iRo=
=7gQt
-----END PGP SIGNATURE-----