[ MDKSA-2006:172 ] - Updated openssl packages fix vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:172
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 28, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
When the test suite was run against OpenSSL two denial of service
vulnerabilities were discovered.
During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)
Certain types of public key can take disproportionate amounts of time
to process. This could be used by an attacker in a denial of service
attack. (CVE-2006-2940)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a
list of ciphers that would overrun a buffer. (CVE-2006-3738)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. (CVE-2006-4343)
Updated packages are patched to address these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
17e2d82c3f6c0afbf48eccbfbcc17b55
2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm
8c3f89e1900f069d4a4ad3162a9f7d78
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm
3a68c653ba0339ba99162459385c72e2
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm
8291bde3bd9aa95533aabc07280203b8
2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm
52b3fbfc1389bcd73e406d6ff741e9dc
2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
b2ce6e6bb7e3114663d3a074d0cc7da5
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm
f7c8dbc2eda0c90547d43661454d1068
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm
7c9ebd9f9179f4e93627dcf0f3442335
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm
17e2d82c3f6c0afbf48eccbfbcc17b55
2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm
8c3f89e1900f069d4a4ad3162a9f7d78
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm
3a68c653ba0339ba99162459385c72e2
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm
6ce5832a59b8b67425cb7026ea9dc876
2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm
52b3fbfc1389bcd73e406d6ff741e9dc
2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2007.0:
1bfeff47c8d2f6c020c459881be68207
2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm
1e1a4db54ddfaedb08a6d847422099ff
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm
59c80405f33b2e61ffd3cef025635e21
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm
3a6657970a2e7661bd869d221a69c8da
2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm
aad29e57ddceb66105af5d6434de9a62
2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
af679c647d97214244a8423dc1a766b7
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm
d7b1ed07df4115b3bcc3907e00d25a89
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm
5bd3ece2c0ec7a3201c29fa84e25a75a
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm
9b028020dba009eddbf06eeb8607b87f
2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm
aad29e57ddceb66105af5d6434de9a62
2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Corporate 3.0:
c99ea58f6f4959a4c36398cc6b2b4ee2
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm
98a925c5ba2ecc9d704b1e730035755e
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm
151493a50693e3b9cc67bfafadb9ce42
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm
82b4709bdbb9128746887013a724356a
corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm
a5bdbe6afa52005a734dc18aa951677d
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 3.0/X86_64:
01a922d80d6fc9d1b36dde15ee27747e
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm
30268f0b70862d1f5998694ac8b4addc
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm
e0388ff1efa34ea55d033e95b4e9bb63
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm
c99ea58f6f4959a4c36398cc6b2b4ee2
corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm
83759622f0cc8ea9c0f6d32671283354
corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm
a5bdbe6afa52005a734dc18aa951677d
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 4.0:
6d71d2358738be9967b2dfe19d3642f1
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm
22890554d3096ce596eeec7393ee3fcf
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
679fe740859fa35b2bb77b19c4a0e787
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
d8477333b67ec3a36ba46c50e6183993
corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm
b65dbbd9fb3d74d302478640476a2cd2
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
746e5e916d1e05379373138a5db20923
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm
a2b1d750075a32fe8badbdf1f7febafe
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm
47c464cf890a004f772c1db3e839fa12
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm
6d71d2358738be9967b2dfe19d3642f1
corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm
22890554d3096ce596eeec7393ee3fcf
corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
679fe740859fa35b2bb77b19c4a0e787
corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm
1030a6124a9fa4fd5a41bdff077301bf
corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm
b65dbbd9fb3d74d302478640476a2cd2
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
19055eda58e1f75814e594ce7709a710
mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm
abfe548617969f619aec5b0e807f1f67
mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm
92e7515c9125367a79fdb490f5b39cd4
mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm
847eecb1d07e4cab3d1de1452103c3a0
mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm
b6b67fa82d7119cde7ab7816aed17059
mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFFHA4hmqjQ0CJFipgRApknAJ9Ybd8xjfkR+RL1fWEI2Fgn/KIuqACeOH/0
wB09L3fylyiHgrXvSV6VL7A=
=/+dm
-----END PGP SIGNATURE-----