
[ MDKSA-2006:172-1 ] - Updated openssl packages fix vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                       MDKSA-2006:172-1
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openssl
 Date    : October 2, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Dr S N Henson of the OpenSSL core team and Open Network Security
 recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
 When the test suite was run against OpenSSL, two denial of service
 vulnerabilities were discovered.

 During the parsing of certain invalid ASN1 structures, an error
 condition is mishandled. This can result in an infinite loop which
 consumes system memory. (CVE-2006-2937)

 Certain types of public key can take disproportionate amounts of time
 to process. This could be used by an attacker in a denial of service
 attack. (CVE-2006-2940)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 buffer overflow in the SSL_get_shared_ciphers utility function, used by
 some applications such as exim and mysql.  An attacker could send a
 list of ciphers that would overrun a buffer. (CVE-2006-3738)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 possible DoS in the SSLv2 client code.  Where a client application uses
 OpenSSL to make an SSLv2 connection to a malicious server, that server
 could cause the client to crash. (CVE-2006-4343)

 Updated packages are patched to address these issues.

 Update:

 There was an error in the original published patches for CVE-2006-2940.
 New packages have corrected this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 5e48a8d9a6a03a045b6d0d2b6903dc5b  
2006.0/i586/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 526fcd69e1a1768c82afd573dc16982f  
2006.0/i586/openssl-0.9.7g-2.5.20060mdk.i586.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  
2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 54ed69fc4976d3c0953eeebd3c10471a  
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.5.20060mdk.x86_64.rpm
 632fbe5eaff684ec2f27da4bbe93c4f6  
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 04dbe52bda3051101db73fabe687bd7e  
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 5e48a8d9a6a03a045b6d0d2b6903dc5b  
2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 ca169246cc85db55839b265b90e8c842  
2006.0/x86_64/openssl-0.9.7g-2.5.20060mdk.x86_64.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  
2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 db68f8f239604fb76a0a10c70104ef61  
2007.0/i586/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 a97c6033a33fabcd5509568304b7a988  
2007.0/i586/openssl-0.9.8b-2.2mdv2007.0.i586.rpm 
 78964615b7bd71028671257640be3bc5  
2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 1895971ef1221056075c4ee3d4aaac72  
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.2mdv2007.0.x86_64.rpm
 cfd59201e5e9c436f42b969b4aa567f1  
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 36da85c76eddf95feeb3f4b792528483  
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 db68f8f239604fb76a0a10c70104ef61  
2007.0/x86_64/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  
2007.0/x86_64/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  
2007.0/x86_64/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 e3aebeae455a0820c5f28483bd6d3fa5  
2007.0/x86_64/openssl-0.9.8b-2.2mdv2007.0.x86_64.rpm 
 78964615b7bd71028671257640be3bc5  
2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

 Corporate 3.0:
 7f60837e42b45ce50f365ec1372d6aeb  
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.7.C30mdk.i586.rpm
 1e7834f6f0fe000f8f00ff49ee6f7ea0  
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.7.C30mdk.i586.rpm
 6c86220445ef34c2dadadc3e00701885  
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.7.C30mdk.i586.rpm
 c25c4042a91b6e7bf9aae1aa2fea32a5  
corporate/3.0/i586/openssl-0.9.7c-3.7.C30mdk.i586.rpm 
 2c47b1604aa89033799b1ead4bcebe01  
corporate/3.0/SRPMS/openssl-0.9.7c-3.7.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 52dfd4d10e00c9bd0944e4486190de93  
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.7.C30mdk.x86_64.rpm
 258a19afc44dadfaa00d0ebd8b3c0df4  
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.7.C30mdk.x86_64.rpm
 cd5cc151e476552be549c6a37b8a71ea  
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.7.C30mdk.x86_64.rpm
 7f60837e42b45ce50f365ec1372d6aeb  
corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.7.C30mdk.i586.rpm
 492fcc0df9172557a3297d0082321d4d  
corporate/3.0/x86_64/openssl-0.9.7c-3.7.C30mdk.x86_64.rpm 
 2c47b1604aa89033799b1ead4bcebe01  
corporate/3.0/SRPMS/openssl-0.9.7c-3.7.C30mdk.src.rpm

 Corporate 4.0:
 76b3078e53be2ddc019bee74ccb1f39e  
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.5.20060mlcs4.i586.rpm
 0aa4ca3b0d2925255650fb90132d7aad  
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 86dc91f1701293f3319a833746bbe421  
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 daa6c3473f59405778dedd02de73fcc9  
corporate/4.0/i586/openssl-0.9.7g-2.5.20060mlcs4.i586.rpm 
 a8d2a946d266a94c6d46537ad78b18fa  
corporate/4.0/SRPMS/openssl-0.9.7g-2.5.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b5ae71aacd5b99be9e9327d58da29230  
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 89296e03778a198940c1c413e44b9f45  
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 cb17a0d801c1181ab380472b8ffb085e  
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 76b3078e53be2ddc019bee74ccb1f39e  
corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.5.20060mlcs4.i586.rpm
 0aa4ca3b0d2925255650fb90132d7aad  
corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 86dc91f1701293f3319a833746bbe421  
corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 8d9a55afdc6d930916bac00fd4c4739b  
corporate/4.0/x86_64/openssl-0.9.7g-2.5.20060mlcs4.x86_64.rpm 
 a8d2a946d266a94c6d46537ad78b18fa  
corporate/4.0/SRPMS/openssl-0.9.7g-2.5.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 cd7ad7e95ce17995dfa8129ebe517049  
mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.7.M20mdk.i586.rpm
 11771240baebdc6687af70a8a0f2ffd2  
mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.7.M20mdk.i586.rpm
 8f672bc81b9528598a8560d876612bfa  
mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.7.M20mdk.i586.rpm
 214f857a36e5c3e600671b7291cd08ae  
mnf/2.0/i586/openssl-0.9.7c-3.7.M20mdk.i586.rpm 
 bbb299fd643ccbfbdc1a48b12c7005ce  
mnf/2.0/SRPMS/openssl-0.9.7c-3.7.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFIU7bmqjQ0CJFipgRAuYAAKCZlwMqJzrVCpKYdEqs+UiyM6WrSQCfeIv3
mAaLoEPfjUca1TR98vgpZUU=
=Ff9O
-----END PGP SIGNATURE-----