[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: [ MDKSA-2006:172 ] - Updated openssl packages fix vulnerabilities
From: security () mandriva ! com
Date: 2006-09-28 21:14:01
Message-ID: E1GT3Cj-0001Vs-OJ () mercury ! mandriva ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:172
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 28, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
When the test suite was run against OpenSSL two denial of service
vulnerabilities were discovered.
During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)
Certain types of public key can take disproportionate amounts of time
to process. This could be used by an attacker in a denial of service
attack. (CVE-2006-2940)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a
list of ciphers that would overrun a buffer. (CVE-2006-3738)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. (CVE-2006-4343)
Updated packages are patched to address these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
17e2d82c3f6c0afbf48eccbfbcc17b55 \
2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm \
8c3f89e1900f069d4a4ad3162a9f7d78 \
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm \
3a68c653ba0339ba99162459385c72e2 \
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm \
8291bde3bd9aa95533aabc07280203b8 2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm \
52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
b2ce6e6bb7e3114663d3a074d0cc7da5 \
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm \
f7c8dbc2eda0c90547d43661454d1068 \
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm \
7c9ebd9f9179f4e93627dcf0f3442335 \
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm \
17e2d82c3f6c0afbf48eccbfbcc17b55 \
2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm \
8c3f89e1900f069d4a4ad3162a9f7d78 \
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm \
3a68c653ba0339ba99162459385c72e2 \
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm \
6ce5832a59b8b67425cb7026ea9dc876 \
2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm \
52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2007.0:
1bfeff47c8d2f6c020c459881be68207 \
2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm \
1e1a4db54ddfaedb08a6d847422099ff \
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm \
59c80405f33b2e61ffd3cef025635e21 \
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm \
3a6657970a2e7661bd869d221a69c8da 2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm \
aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
af679c647d97214244a8423dc1a766b7 \
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm \
d7b1ed07df4115b3bcc3907e00d25a89 \
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm \
5bd3ece2c0ec7a3201c29fa84e25a75a \
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm \
9b028020dba009eddbf06eeb8607b87f \
2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm \
aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Corporate 3.0:
c99ea58f6f4959a4c36398cc6b2b4ee2 \
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm \
98a925c5ba2ecc9d704b1e730035755e \
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm \
151493a50693e3b9cc67bfafadb9ce42 \
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm \
82b4709bdbb9128746887013a724356a \
corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm \
a5bdbe6afa52005a734dc18aa951677d \
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 3.0/X86_64:
01a922d80d6fc9d1b36dde15ee27747e \
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm \
30268f0b70862d1f5998694ac8b4addc \
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm \
e0388ff1efa34ea55d033e95b4e9bb63 \
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm \
c99ea58f6f4959a4c36398cc6b2b4ee2 \
corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm \
83759622f0cc8ea9c0f6d32671283354 \
corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm \
a5bdbe6afa52005a734dc18aa951677d \
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 4.0:
6d71d2358738be9967b2dfe19d3642f1 \
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm \
22890554d3096ce596eeec7393ee3fcf \
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
679fe740859fa35b2bb77b19c4a0e787 \
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
d8477333b67ec3a36ba46c50e6183993 \
corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm \
b65dbbd9fb3d74d302478640476a2cd2 \
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
746e5e916d1e05379373138a5db20923 \
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
a2b1d750075a32fe8badbdf1f7febafe \
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
47c464cf890a004f772c1db3e839fa12 \
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
6d71d2358738be9967b2dfe19d3642f1 \
corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm \
22890554d3096ce596eeec7393ee3fcf \
corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
679fe740859fa35b2bb77b19c4a0e787 \
corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
1030a6124a9fa4fd5a41bdff077301bf \
corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
b65dbbd9fb3d74d302478640476a2cd2 \
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
19055eda58e1f75814e594ce7709a710 \
mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm \
abfe548617969f619aec5b0e807f1f67 \
mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm \
92e7515c9125367a79fdb490f5b39cd4 \
mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm \
847eecb1d07e4cab3d1de1452103c3a0 mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm \
b6b67fa82d7119cde7ab7816aed17059 mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm \
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFFHA4hmqjQ0CJFipgRApknAJ9Ybd8xjfkR+RL1fWEI2Fgn/KIuqACeOH/0
wB09L3fylyiHgrXvSV6VL7A=
=/+dm
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic