'[ MDKSA-2006:172 ] - Updated openssl packages fix vulnerabilities'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [ MDKSA-2006:172 ] - Updated openssl packages fix vulnerabilities
From:       security () mandriva ! com
Date:       2006-09-28 21:14:01
Message-ID: E1GT3Cj-0001Vs-OJ () mercury ! mandriva ! com
[Download RAW message or body]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:172
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openssl
 Date    : September 28, 2006
 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Dr S N Henson of the OpenSSL core team and Open Network Security
 recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
 When the test suite was run against OpenSSL two denial of service
 vulnerabilities were discovered.

 During the parsing of certain invalid ASN1 structures an error
 condition is mishandled. This can result in an infinite loop which
 consumes system memory. (CVE-2006-2937)

 Certain types of public key can take disproportionate amounts of time
 to process. This could be used by an attacker in a denial of service
 attack. (CVE-2006-2940)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 buffer overflow in the SSL_get_shared_ciphers utility function, used by
 some applications such as exim and mysql.  An attacker could send a
 list of ciphers that would overrun a buffer. (CVE-2006-3738)

 Tavis Ormandy and Will Drewry of the Google Security Team discovered a
 possible DoS in the sslv2 client code.  Where a client application uses
 OpenSSL to make a SSLv2 connection to a malicious server that server
 could cause the client to crash. (CVE-2006-4343)

 Updated packages are patched to address these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 17e2d82c3f6c0afbf48eccbfbcc17b55  \
2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm  \
8c3f89e1900f069d4a4ad3162a9f7d78  \
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm  \
3a68c653ba0339ba99162459385c72e2  \
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm  \
8291bde3bd9aa95533aabc07280203b8  2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm   \
52b3fbfc1389bcd73e406d6ff741e9dc  2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 b2ce6e6bb7e3114663d3a074d0cc7da5  \
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm  \
f7c8dbc2eda0c90547d43661454d1068  \
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm  \
7c9ebd9f9179f4e93627dcf0f3442335  \
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm  \
17e2d82c3f6c0afbf48eccbfbcc17b55  \
2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm  \
8c3f89e1900f069d4a4ad3162a9f7d78  \
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm  \
3a68c653ba0339ba99162459385c72e2  \
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm  \
6ce5832a59b8b67425cb7026ea9dc876  \
2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm   \
52b3fbfc1389bcd73e406d6ff741e9dc  2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm

 Mandriva Linux 2007.0:
 1bfeff47c8d2f6c020c459881be68207  \
2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm  \
1e1a4db54ddfaedb08a6d847422099ff  \
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm  \
59c80405f33b2e61ffd3cef025635e21  \
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm  \
3a6657970a2e7661bd869d221a69c8da  2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm   \
aad29e57ddceb66105af5d6434de9a62  2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 af679c647d97214244a8423dc1a766b7  \
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm  \
d7b1ed07df4115b3bcc3907e00d25a89  \
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm  \
5bd3ece2c0ec7a3201c29fa84e25a75a  \
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm  \
9b028020dba009eddbf06eeb8607b87f  \
2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm   \
aad29e57ddceb66105af5d6434de9a62  2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm

 Corporate 3.0:
 c99ea58f6f4959a4c36398cc6b2b4ee2  \
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm  \
98a925c5ba2ecc9d704b1e730035755e  \
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm  \
151493a50693e3b9cc67bfafadb9ce42  \
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm  \
82b4709bdbb9128746887013a724356a  \
corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm   \
a5bdbe6afa52005a734dc18aa951677d  \
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 01a922d80d6fc9d1b36dde15ee27747e  \
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm  \
30268f0b70862d1f5998694ac8b4addc  \
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm  \
e0388ff1efa34ea55d033e95b4e9bb63  \
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm  \
c99ea58f6f4959a4c36398cc6b2b4ee2  \
corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm  \
83759622f0cc8ea9c0f6d32671283354  \
corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm   \
a5bdbe6afa52005a734dc18aa951677d  \
corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm

 Corporate 4.0:
 6d71d2358738be9967b2dfe19d3642f1  \
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm  \
22890554d3096ce596eeec7393ee3fcf  \
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm  \
679fe740859fa35b2bb77b19c4a0e787  \
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm  \
d8477333b67ec3a36ba46c50e6183993  \
corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm   \
b65dbbd9fb3d74d302478640476a2cd2  \
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 746e5e916d1e05379373138a5db20923  \
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm  \
a2b1d750075a32fe8badbdf1f7febafe  \
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm  \
47c464cf890a004f772c1db3e839fa12  \
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm  \
6d71d2358738be9967b2dfe19d3642f1  \
corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm  \
22890554d3096ce596eeec7393ee3fcf  \
corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm  \
679fe740859fa35b2bb77b19c4a0e787  \
corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm  \
1030a6124a9fa4fd5a41bdff077301bf  \
corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm   \
b65dbbd9fb3d74d302478640476a2cd2  \
corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 19055eda58e1f75814e594ce7709a710  \
mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm  \
abfe548617969f619aec5b0e807f1f67  \
mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm  \
92e7515c9125367a79fdb490f5b39cd4  \
mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm  \
847eecb1d07e4cab3d1de1452103c3a0  mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm   \
b6b67fa82d7119cde7ab7816aed17059  mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm  \
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFHA4hmqjQ0CJFipgRApknAJ9Ybd8xjfkR+RL1fWEI2Fgn/KIuqACeOH/0
wB09L3fylyiHgrXvSV6VL7A=
=/+dm
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic