[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] [ MDKSA-2006:172 ] - Updated openssl packages fix
From: security () mandriva ! com
Date: 2006-09-28 21:14:01
Message-ID: E1GT3Ck-0001Vw-1Z () mercury ! mandriva ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:172
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 28, 2006
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
When the test suite was run against OpenSSL two denial of service
vulnerabilities were discovered.
During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)
Certain types of public key can take disproportionate amounts of time
to process. This could be used by an attacker in a denial of service
attack. (CVE-2006-2940)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a
list of ciphers that would overrun a buffer. (CVE-2006-3738)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. (CVE-2006-4343)
Updated packages are patched to address these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
17e2d82c3f6c0afbf48eccbfbcc17b55 2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm
8c3f89e1900f069d4a4ad3162a9f7d78 \
2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm \
3a68c653ba0339ba99162459385c72e2 \
2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm \
8291bde3bd9aa95533aabc07280203b8 2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm \
52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
b2ce6e6bb7e3114663d3a074d0cc7da5 \
2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm \
f7c8dbc2eda0c90547d43661454d1068 \
2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm \
7c9ebd9f9179f4e93627dcf0f3442335 \
2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm \
17e2d82c3f6c0afbf48eccbfbcc17b55 2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm \
8c3f89e1900f069d4a4ad3162a9f7d78 \
2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm \
3a68c653ba0339ba99162459385c72e2 \
2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm \
6ce5832a59b8b67425cb7026ea9dc876 2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm \
52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm
Mandriva Linux 2007.0:
1bfeff47c8d2f6c020c459881be68207 2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm
1e1a4db54ddfaedb08a6d847422099ff \
2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm \
59c80405f33b2e61ffd3cef025635e21 \
2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm \
3a6657970a2e7661bd869d221a69c8da 2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm \
aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Mandriva Linux 2007.0/X86_64:
af679c647d97214244a8423dc1a766b7 \
2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm \
d7b1ed07df4115b3bcc3907e00d25a89 \
2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm \
5bd3ece2c0ec7a3201c29fa84e25a75a \
2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm \
9b028020dba009eddbf06eeb8607b87f 2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm \
aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm
Corporate 3.0:
c99ea58f6f4959a4c36398cc6b2b4ee2 \
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm 98a925c5ba2ecc9d704b1e730035755e \
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm \
151493a50693e3b9cc67bfafadb9ce42 \
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm \
82b4709bdbb9128746887013a724356a corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm \
a5bdbe6afa52005a734dc18aa951677d corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 3.0/X86_64:
01a922d80d6fc9d1b36dde15ee27747e \
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm \
30268f0b70862d1f5998694ac8b4addc \
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm \
e0388ff1efa34ea55d033e95b4e9bb63 \
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm \
c99ea58f6f4959a4c36398cc6b2b4ee2 \
corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm \
83759622f0cc8ea9c0f6d32671283354 corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm \
a5bdbe6afa52005a734dc18aa951677d corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm
Corporate 4.0:
6d71d2358738be9967b2dfe19d3642f1 \
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm \
22890554d3096ce596eeec7393ee3fcf \
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
679fe740859fa35b2bb77b19c4a0e787 \
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
d8477333b67ec3a36ba46c50e6183993 corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm \
b65dbbd9fb3d74d302478640476a2cd2 corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
746e5e916d1e05379373138a5db20923 \
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
a2b1d750075a32fe8badbdf1f7febafe \
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
47c464cf890a004f772c1db3e839fa12 \
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
6d71d2358738be9967b2dfe19d3642f1 \
corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm \
22890554d3096ce596eeec7393ee3fcf \
corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
679fe740859fa35b2bb77b19c4a0e787 \
corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm \
1030a6124a9fa4fd5a41bdff077301bf corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm \
b65dbbd9fb3d74d302478640476a2cd2 corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
19055eda58e1f75814e594ce7709a710 mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm
abfe548617969f619aec5b0e807f1f67 \
mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm 92e7515c9125367a79fdb490f5b39cd4 \
mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm \
847eecb1d07e4cab3d1de1452103c3a0 mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm \
b6b67fa82d7119cde7ab7816aed17059 mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm \
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFFHA4hmqjQ0CJFipgRApknAJ9Ybd8xjfkR+RL1fWEI2Fgn/KIuqACeOH/0
wB09L3fylyiHgrXvSV6VL7A=
=/+dm
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic