Mandrake security alert: Updated openssl packages fix multiple vulnerabilities

Posted by dave on Mar 17, 2004 8:58 AM EDT
Mailing list		Mail this story
Print this story

A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           openssl
 Advisory ID:            MDKSA-2004:023
 Date:                   March 17th, 2004

 Affected versions:	 9.0, 9.1, 9.2, Corporate Server 2.1,
			 Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A vulnerability was discovered by the OpenSSL group using the
 Codenomicon TLS Test Tool.  The test uncovered a null-pointer
 assignment in the do_change_cipher_spec() function whih could be
 abused by a remote attacker crafting a special SSL/TLS handshake
 against a server that used the OpenSSL library in such a way as to
 cause OpenSSL to crash.  Depending on the application in question,
 this could lead to a Denial of Service (DoS).  This vulnerability
 affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c).
 CVE has assigned CAN-2004-0079 to this issue.
 
 Another vulnerability was discovered by Stephen Henson in OpenSSL
 versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking
 code when using Kerberos ciphersuites.  A remote attacker could
 perform a carefully crafted SSL/TLS handshake against a server
 configured to use Kerberos ciphersuites in such a way as to cause
 OpenSSL to crash.  CVE has assigned CAN-2004-0112 to this issue.
 
 Mandrakesoft urges users to upgrade to the packages provided that have
 been patched to protect against these problems.  We would also like to
 thank NISCC for their assistance in coordinating the disclosure of
 these problems.
 
 Please note that you will need to restart any SSL-enabled services for
 the patch to be effective, including (but not limited to) Apache, 
 OpenLDAP, etc.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
 ______________________________________________________________________

 Updated Packages:
  
 Corporate Server 2.1:
 aa5e93c4668cd1f4ef8091c260e6c274  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.i586.rpm
 d1923437255ae0b50c5e1e8d40e3c0ee  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.i586.rpm
 5e3ffcaa0291845b69c555f0961e610a  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.i586.rpm
 ceefc8ac27966d4f7311f2fcff37b6c8  corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.i586.rpm
 9c85e7f857a7ebcf707ac6e65d32ceb1  corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 d1f2609c2fd600a73504a92c6b96ad0b  x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.x86_64.rpm
 dec9c21de8362901562041c8a960a249  x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
 951e43064657332318113f20c77cadf1  x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
 47a86a2f8219baa9504f01e1cf6de640  x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.x86_64.rpm
 9c85e7f857a7ebcf707ac6e65d32ceb1  x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

 Mandrakelinux 9.0:
 f240a851cd1e2350485c01937c03954a  9.0/RPMS/libopenssl0-0.9.6i-1.7.90mdk.i586.rpm
 44163de2b87935272550f1ee76df3bea  9.0/RPMS/libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm
 8692dc3bc8235e0ee0279c197fd7f2ee  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm
 fb67c8105ee757e0be521758cef6c3ad  9.0/RPMS/openssl-0.9.6i-1.7.90mdk.i586.rpm
 2c5edca752c1bded660e811e4a14924c  9.0/SRPMS/openssl-0.9.6i-1.7.90mdk.src.rpm

 Mandrakelinux 9.1:
 675ca1ba5d7fbf2246a47ddb2c3b9b51  9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.i586.rpm
 4f916449cf69b4246b6d31313082b836  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm
 e96d97d6abc80a2b876fa412a94513ee  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm
 6f51829b630e60f1296571f06fdf31ad  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm
 cf731928a2a17b67ecc3a1592300842d  9.1/RPMS/openssl-0.9.7a-1.3.91mdk.i586.rpm
 7034cb0be4e172d30fe2d68a6bec27b3  9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
 fafa5780fe61503df1a92215e6dfdb24  9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

 Mandrakelinux 9.1/PPC:
 6a083899b5c52877e9bed2e21b030918  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.ppc.rpm
 0e3eee09e1f2ceb59422f4ff0ce4a073  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.ppc.rpm
 71a44d67de3c656025f9d9df93e690df  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.ppc.rpm
 bfba9442501c5c618f1f3953728de8fe  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.ppc.rpm
 fd0cae85733542b6e5edc422c6e85272  ppc/9.1/RPMS/openssl-0.9.7a-1.3.91mdk.ppc.rpm
 7034cb0be4e172d30fe2d68a6bec27b3  ppc/9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
 fafa5780fe61503df1a92215e6dfdb24  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

 Mandrakelinux 9.2:
 ca7d2493b21406d07d8c4c95e8768c47  9.2/RPMS/libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm
 b0f4e7317a0ffa549394590bb3814216  9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm
 cf3c227a00a1f738915768a860fabf24  9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm
 34b175885ae59b3a089b11a02039d88a  9.2/RPMS/openssl-0.9.7b-4.2.92mdk.i586.rpm
 006292d74c144ace0a288ab444493788  9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 34246401bd6d2b211ea366d0673b2ce6  amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-4.2.92mdk.amd64.rpm
 87b4e7fbeaf3640f94d67e1bd6bfc593  amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk.amd64.rpm
 a3c9c929398a68ce06cce5fd537f4387  amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk.amd64.rpm
 85155f93b8c769759b901b44f71974dd  amd64/9.2/RPMS/openssl-0.9.7b-4.2.92mdk.amd64.rpm
 006292d74c144ace0a288ab444493788  amd64/9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

 Multi Network Firewall 8.2:
 99eb1a2e1e97c207d39f5882c4acafe5  mnf8.2/RPMS/libopenssl0-0.9.6i-1.6.M82mdk.i586.rpm
 e9564e5b55b8fdf4b8e8af1b1c0c56a2  mnf8.2/RPMS/openssl-0.9.6i-1.6.M82mdk.i586.rpm
 1ae8ea6a7254b5abe1cbc0a6bca66997  mnf8.2/SRPMS/openssl-0.9.6i-1.6.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAWIYPmqjQ0CJFipgRAshnAKC8/HKUJDKL1mhLx5DJepT50T0IOgCbBYwN
dn42d2BQxORniYtj+9q99NY=
=6dKA
-----END PGP SIGNATURE-----

[PARSEASHTML]

  Nav
» Read more about: Story Type: Security; Groups: Mandriva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.