Mandrake security alert: Updated openssl packages fix multiple vulnerabilities

Posted by dave on Mar 17, 2004 8:58 AM EDT
Mailing list
Mail this story
Print this story

A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory _______________________________________________________________________

Package name: openssl Advisory ID: MDKSA-2004:023 Date: March 17th, 2004

Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2 ______________________________________________________________________

Problem Description:

A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a null-pointer assignment in the do_change_cipher_spec() function whih could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CAN-2004-0079 to this issue. Another vulnerability was discovered by Stephen Henson in OpenSSL versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. CVE has assigned CAN-2004-0112 to this issue. Mandrakesoft urges users to upgrade to the packages provided that have been patched to protect against these problems. We would also like to thank NISCC for their assistance in coordinating the disclosure of these problems. Please note that you will need to restart any SSL-enabled services for the patch to be effective, including (but not limited to) Apache, OpenLDAP, etc. _______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 ______________________________________________________________________

Updated Packages: Corporate Server 2.1: aa5e93c4668cd1f4ef8091c260e6c274 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.i586.rpm d1923437255ae0b50c5e1e8d40e3c0ee corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.i586.rpm 5e3ffcaa0291845b69c555f0961e610a corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.i586.rpm ceefc8ac27966d4f7311f2fcff37b6c8 corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.i586.rpm 9c85e7f857a7ebcf707ac6e65d32ceb1 corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

Corporate Server 2.1/x86_64: d1f2609c2fd600a73504a92c6b96ad0b x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.x86_64.rpm dec9c21de8362901562041c8a960a249 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.x86_64.rpm 951e43064657332318113f20c77cadf1 x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.x86_64.rpm 47a86a2f8219baa9504f01e1cf6de640 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.x86_64.rpm 9c85e7f857a7ebcf707ac6e65d32ceb1 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

Mandrakelinux 9.0: f240a851cd1e2350485c01937c03954a 9.0/RPMS/libopenssl0-0.9.6i-1.7.90mdk.i586.rpm 44163de2b87935272550f1ee76df3bea 9.0/RPMS/libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm 8692dc3bc8235e0ee0279c197fd7f2ee 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm fb67c8105ee757e0be521758cef6c3ad 9.0/RPMS/openssl-0.9.6i-1.7.90mdk.i586.rpm 2c5edca752c1bded660e811e4a14924c 9.0/SRPMS/openssl-0.9.6i-1.7.90mdk.src.rpm

Mandrakelinux 9.1: 675ca1ba5d7fbf2246a47ddb2c3b9b51 9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.i586.rpm 4f916449cf69b4246b6d31313082b836 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm e96d97d6abc80a2b876fa412a94513ee 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm 6f51829b630e60f1296571f06fdf31ad 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm cf731928a2a17b67ecc3a1592300842d 9.1/RPMS/openssl-0.9.7a-1.3.91mdk.i586.rpm 7034cb0be4e172d30fe2d68a6bec27b3 9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm fafa5780fe61503df1a92215e6dfdb24 9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

Mandrakelinux 9.1/PPC: 6a083899b5c52877e9bed2e21b030918 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.ppc.rpm 0e3eee09e1f2ceb59422f4ff0ce4a073 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.ppc.rpm 71a44d67de3c656025f9d9df93e690df ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.ppc.rpm bfba9442501c5c618f1f3953728de8fe ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.ppc.rpm fd0cae85733542b6e5edc422c6e85272 ppc/9.1/RPMS/openssl-0.9.7a-1.3.91mdk.ppc.rpm 7034cb0be4e172d30fe2d68a6bec27b3 ppc/9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm fafa5780fe61503df1a92215e6dfdb24 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

Mandrakelinux 9.2: ca7d2493b21406d07d8c4c95e8768c47 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm b0f4e7317a0ffa549394590bb3814216 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm cf3c227a00a1f738915768a860fabf24 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm 34b175885ae59b3a089b11a02039d88a 9.2/RPMS/openssl-0.9.7b-4.2.92mdk.i586.rpm 006292d74c144ace0a288ab444493788 9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64: 34246401bd6d2b211ea366d0673b2ce6 amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-4.2.92mdk.amd64.rpm 87b4e7fbeaf3640f94d67e1bd6bfc593 amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk.amd64.rpm a3c9c929398a68ce06cce5fd537f4387 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk.amd64.rpm 85155f93b8c769759b901b44f71974dd amd64/9.2/RPMS/openssl-0.9.7b-4.2.92mdk.amd64.rpm 006292d74c144ace0a288ab444493788 amd64/9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

Multi Network Firewall 8.2: 99eb1a2e1e97c207d39f5882c4acafe5 mnf8.2/RPMS/libopenssl0-0.9.6i-1.6.M82mdk.i586.rpm e9564e5b55b8fdf4b8e8af1b1c0c56a2 mnf8.2/RPMS/openssl-0.9.6i-1.6.M82mdk.i586.rpm 1ae8ea6a7254b5abe1cbc0a6bca66997 mnf8.2/SRPMS/openssl-0.9.6i-1.6.M82mdk.src.rpm _______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAWIYPmqjQ0CJFipgRAshnAKC8/HKUJDKL1mhLx5DJepT50T0IOgCbBYwN dn42d2BQxORniYtj+9q99NY= =6dKA -----END PGP SIGNATURE-----

[PARSEASHTML]

  Nav
» Read more about: Story Type: Security; Groups: Mandriva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.