lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20061002193319.GA3496@galadriel.inutil.org>
Date: Mon, 2 Oct 2006 21:33:19 +0200
From: Noah Meyerhans <noahm@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 1185-2] New openssl packages fix
	arbitrary code execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1185-2                    security@...ian.org
http://www.debian.org/security/                             Noah Meyerhans
October 2nd, 2006                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2940

The fix used to correct CVE-2006-2940 introduced code that could lead to
the use of uninitialized memory.  Such use is likely to cause the
application using the openssl library to crash, and has the potential to
allow an attacker to cause the execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge4.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-3 of the
openssl097 compatibility libraries, and version 0.9.8c-3 of the
openssl package.

We recommend that you upgrade your openssl package.  Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc
      Size/MD5 checksum:      639 179f34093d860afff66964b5f1c99ee3
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz
      Size/MD5 checksum:    29707 0b4d462730327aba5a751bd4bec71c10
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
      Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb
      Size/MD5 checksum:  3341886 f0d0ef51fac89227b0d0705116439f5c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb
      Size/MD5 checksum:  2448092 8065c52c7649f36221f8a48adfb4cb29
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb
      Size/MD5 checksum:   930234 5953c4c4a45352d41c3c414eda63ff00

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb
      Size/MD5 checksum:  2693980 cbd25bbed17ec73561337bfc3d8ed2ed
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb
      Size/MD5 checksum:   769904 2671cdf2f48013617ea509daac2bb4dc
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb
      Size/MD5 checksum:   903782 e370684d7c84d1eebcb69cdda35c6c6c

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb
      Size/MD5 checksum:  2556330 75c1a253ddad0b7ad87053552770e5c4
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb
      Size/MD5 checksum:   690202 ccd435ca2c183940152f3bd70d84ee0b
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb
      Size/MD5 checksum:   894144 2e5caaa90184d9ee9e607d18728e6f93

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb
      Size/MD5 checksum:  2695990 58fe1a247ef47faa559eef610b437db6
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb
      Size/MD5 checksum:   791382 f0c64d06307af937218944d6d8db6e2f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb
      Size/MD5 checksum:   914576 631c681a3c4ce355962a7c684767a155

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb
      Size/MD5 checksum:  2554956 c4c9aa14e74dbd6dac2cadd7cf48b522
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb
      Size/MD5 checksum:  2265180 9047b6c6036c048ad75fa397f220ae39
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb
      Size/MD5 checksum:   906268 070d1d1680f90da5509121c44de7a254

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_ia64.deb
      Size/MD5 checksum:  3396206 3a3d88238a48d33b39e7575a97c6cfdf
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_ia64.deb
      Size/MD5 checksum:  1038432 e2e4e1d388c5d45c8d30e16d661ad24c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_ia64.deb
      Size/MD5 checksum:   975152 1783b49f3b7a12bd18dff0fcc37f5d68

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_m68k.deb
      Size/MD5 checksum:  2317348 b4930b1cf5e642bf509d44dd83de193f
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_m68k.deb
      Size/MD5 checksum:   661716 d5fb4eb5947c8765e268696e94a46a8b
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_m68k.deb
      Size/MD5 checksum:   889932 e1ecef3780edd38743246dfda1424e8c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mips.deb
      Size/MD5 checksum:  2779464 591dbe4f6d73d56c9e9ff72f2d0a5385
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mips.deb
      Size/MD5 checksum:   706682 0b3de7eef13969d065ed057fda34afc2
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mips.deb
      Size/MD5 checksum:   896834 e2b8f38056a06f63c3ce6c10d9d95dba

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mipsel.deb
      Size/MD5 checksum:  2767364 883d0167f6642e90e8a183b4f87a78ba
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mipsel.deb
      Size/MD5 checksum:   694532 f4961231ef2c2b8ff46f173338a7fa36
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mipsel.deb
      Size/MD5 checksum:   895922 2ad35f3927ba71d8054fe8cd4316f5b0

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_powerpc.deb
      Size/MD5 checksum:  2775608 0dca0ec9cf2d230ce68394849be748b1
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_powerpc.deb
      Size/MD5 checksum:   779456 6736cdc1dfe5f19013f4dee0a2b3b1cf
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_powerpc.deb
      Size/MD5 checksum:   908418 8759696eff63836597e4247c06ba7b22

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_s390.deb
      Size/MD5 checksum:  2717788 12fb63ace68a2698c19c725530ab18d9
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_s390.deb
      Size/MD5 checksum:   814012 adcee88124369de1daeae0545e0517a0
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_s390.deb
      Size/MD5 checksum:   918524 b93704f4ce84489d4ee163098a783962

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_sparc.deb
      Size/MD5 checksum:  2630606 a20a47b2f291810a09fd04a4c130ddb0
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_sparc.deb
      Size/MD5 checksum:  1886152 8521da994bf2a6df3bdc457fb3e0683b
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_sparc.deb
      Size/MD5 checksum:   924556 ff8cee5f5a9653a9dd917b4ec51166ee


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFIWjaXm3vHE4uyloRAlCnAKDJS/TqmvEdkWKPzE3d5MmsC+VAXgCg3Kw+
43qPyLtg10UxpWWh0fHpOnA=
=Xbwi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ