lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1IdaYI-0003ST-OL@artemis.annvix.ca>
Date: Thu, 04 Oct 2007 17:56:22 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDKSA-2007:193 ] - Updated openssl packages fix
	vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:193
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : openssl
 Date    : October 4, 2007
 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A flaw in how OpenSSL performed Montgomery multiplications was
 discovered %that could allow a local attacker to reconstruct
 RSA private keys by examining another user's OpenSSL processes
 (CVE-2007-3108).
 
 Moritz Jodeit found that OpenSSL's SSL_get_shared_ciphers() function
 did not correctly check the size of the buffer it was writing to.
 As a result, a remote attacker could exploit this to write one NULL
 byte past the end of the applications's cipher list buffer, which could
 possibly lead to a denial of service or the execution of arbitrary code
 (CVE-2007-5135).
 
 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 5c8d0d9913f050fb578249727ff354ff  2007.0/i586/libopenssl0.9.8-0.9.8b-2.3mdv2007.0.i586.rpm
 53c7176ef6b16948aa6d5bb67def299d  2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.3mdv2007.0.i586.rpm
 1c8ef1064b4c632af64bc0ec1751ac89  2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.3mdv2007.0.i586.rpm
 bb608ba18b44a0dfbe36982e6a271b22  2007.0/i586/openssl-0.9.8b-2.3mdv2007.0.i586.rpm 
 540e96d09fbd35eb2eca24702cc0931d  2007.0/SRPMS/openssl-0.9.8b-2.3mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 3e23bf1e61fc8a19c7872079011788e6  2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.3mdv2007.0.x86_64.rpm
 65671d72b5bb5b915bc01ab2dc846c34  2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.3mdv2007.0.x86_64.rpm
 c16fd9258d72f6ccc3aaefafc75cd99d  2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.3mdv2007.0.x86_64.rpm
 ed45fcbd3374c335d074932dff91030b  2007.0/x86_64/openssl-0.9.8b-2.3mdv2007.0.x86_64.rpm 
 540e96d09fbd35eb2eca24702cc0931d  2007.0/SRPMS/openssl-0.9.8b-2.3mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 c5aad78d2ba1294bd3039abfcddd8382  2007.1/i586/libopenssl0.9.8-0.9.8e-2.2mdv2007.1.i586.rpm
 31bca08992e98aed69c39ff479a18b29  2007.1/i586/libopenssl0.9.8-devel-0.9.8e-2.2mdv2007.1.i586.rpm
 06c20e0fb027dce47c3833caddf87a2f  2007.1/i586/libopenssl0.9.8-static-devel-0.9.8e-2.2mdv2007.1.i586.rpm
 ee5037b0daafcbf083cf02be27419b3d  2007.1/i586/openssl-0.9.8e-2.2mdv2007.1.i586.rpm 
 a2ca18e0e306f519d6011eed118a02c8  2007.1/SRPMS/openssl-0.9.8e-2.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 02d5ae105bc7946b7dc6cfd498c681f4  2007.1/x86_64/lib64openssl0.9.8-0.9.8e-2.2mdv2007.1.x86_64.rpm
 2778805e15d75e2bf4ecde66a5b21455  2007.1/x86_64/lib64openssl0.9.8-devel-0.9.8e-2.2mdv2007.1.x86_64.rpm
 9003241feaccbc47091e46fa05bc8fb1  2007.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8e-2.2mdv2007.1.x86_64.rpm
 d1fbd88ec3ffa6d4df856538b853ca59  2007.1/x86_64/openssl-0.9.8e-2.2mdv2007.1.x86_64.rpm 
 a2ca18e0e306f519d6011eed118a02c8  2007.1/SRPMS/openssl-0.9.8e-2.2mdv2007.1.src.rpm

 Corporate 3.0:
 2f687b8e796e5c11bfeda56fc250f460  corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.8.C30mdk.i586.rpm
 0a136b0188589daa96a275e2a908975f  corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.8.C30mdk.i586.rpm
 33e77c95c1ed8d2dd987c228db1f0b85  corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.8.C30mdk.i586.rpm
 92206bcee38e0161642214da33346dde  corporate/3.0/i586/openssl-0.9.7c-3.8.C30mdk.i586.rpm 
 50ae55cf0a49e289928c6322cb6d38a1  corporate/3.0/SRPMS/openssl-0.9.7c-3.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e79a1806eccc086a25fe531b4bb960d2  corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.8.C30mdk.x86_64.rpm
 824675fbf7aa8d32d49f629ebcb15e81  corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.8.C30mdk.x86_64.rpm
 8ccdb4d500319cd78e24225f8d746ee5  corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.8.C30mdk.x86_64.rpm
 44581db7a0c584364106030cc1f1ba60  corporate/3.0/x86_64/openssl-0.9.7c-3.8.C30mdk.x86_64.rpm 
 50ae55cf0a49e289928c6322cb6d38a1  corporate/3.0/SRPMS/openssl-0.9.7c-3.8.C30mdk.src.rpm

 Corporate 4.0:
 426c94750032db44cef75628fce870f3  corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.6.20060mlcs4.i586.rpm
 58322f979d059ba5d159673295388811  corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.6.20060mlcs4.i586.rpm
 9be093a49f1f39155ee6027142ae5910  corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.6.20060mlcs4.i586.rpm
 0d8cf221955d4fe023c531864e1834c1  corporate/4.0/i586/openssl-0.9.7g-2.6.20060mlcs4.i586.rpm 
 147ea629d4b5af8eac458f391284cbca  corporate/4.0/SRPMS/openssl-0.9.7g-2.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 4d1bd83a0f0176c39fcc26fbe83e4164  corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.6.20060mlcs4.x86_64.rpm
 dc12b5da6598a34f18a43e04bb0956ac  corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.6.20060mlcs4.x86_64.rpm
 b8c7936de5ceb1a868f45e2128e828f9  corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.6.20060mlcs4.x86_64.rpm
 39b8c2cfae2941c825d61054f4a04bea  corporate/4.0/x86_64/openssl-0.9.7g-2.6.20060mlcs4.x86_64.rpm 
 147ea629d4b5af8eac458f391284cbca  corporate/4.0/SRPMS/openssl-0.9.7g-2.6.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 57c9c59fa9d048e9b707d938a0daa3b1  mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.8.M20mdk.i586.rpm
 8681281473c7b2472597456ad77938a9  mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.8.M20mdk.i586.rpm
 5d2a191ab92ec741d2546fb79d49e330  mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.8.M20mdk.i586.rpm
 0d00b0e6cbff0b4dbd4e9c9b3659b6f8  mnf/2.0/i586/openssl-0.9.7c-3.8.M20mdk.i586.rpm 
 448e7559127aef13218ef2272b671e0d  mnf/2.0/SRPMS/openssl-0.9.7c-3.8.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHBVHkmqjQ0CJFipgRAuRYAKCget3UmVQq5wb7iEsW/YEUYwPYxgCeLSP4
MWA3mejShsFjsO8DOL3ePuY=
=Yr6e
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ