[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MpnRd-0004ku-Mp@titan.mandriva.com>
Date: Mon, 21 Sep 2009 20:17:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:237 ] openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:237
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 21, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities was discovered and corrected in openssl:
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to
cause a denial of service (NULL pointer dereference and daemon crash)
via a DTLS ChangeCipherSpec packet that occurs before ClientHello
(CVE-2009-1386).
The NSS library library before 3.12.3, as used in Firefox; GnuTLS
before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other
products support MD2 with X.509 certificates, which might allow
remote attackers to spooof certificates by using MD2 design flaws
to generate a hash collision in less than brute-force time. NOTE:
the scope of this issue is currently limited because the amount of
computation required is still large (CVE-2009-2409).
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
52c4eef7e013ff51da821c9739f8455c corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
ee8c84605e6073baa7ba8f7a2583688f corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
c4644081608a0322998acaff8aeb7855 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
613010dc703d61de93bfad8ccc91cc67 corporate/3.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
Corporate 3.0/X86_64:
37a8fb11191834bd7e45ec4ccb3cdeb8 corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.11.C30mdk.x86_64.rpm
9fd74f7123edae69f4bb674d35b96ef8 corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
247b548bbbc772c69a3c1cc54e350d90 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
779e9ac5fffaf96141be8ea77f963e83 corporate/3.0/x86_64/openssl-0.9.7c-3.11.C30mdk.x86_64.rpm
141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
Corporate 4.0:
92833c7613875f935a0ac42c1ee22328 corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.10.20060mlcs4.i586.rpm
6ca9508b8769fe3e0f7e25a9aa73d82d corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
ec80b2ccb7231f71fcf81cc200985d88 corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
efa7973f515618a3bc77f1ee8969a982 corporate/4.0/i586/openssl-0.9.7g-2.10.20060mlcs4.i586.rpm
4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
271634c0d8e82fe4a3302c04dc7d6e87 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.10.20060mlcs4.x86_64.rpm
72f2b3717cd75ab119323252e3b89e5b corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
2fb0977d4a4fce2466c05cabf64f56a6 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
1a10542aec4bc4bfa97064c081d89f06 corporate/4.0/x86_64/openssl-0.9.7g-2.10.20060mlcs4.x86_64.rpm
4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
52c4eef7e013ff51da821c9739f8455c mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
ee8c84605e6073baa7ba8f7a2583688f mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
c4644081608a0322998acaff8aeb7855 mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
613010dc703d61de93bfad8ccc91cc67 mnf/2.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
141b07323226c91355ccb28f0ad93f97 mnf/2.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKt5fFmqjQ0CJFipgRAvMNAJ4zquZZu032FYwhkb5YZgClNRot8ACfdtBs
7+ICSmUVqTQP8OAgWNIh3ow=
=2QEL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists