lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1O3BCW-0005dM-M7@titan.mandriva.com>
Date: Sat, 17 Apr 2010 18:49:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:076 ] openssl


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:076
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : April 15, 2010
 Affected: 2008.0, 2009.1, 2010.0, Corporate 4.0, Enterprise Server 5.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 This update fixes several security issues in openssl:
 - The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f
 through 0.9.8m allows remote attackers to cause a denial of service
 (crash) via a malformed record in a TLS connection (CVE-2010-0740)
 - OpenSSL before 0.9.8m does not check for a NULL return value
 from bn_wexpand function calls which has unspecified impact and
 context-dependent attack vectors (CVE-2009-3245)
 - The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL
 before 0.9.8n, when Kerberos is enabled but Kerberos configuration
 files cannot be opened, could allow remote attackers to cause a denial
 of service (NULL pointer dereference and daemon crash) (CVE-2010-0433)
 - Finally, this update provides support for secure renegotiation,
 preventing men-in-the-middle attacks (CVE-2009-3555).
 
 Packages for 2008.0 and 2009.0 are provided due to the Extended
 Maintenance Program for those products.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 6779a4a1db26d264e8245d5a2e03b8e2  2008.0/i586/libopenssl0.9.8-0.9.8e-8.6mdv2008.0.i586.rpm
 32d0879c08e77ec6ee2bf3401e342ab5  2008.0/i586/libopenssl0.9.8-devel-0.9.8e-8.6mdv2008.0.i586.rpm
 f96338b09159511eb17480a3a398cdf4  2008.0/i586/libopenssl0.9.8-static-devel-0.9.8e-8.6mdv2008.0.i586.rpm
 3b314cadba52af9c6ef20807fa6a7e40  2008.0/i586/openssl-0.9.8e-8.6mdv2008.0.i586.rpm 
 5781d06f2bc45312c89d5578b3d4426e  2008.0/SRPMS/openssl-0.9.8e-8.6mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 18a2f6b7bc42e89172e199e2c9d9cbd7  2008.0/x86_64/lib64openssl0.9.8-0.9.8e-8.6mdv2008.0.x86_64.rpm
 adbcfd94636bf43eca84d56b000f1bf9  2008.0/x86_64/lib64openssl0.9.8-devel-0.9.8e-8.6mdv2008.0.x86_64.rpm
 78a4ae2c93221b31e75ff44f01cc963e  2008.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8e-8.6mdv2008.0.x86_64.rpm
 cf642101a500d21a1b0d560c94f6c33b  2008.0/x86_64/openssl-0.9.8e-8.6mdv2008.0.x86_64.rpm 
 5781d06f2bc45312c89d5578b3d4426e  2008.0/SRPMS/openssl-0.9.8e-8.6mdv2008.0.src.rpm

 Mandriva Linux 2009.1:
 2179a8dcd20d37f14ee8830af0b19f18  2009.1/i586/libopenssl0.9.8-0.9.8k-1.5mdv2009.1.i586.rpm
 2fa14647d3a714b59fcc96893b872d89  2009.1/i586/libopenssl0.9.8-devel-0.9.8k-1.5mdv2009.1.i586.rpm
 3456989c6989346efcf82a2ac744b860  2009.1/i586/libopenssl0.9.8-static-devel-0.9.8k-1.5mdv2009.1.i586.rpm
 ea0d9271dff872444a5104edb5a35782  2009.1/i586/openssl-0.9.8k-1.5mdv2009.1.i586.rpm 
 9606d6dd9ef55a4e36585031819ff68a  2009.1/SRPMS/openssl-0.9.8k-1.5mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 48b2c896f7f5a78da411c3f952641a7c  2009.1/x86_64/lib64openssl0.9.8-0.9.8k-1.5mdv2009.1.x86_64.rpm
 f2243e30cf19af90a5d318a9b58f7166  2009.1/x86_64/lib64openssl0.9.8-devel-0.9.8k-1.5mdv2009.1.x86_64.rpm
 eb21df80599178f9e0801f56ea53c596  2009.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-1.5mdv2009.1.x86_64.rpm
 7623f6957ce025df671f26da48b43a8c  2009.1/x86_64/openssl-0.9.8k-1.5mdv2009.1.x86_64.rpm 
 9606d6dd9ef55a4e36585031819ff68a  2009.1/SRPMS/openssl-0.9.8k-1.5mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 bf40dda29eab76aed02a1d7cb0c6b7b0  2010.0/i586/libopenssl0.9.8-0.9.8k-5.2mdv2010.0.i586.rpm
 88f7e61fb1a73b6785eb7dd619b4ba26  2010.0/i586/libopenssl0.9.8-devel-0.9.8k-5.2mdv2010.0.i586.rpm
 43c3513218c3a1f9b92e6de050905511  2010.0/i586/libopenssl0.9.8-static-devel-0.9.8k-5.2mdv2010.0.i586.rpm
 a8301e1c6f5f770673e3b5aa78def152  2010.0/i586/openssl-0.9.8k-5.2mdv2010.0.i586.rpm 
 d34a969c322305ba7c2bf42c464e655b  2010.0/SRPMS/openssl-0.9.8k-5.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 bd1bad7a46c995dd70390db3d3f54d9b  2010.0/x86_64/lib64openssl0.9.8-0.9.8k-5.2mdv2010.0.x86_64.rpm
 c402e4d826ff811ed12e51348433043d  2010.0/x86_64/lib64openssl0.9.8-devel-0.9.8k-5.2mdv2010.0.x86_64.rpm
 11bc52f64e3149750039441e0953c1ac  2010.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-5.2mdv2010.0.x86_64.rpm
 a312e7b5c36582656783e287e4fbf8b2  2010.0/x86_64/openssl-0.9.8k-5.2mdv2010.0.x86_64.rpm 
 d34a969c322305ba7c2bf42c464e655b  2010.0/SRPMS/openssl-0.9.8k-5.2mdv2010.0.src.rpm

 Corporate 4.0:
 838799e95a4b8ddbad162e3d85826cb3  corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.12.20060mlcs4.i586.rpm
 fa537398af95ed3d4d2bf0458d6968e7  corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.12.20060mlcs4.i586.rpm
 44095aa5ee43e81861066b7be51f26e0  corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.12.20060mlcs4.i586.rpm
 311d0ffc5d5c066e78444899796d9a04  corporate/4.0/i586/openssl-0.9.7g-2.12.20060mlcs4.i586.rpm 
 ffcbb14a29c554d271b34a07ba8c6760  corporate/4.0/SRPMS/openssl-0.9.7g-2.12.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 36a4b10bb78a32c87eacb51bb898ce74  corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.12.20060mlcs4.x86_64.rpm
 97bc349e00703ec30ed4bc92ed1c8ad3  corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.12.20060mlcs4.x86_64.rpm
 c5ad86569b033f43117c190d4843cb62  corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.12.20060mlcs4.x86_64.rpm
 7323557da4375c9e28f0fc6ffe3c9681  corporate/4.0/x86_64/openssl-0.9.7g-2.12.20060mlcs4.x86_64.rpm 
 ffcbb14a29c554d271b34a07ba8c6760  corporate/4.0/SRPMS/openssl-0.9.7g-2.12.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 5397afaa4dd55a61a69c7a613b4a04d0  mes5/i586/libopenssl0.9.8-0.9.8h-3.7mdvmes5.1.i586.rpm
 672b31b0932445ab920d98674b39568e  mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.7mdvmes5.1.i586.rpm
 bd4315ba38456187e89a3608f9a81449  mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.7mdvmes5.1.i586.rpm
 97c3e766752633e2dc3fb4e8808d94a2  mes5/i586/openssl-0.9.8h-3.7mdvmes5.1.i586.rpm 
 3fa202efa10e5a1758296c38d550e3c9  mes5/SRPMS/openssl-0.9.8h-3.7mdv2009.0.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 eff1bf6b250becc30db24dd090677cdc  mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.7mdvmes5.1.x86_64.rpm
 a516bcfc84c4d725f9123aba88f2f433  mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.7mdvmes5.1.x86_64.rpm
 82bc5fb4ce477538a44d934ad20d0a76  mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.7mdvmes5.1.x86_64.rpm
 1423afe3a03dc74af39c81a5ea8382ba  mes5/x86_64/openssl-0.9.8h-3.7mdvmes5.1.x86_64.rpm 
 3fa202efa10e5a1758296c38d550e3c9  mes5/SRPMS/openssl-0.9.8h-3.7mdv2009.0.src.rpm

 Multi Network Firewall 2.0:
 dc0699f12403b68e03714fbf196c1a61  mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.13.C30mdk.i586.rpm
 300487b72c03dc789393b1d031b0f79f  mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.13.C30mdk.i586.rpm
 a7153e4b9c5b0b3710307ec9366bc7c6  mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.13.C30mdk.i586.rpm
 51f0b04c0a6ceb1008c017ff5c9e708e  mnf/2.0/i586/openssl-0.9.7c-3.13.C30mdk.i586.rpm 
 4fbf3a9a35931cc30fdda10ce7d1d911  mnf/2.0/SRPMS/openssl-0.9.7c-3.13.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLybd5mqjQ0CJFipgRAoogAKDhb8KNEsbPJbLGW/HkRJtwmigdlACeLosx
AivcTVPvxGwS+9NxLS8bfeA=
=M7MB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ