Message-Id: <E1R8yCm-0001jA-Cl@titan.mandriva.com>
Date: Wed, 28 Sep 2011 19:46:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:137 ] openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:137
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : September 28, 2011
 Affected: 2010.1, 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:
 
 The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
 earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
 is used for the ECDHE_ECDSA cipher suite, does not properly implement
 curves over binary fields, which makes it easier for context-dependent
 attackers to determine private keys via a timing attack and a lattice
 calculation (CVE-2011-1945).
 
 crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
 initialize certain structure members, which makes it easier for
 remote attackers to bypass CRL validation by using a nextUpdate value
 corresponding to a time in the past (CVE-2011-3207).
 
 The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
 processing of handshake messages, which allows remote attackers
 to cause a denial of service (application crash) via out-of-order
 messages that violate the TLS protocol (CVE-2011-3210).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
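 Added here as an example, not part of the advisory or of Mandriva's tooling: a small Python audit helper that encodes the three affected ranges exactly as this advisory states them and checks an upstream OpenSSL version string (for instance the output of `openssl version`) against them. The banner parsing and the handling of OpenSSL's z-prefixed patch letters are assumptions of this example.

```python
import re

# Affected upstream OpenSSL ranges exactly as MDVSA-2011:137 states them
# (inclusive bounds). "1.0.x before 1.0.0e" is encoded as 1.0.0 .. 1.0.0d.
ADVISORY_RANGES = {
    "CVE-2011-1945": [("0.0.0", "1.0.0d")],                        # 1.0.0d and earlier
    "CVE-2011-3207": [("1.0.0", "1.0.0d")],                        # 1.0.x before 1.0.0e
    "CVE-2011-3210": [("0.9.8", "0.9.8s"), ("1.0.0", "1.0.0d")],   # 0.9.8 .. 0.9.8s, 1.0.x before 1.0.0e
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_version(text):
    """Turn an OpenSSL version string such as '0.9.8zh' into a sortable tuple.

    Assumption: patch letters run a..z and then za, zb, ... (OpenSSL's own
    scheme), so summing the letter ordinals preserves their order:
    '' < 'a' < ... < 'z' < 'za' < 'zb'.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    patch = sum(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), patch)


def version_from_banner(banner):
    """Extract the version from `openssl version` output, e.g.
    'OpenSSL 1.0.0d 8 Feb 2011' -> '1.0.0d'; None if no version is found."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def affected_cves(version):
    """Return the advisory's CVE ids whose stated range covers `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in ADVISORY_RANGES.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample banner; on a real host feed in `openssl version` output.
    banner = "OpenSSL 1.0.0d 8 Feb 2011"
    print(banner, "->", affected_cves(version_from_banner(banner)))
```

 The fixed Mandriva packages for this advisory still carry the upstream versions 1.0.0a (2010.1) and 1.0.0d (2011), so on a distribution that backports fixes the package release, not the version banner, is what tells you whether this update is installed.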
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 bd60d1b484309734bc8071f8d56c78d4  2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 db2a2d676ab59df2a7077f0888cbc7f5  2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 bbf3789a5da46dc0dde527352f15bb2d  2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 9a757b9d019b952696fbbf1bdb80571e  2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 2527313d11471e17bac3309941f7aaf8  2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm 
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 6c11f02b7a582a4ff2129f3f4183ffdd  2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 16eb55a62466f8c8bb7b642011dea54a  2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 080662986ef9f21128c2c4bca3d9e0aa  2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 b58cfdb41d740a2176ea2f9d2a33cae5  2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 6a8f48aea469d9183725bd22acfab8cc  2010.1/x86_64/openssl-1.0.0a-1.8mdv2010.2.x86_64.rpm 
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2011:
 5fd58662d6a52ac88efe81f989fc9ede  2011/i586/libopenssl1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 aa9043268df01b6785c988947731908b  2011/i586/libopenssl-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 3b749c8a41b714e84bd7732cd6ee5089  2011/i586/libopenssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 77d9dbad979416dd1b4af54b463c9858  2011/i586/libopenssl-static-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 fb567a8bafc6b42337c85a0f33ff33cb  2011/i586/openssl-1.0.0d-2.1-mdv2011.0.i586.rpm 
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm

 Mandriva Linux 2011/X86_64:
 93891e6f060d2079ea9a4a949fe40a25  2011/x86_64/lib64openssl1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 02a059bdb85b00ebcf029ed62142b5f6  2011/x86_64/lib64openssl-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 136b35ff7bff01b4791b7b366cff6c88  2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 1aaf1d105b86c1be2a367d4189c12c3b  2011/x86_64/lib64openssl-static-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 766878bba443c3d2163451d383591e79  2011/x86_64/openssl-1.0.0d-2.1-mdv2011.0.x86_64.rpm 
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOgzHYmqjQ0CJFipgRAsTZAKDW2iAKcrQ2Wn3WUQOZKyrtR0wF/gCdE7Wq
p8MJC4PHvZEv/WH8jrDBGB0=
=oOhw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
