lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1SCCya-00021u-UK@titan.mandriva.com>
Date: Mon, 26 Mar 2012 18:41:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2012:038 ] openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:038
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : March 26, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in openssl:
 
 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
 OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
 certain oracle behavior, which makes it easier for context-dependent
 attackers to decrypt data via a Million Message Attack (MMA) adaptive
 chosen ciphertext attack (CVE-2012-0884).
 
 The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
 of service (NULL pointer dereference and application crash) via a
 crafted S/MIME message, a different vulnerability than CVE-2006-7250
 (CVE-2012-1165).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 820b204b86b1f140bf8526725ee29650  2010.1/i586/libopenssl0.9.8-0.9.8u-0.1mdv2010.2.i586.rpm
 f19cb6b757e2502ba930c139ce6cd3c4  2010.1/i586/libopenssl1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
 a57c57a8ebfb75f2da2ce416218655a9  2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.11mdv2010.2.i586.rpm
 d5807ee096478bcca0d08f2145535f78  2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.i586.rpm
 cacdcfe367accab7ee4ce75eefd1d28d  2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
 8a3b57e03df92a2d421672a6495f34a0  2010.1/i586/openssl-1.0.0a-1.11mdv2010.2.i586.rpm 
 6be06368a541e654742693c6eb705fb1  2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
 2619947049700ab84d6cad214a0131f3  2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 dfb5f411e236cc9b4b3f2e005d5f0e2e  2010.1/x86_64/lib64openssl0.9.8-0.9.8u-0.1mdv2010.2.x86_64.rpm
 7ee654320d85d3f3aa0bbd94bc42453b  2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
 1d00d58ab6be34fd3542340300038950  2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
 6c7ca81d116a60d500ffddc2f3c7fb57  2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
 bcdac0e2468a6e06f4078f05fdafd392  2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
 836de45400c21f24fa5b21b7c706eb98  2010.1/x86_64/openssl-1.0.0a-1.11mdv2010.2.x86_64.rpm 
 6be06368a541e654742693c6eb705fb1  2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
 2619947049700ab84d6cad214a0131f3  2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

 Mandriva Linux 2011:
 1960675e9fe0ae8da138ecba0bf9e6b4  2011/i586/libopenssl1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
 de70876cfc6918c35b89cae61ccb2788  2011/i586/libopenssl-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
 68696a78df495d3245034e776ececf24  2011/i586/libopenssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
 fba71506079447ff67b7e52c15004221  2011/i586/libopenssl-static-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
 f8992d4ee7b2c0d979a314593c590e8b  2011/i586/openssl-1.0.0d-2.4-mdv2011.0.i586.rpm 
 34324e854461c4102c4db333d3f575ba  2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

 Mandriva Linux 2011/X86_64:
 89645faf8d71d72afa62c2be5d21a55b  2011/x86_64/lib64openssl1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 2f3e7dc11f36f7f10bc26669ea0d359a  2011/x86_64/lib64openssl-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 aecefb41191efa106dc11cfdff6e5dbc  2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 ec65b7b472890dd336239605846a3a56  2011/x86_64/lib64openssl-static-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 db15536fedf4e8e8e00f1877f2939f6d  2011/x86_64/openssl-1.0.0d-2.4-mdv2011.0.x86_64.rpm 
 34324e854461c4102c4db333d3f575ba  2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

 Mandriva Enterprise Server 5:
 4bd8479bc2fad30096d37d498240c507  mes5/i586/libopenssl0.9.8-0.9.8h-3.14mdvmes5.2.i586.rpm
 33cf65c119e4d84738619a84e598aba2  mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
 ca767a0cbeb99230946ebb35191b9df2  mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
 9f3bba03e5aff24ecd26bae11c99af91  mes5/i586/openssl-0.9.8h-3.14mdvmes5.2.i586.rpm 
 65c9f262dd6b4d66069649ea1e596b4b  mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 e0b68754036f1114ed20cf8199d7625d  mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 ba2d5446973c7aecbe93ac7455cb7a7b  mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 a16b1e15a2164eadf4d052f7f29080fd  mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 71e785c5e2bda4cfc189ae8adff9cd54  mes5/x86_64/openssl-0.9.8h-3.14mdvmes5.2.x86_64.rpm 
 65c9f262dd6b4d66069649ea1e596b4b  mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPcG6AmqjQ0CJFipgRAgdKAKCe5y81j9lidhC+Mjg3Q1XMcAyosQCfe2zE
JfKo2hU2JCc2U3RLbBgqRek=
=vipz
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ