Gmane
From: <security <at> mandriva.com>
Subject: [ MDVSA-2011:137 ] openssl
Newsgroups: gmane.linux.mandrake.security.announce
Date: Wednesday 28th September 2011 17:46:00 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:137
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : September 28, 2011
 Affected: 2010.1, 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:
 
 The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
 earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
 is used for the ECDHE_ECDSA cipher suite, does not properly implement
 curves over binary fields, which makes it easier for context-dependent
 attackers to determine private keys via a timing attack and a lattice
 calculation (CVE-2011-1945).
 
 crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
 initialize certain structure members, which makes it easier for
 remote attackers to bypass CRL validation by using a nextUpdate value
 corresponding to a time in the past (CVE-2011-3207).
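
 The rule CVE-2011-3207 concerns is the RFC 5280 freshness check on a
 CRL's thisUpdate/nextUpdate. The following is an added example, not
 OpenSSL's own code: a minimal DER walker extracts the two Time fields
 from a CertificateList and applies the check a correct verifier must
 perform. The sample CRLs are constructed in the block with a dummy
 issuer and a zeroed signature (signature verification is out of scope),
 and the outcome strings borrow OpenSSL's verify error names only for
 readability.

```python
"""CRL freshness check (RFC 5280, 5.1.2.5 and 5.1.2.6) on a DER CertificateList.

Added example, not OpenSSL's code. Signature verification is out of scope;
the sample CRLs below are constructed here with a dummy issuer and signature.
"""
import datetime as dt

SEQUENCE, SET, INTEGER, OID, NULL, BIT_STRING = 0x30, 0x31, 0x02, 0x06, 0x05, 0x03
UTF8_STRING, UTC_TIME, GENERALIZED_TIME = 0x0C, 0x17, 0x18


def der(tag, body):
    """Encode one DER TLV; lengths up to 65535 are enough for this example."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def utc_time(t):
    """Encode a UTC datetime as DER UTCTime (YYMMDDHHMMSSZ)."""
    return der(UTC_TIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_crl(this_update, next_update):
    """Constructed sample: a v2 CRL with no revoked entries and a zeroed signature."""
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
    issuer = der(SEQUENCE, der(SET, der(SEQUENCE,
                 der(OID, bytes.fromhex("550403")) + der(UTF8_STRING, b"Example CA"))))
    tbs = (der(INTEGER, b"\x01") + sha256_rsa + issuer
           + utc_time(this_update) + utc_time(next_update))
    return der(SEQUENCE, der(SEQUENCE, tbs) + sha256_rsa + der(BIT_STRING, b"\x00" * 33))


def read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_time(tag, value):
    """Decode UTCTime (two-digit year, RFC 5280 pivot at 50) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == UTC_TIME:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    elif tag != GENERALIZED_TIME:
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def crl_update_times(crl_der):
    """Extract (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, cert_list, _ = read_tlv(crl_der, 0)
    tag, tbs, _ = read_tlv(cert_list, 0)
    if tag != SEQUENCE:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, _, pos = read_tlv(tbs, 0)         # version (optional) or signature
    if tag == INTEGER:
        tag, _, pos = read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    tag, _, pos = read_tlv(tbs, pos)       # issuer Name
    tag, val, pos = read_tlv(tbs, pos)
    this_update = parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        if tag in (UTC_TIME, GENERALIZED_TIME):   # otherwise it is revokedCertificates
            next_update = parse_time(tag, val)
    return this_update, next_update


def check_crl_time(crl_der, now):
    """Return "OK" or the OpenSSL-style error a correct verifier raises.

    CVE-2011-3207: affected builds could accept a CRL whose nextUpdate was
    already in the past; such a CRL must not be used for revocation checks.
    """
    this_update, next_update = crl_update_times(crl_der)
    if this_update > now:
        return "X509_V_ERR_CRL_NOT_YET_VALID"
    if next_update is not None and next_update < now:
        return "X509_V_ERR_CRL_HAS_EXPIRED"
    return "OK"


# Constructed test data, anchored at the advisory's own date.
NOW = dt.datetime(2011, 9, 28, 17, 46, tzinfo=dt.timezone.utc)
FRESH_CRL = build_crl(NOW - dt.timedelta(days=1), NOW + dt.timedelta(days=6))
STALE_CRL = build_crl(NOW - dt.timedelta(days=30), NOW - dt.timedelta(days=23))
FUTURE_CRL = build_crl(NOW + dt.timedelta(hours=1), NOW + dt.timedelta(days=7))

if __name__ == "__main__":
    for name, crl in (("fresh", FRESH_CRL), ("stale", STALE_CRL), ("future", FUTURE_CRL)):
        print(name, check_crl_time(crl, now=NOW))
```

 Note that this check only comes into play when the application has
 turned CRL checking on (X509_V_FLAG_CRL_CHECK); applications that never
 load a CRL are not exposed to CVE-2011-3207 either way.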
 
 The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
 processing of handshake messages, which allows remote attackers
 to cause a denial of service (application crash) via out-of-order
 messages that violate the TLS protocol (CVE-2011-3210).
 
 Packages for 2009.0 are provided as part of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 bd60d1b484309734bc8071f8d56c78d4  2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 db2a2d676ab59df2a7077f0888cbc7f5  2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 bbf3789a5da46dc0dde527352f15bb2d  2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 9a757b9d019b952696fbbf1bdb80571e  2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 2527313d11471e17bac3309941f7aaf8  2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 6c11f02b7a582a4ff2129f3f4183ffdd  2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 16eb55a62466f8c8bb7b642011dea54a  2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 080662986ef9f21128c2c4bca3d9e0aa  2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 b58cfdb41d740a2176ea2f9d2a33cae5  2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 6a8f48aea469d9183725bd22acfab8cc  2010.1/x86_64/openssl-1.0.0a-1.8mdv2010.2.x86_64.rpm
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2011:
 5fd58662d6a52ac88efe81f989fc9ede  2011/i586/libopenssl1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 aa9043268df01b6785c988947731908b  2011/i586/libopenssl-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 3b749c8a41b714e84bd7732cd6ee5089  2011/i586/libopenssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 77d9dbad979416dd1b4af54b463c9858  2011/i586/libopenssl-static-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 fb567a8bafc6b42337c85a0f33ff33cb  2011/i586/openssl-1.0.0d-2.1-mdv2011.0.i586.rpm
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm

 Mandriva Linux 2011/X86_64:
 93891e6f060d2079ea9a4a949fe40a25  2011/x86_64/lib64openssl1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 02a059bdb85b00ebcf029ed62142b5f6  2011/x86_64/lib64openssl-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 136b35ff7bff01b4791b7b366cff6c88  2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 1aaf1d105b86c1be2a367d4189c12c3b  2011/x86_64/lib64openssl-static-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 766878bba443c3d2163451d383591e79  2011/x86_64/openssl-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
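
 For packages fetched by hand from a mirror rather than through urpmi,
 the md5 list above can be checked with a short script. The following is
 an added example, not Mandriva's tooling: it parses the advisory's
 checksum list (tolerating the wrapped form that mailing-list archives
 produce, where a path lands on the line after its digest) and compares
 each listed file. The sample list and files are constructed inside the
 block, so the digests in it are of that sample content, not of the real
 RPMs.

```python
"""Check hand-downloaded packages against the advisory's md5 list.

Added example, not Mandriva's tooling: urpmi and MandrivaUpdate perform
this check (plus the GPG signature check) automatically; this is for
packages fetched manually from a mirror. The sample list and files are
constructed here, so the digests below belong to that sample content and
not to the real RPMs.
"""
import hashlib
import os
import re
import tempfile

HEX32 = r"[0-9a-f]{32}"
HASH_LINE = re.compile(r"^(%s)\s+(\S+)$" % HEX32)


def parse_checksum_list(text):
    """Map relative package path -> expected md5.

    Accepts both "<md5>  <path>" on one line and the wrapped form where the
    path sits on the line following its digest.
    """
    expected, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:            # path continuing a wrapped entry
            expected[line] = pending
            pending = None
            continue
        m = HASH_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1)
        elif re.fullmatch(HEX32, line):    # digest alone; path is on the next line
            pending = line
    return expected


def md5_of_file(path):
    """Stream the file through md5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, base_dir):
    """Return {path: "OK" | "MISMATCH" | "MISSING"} for every listed package."""
    results = {}
    for rel, digest in expected.items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) != digest:
            results[rel] = "MISMATCH"
        else:
            results[rel] = "OK"
    return results


# Constructed sample in the advisory's layout; md5("hello\n") and md5("")
# stand in for the real package digests.
SAMPLE_LIST = """
 Mandriva Linux 2011:
 b1946ac92492d2347c6235b4d2611184
2011/i586/good.rpm
 d41d8cd98f00b204e9800998ecf8427e  2011/i586/tampered.rpm
 d41d8cd98f00b204e9800998ecf8427e  2011/SRPMS/missing.src.rpm
"""


def demo():
    """Lay out a fake mirror download and verify it; returns the per-file verdicts."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "2011", "i586"))
        with open(os.path.join(base, "2011", "i586", "good.rpm"), "wb") as f:
            f.write(b"hello\n")
        with open(os.path.join(base, "2011", "i586", "tampered.rpm"), "wb") as f:
            f.write(b"not the bytes the advisory listed\n")
        return verify_downloads(parse_checksum_list(SAMPLE_LIST), base)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(verdict, path)
```

 The md5 comparison only catches a corrupted or truncated download. A
 mirror that can substitute an RPM can equally publish a matching digest,
 and md5 collisions are practical, so authenticity rests on the package
 signature: rpm --checksig <file> verifies it against the keys imported
 into the rpm keyring, which is the check urpmi performs for you.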

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOgzHYmqjQ0CJFipgRAsTZAKDW2iAKcrQ2Wn3WUQOZKyrtR0wF/gCdE7Wq
p8MJC4PHvZEv/WH8jrDBGB0=
=oOhw
-----END PGP SIGNATURE-----