Mandriva Advisories

Package name: openssl
Date: September 6th, 2006
Advisory ID: MDKSA-2006:161
Affected versions: CS3.0, MNF2.0, 2006.0
Synopsis: Updated openssl packages fix vulnerability

Problem Description

Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5
signatures: where an RSA key with a small exponent is used, it could
be possible to forge a PKCS #1 v1.5 signature signed by that key.

Any software using OpenSSL to verify X.509 certificates is potentially
vulnerable to this issue, as is any other use of PKCS #1 v1.5,
including software that uses OpenSSL for SSL or TLS.

Updated packages are patched to address this issue.
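
The OpenSSL advisory listed under References attributes the problem to verifiers that do not check for excess data in the result of the RSA exponentiation. The following added example (not code from this advisory or from OpenSSL) contrasts such a lax check with a strict one that rebuilds the expected block and compares it whole. It assumes SHA-1, a 128-byte block already recovered by the RSA public operation, and hypothetical function names; the two test blocks are constructed.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-1, as listed in PKCS #1 (RFC 8017, section 9.2).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def digest_info(message: bytes) -> bytes:
    return SHA1_DIGESTINFO + hashlib.sha1(message).digest()

def expected_em(message: bytes, k: int) -> bytes:
    """The single valid encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = digest_info(message)
    if k < len(t) + 11:          # at least 8 bytes of FF padding are required
        raise ValueError("block too short for PKCS #1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lax_check(em: bytes, message: bytes) -> bool:
    """Flawed: parses the padding, reads the digest, ignores what follows it."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t    # bytes after the digest never examined

def strict_check(em: bytes, message: bytes) -> bool:
    """Hardened: rebuild the expected block and compare all k bytes."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False

def constructed_blocks(message: bytes, k: int = 128):
    """Constructed test vectors: one well-formed block, one with excess data."""
    good = expected_em(message, k)
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    bad += b"\xaa" * (k - len(bad))         # filler where padding should have been
    return good, bad

if __name__ == "__main__":
    good, bad = constructed_blocks(b"example message")
    for name, em in (("well-formed", good), ("excess data", bad)):
        print(name, "lax:", lax_check(em, b"example message"),
              "strict:", strict_check(em, b"example message"))
```

The block with excess data passes the lax check and fails the strict one, which makes it a useful regression vector for any code that verifies PKCS #1 v1.5 signatures.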

Updated Packages

Corporate Server 3.0

 40f6d085215789e4bb9d5d144cee4519  corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.5.C30mdk.i586.rpm
 2fd00f3bd6efae0284aaa983073c8ba5  corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.5.C30mdk.i586.rpm
 b368995e304f72c862fc34c6e61f35bf  corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.5.C30mdk.i586.rpm
 654f5905b939a1c6126610b7e975f8f7  corporate/3.0/RPMS/openssl-0.9.7c-3.5.C30mdk.i586.rpm
 ccc3151e1c5aefcc98aa485596c2b3da  corporate/3.0/SRPMS/openssl-0.9.7c-3.5.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 017fd8538e3c3947dfea2c595471821b  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.5.C30mdk.x86_64.rpm
 b50ec610af735c08066788a612504b2c  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.5.C30mdk.x86_64.rpm
 ea0f654bdaf22c3052380f0195b7304d  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.5.C30mdk.x86_64.rpm
 9fad7d0621e268cf00cb7b4563b688b0  x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.5.C30mdk.x86_64.rpm
 ccc3151e1c5aefcc98aa485596c2b3da  x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.5.C30mdk.src.rpm

Multi Network Firewall 2.0

 8ca726c9ffb94b6ae9a908d2face1f45  mnf/2.0/RPMS/libopenssl0.9.7-0.9.7c-3.5.M20mdk.i586.rpm
 eeabbfcc0760af52214ac1c9feec2f3b  mnf/2.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.5.M20mdk.i586.rpm
 abde84e0ec02fd29130f377513e6197c  mnf/2.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.5.M20mdk.i586.rpm
 3e2297db13861a1f5cff2cfa4f07a087  mnf/2.0/RPMS/openssl-0.9.7c-3.5.M20mdk.i586.rpm
 989ac61e16977199c36e43f59f80aafc  mnf/2.0/SRPMS/openssl-0.9.7c-3.5.M20mdk.src.rpm

Mandriva Linux 2006

 c17ba5cf8e5b881e4ad1a589a3f1edce  2006.0/RPMS/libopenssl0.9.7-0.9.7g-2.3.20060mdk.i586.rpm
 97f4dc513832ebbeaf23a5a2d7db9cb3  2006.0/RPMS/libopenssl0.9.7-devel-0.9.7g-2.3.20060mdk.i586.rpm
 fab62030b41168f237028be1263c5d0f  2006.0/RPMS/libopenssl0.9.7-static-devel-0.9.7g-2.3.20060mdk.i586.rpm
 afd477e58130b17633ac35691e519484  2006.0/RPMS/openssl-0.9.7g-2.3.20060mdk.i586.rpm
 77036eaf3b8326066a93ffc2e27841f3  2006.0/SRPMS/openssl-0.9.7g-2.3.20060mdk.src.rpm

Mandriva Linux 2006/X86_64

 6176b92d5c947ebb0c321f22f7b6e31d  x86_64/2006.0/RPMS/lib64openssl0.9.7-0.9.7g-2.3.20060mdk.x86_64.rpm
 cb698592f2b76e0e9421a5bf13e7e070  x86_64/2006.0/RPMS/lib64openssl0.9.7-devel-0.9.7g-2.3.20060mdk.x86_64.rpm
 24bd46ecf22b8233b9d99a81824fe4f1  x86_64/2006.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7g-2.3.20060mdk.x86_64.rpm
 c1607ab1e2020f53353832d592f9019a  x86_64/2006.0/RPMS/openssl-0.9.7g-2.3.20060mdk.x86_64.rpm
 77036eaf3b8326066a93ffc2e27841f3  x86_64/2006.0/SRPMS/openssl-0.9.7g-2.3.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, verification of the MD5 checksum and GPG signature is performed automatically for you.