Advisories
Mandriva Advisories
|
 |
| Problem Description |
A flaw in how OpenSSL performed Montgomery multiplications was
discovered %that could allow a local attacker to reconstruct
RSA private keys by examining another user's OpenSSL processes
(CVE-2007-3108).
Moritz Jodeit found that OpenSSL's SSL_get_shared_ciphers() function
did not correctly check the size of the buffer it was writing to.
As a result, a remote attacker could exploit this to write one NULL
byte past the end of the applications's cipher list buffer, which could
possibly lead to a denial of service or the execution of arbitrary code
(CVE-2007-5135).
Updated packages have been patched to prevent these issues.
| Updated Packages |
Corporate Server 3.0
2f687b8e796e5c11bfeda56fc250f460 corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.8.C30mdk.i586.rpm 0a136b0188589daa96a275e2a908975f corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.8.C30mdk.i586.rpm 33e77c95c1ed8d2dd987c228db1f0b85 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.8.C30mdk.i586.rpm 92206bcee38e0161642214da33346dde corporate/3.0/i586/openssl-0.9.7c-3.8.C30mdk.i586.rpm 50ae55cf0a49e289928c6322cb6d38a1 corporate/3.0/SRPMS/openssl-0.9.7c-3.8.C30mdk.src.rpm
Corporate Server 3.0/X86_64
e79a1806eccc086a25fe531b4bb960d2 corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.8.C30mdk.x86_64.rpm 824675fbf7aa8d32d49f629ebcb15e81 corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.8.C30mdk.x86_64.rpm 8ccdb4d500319cd78e24225f8d746ee5 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.8.C30mdk.x86_64.rpm 44581db7a0c584364106030cc1f1ba60 corporate/3.0/x86_64/openssl-0.9.7c-3.8.C30mdk.x86_64.rpm 50ae55cf0a49e289928c6322cb6d38a1 corporate/3.0/SRPMS/openssl-0.9.7c-3.8.C30mdk.src.rpm
Multi Network Firewall 2.0
57c9c59fa9d048e9b707d938a0daa3b1 mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.8.M20mdk.i586.rpm 8681281473c7b2472597456ad77938a9 mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.8.M20mdk.i586.rpm 5d2a191ab92ec741d2546fb79d49e330 mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.8.M20mdk.i586.rpm 0d00b0e6cbff0b4dbd4e9c9b3659b6f8 mnf/2.0/i586/openssl-0.9.7c-3.8.M20mdk.i586.rpm 448e7559127aef13218ef2272b671e0d mnf/2.0/SRPMS/openssl-0.9.7c-3.8.M20mdk.src.rpm
Mandriva Linux 2007
5c8d0d9913f050fb578249727ff354ff 2007.0/i586/libopenssl0.9.8-0.9.8b-2.3mdv2007.0.i586.rpm 53c7176ef6b16948aa6d5bb67def299d 2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.3mdv2007.0.i586.rpm 1c8ef1064b4c632af64bc0ec1751ac89 2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.3mdv2007.0.i586.rpm bb608ba18b44a0dfbe36982e6a271b22 2007.0/i586/openssl-0.9.8b-2.3mdv2007.0.i586.rpm 540e96d09fbd35eb2eca24702cc0931d 2007.0/SRPMS/openssl-0.9.8b-2.3mdv2007.0.src.rpm
Mandriva Linux 2007/X86_64
3e23bf1e61fc8a19c7872079011788e6 2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.3mdv2007.0.x86_64.rpm 65671d72b5bb5b915bc01ab2dc846c34 2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.3mdv2007.0.x86_64.rpm c16fd9258d72f6ccc3aaefafc75cd99d 2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.3mdv2007.0.x86_64.rpm ed45fcbd3374c335d074932dff91030b 2007.0/x86_64/openssl-0.9.8b-2.3mdv2007.0.x86_64.rpm 540e96d09fbd35eb2eca24702cc0931d 2007.0/SRPMS/openssl-0.9.8b-2.3mdv2007.0.src.rpm
Corporate Server 4.0
426c94750032db44cef75628fce870f3 corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.6.20060mlcs4.i586.rpm 58322f979d059ba5d159673295388811 corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.6.20060mlcs4.i586.rpm 9be093a49f1f39155ee6027142ae5910 corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.6.20060mlcs4.i586.rpm 0d8cf221955d4fe023c531864e1834c1 corporate/4.0/i586/openssl-0.9.7g-2.6.20060mlcs4.i586.rpm 147ea629d4b5af8eac458f391284cbca corporate/4.0/SRPMS/openssl-0.9.7g-2.6.20060mlcs4.src.rpm
Corporate Server 4.0/X86_64
4d1bd83a0f0176c39fcc26fbe83e4164 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.6.20060mlcs4.x86_64.rpm dc12b5da6598a34f18a43e04bb0956ac corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.6.20060mlcs4.x86_64.rpm b8c7936de5ceb1a868f45e2128e828f9 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.6.20060mlcs4.x86_64.rpm 39b8c2cfae2941c825d61054f4a04bea corporate/4.0/x86_64/openssl-0.9.7g-2.6.20060mlcs4.x86_64.rpm 147ea629d4b5af8eac458f391284cbca corporate/4.0/SRPMS/openssl-0.9.7g-2.6.20060mlcs4.src.rpm
Mandriva Linux 2007.1
c5aad78d2ba1294bd3039abfcddd8382 2007.1/i586/libopenssl0.9.8-0.9.8e-2.2mdv2007.1.i586.rpm 31bca08992e98aed69c39ff479a18b29 2007.1/i586/libopenssl0.9.8-devel-0.9.8e-2.2mdv2007.1.i586.rpm 06c20e0fb027dce47c3833caddf87a2f 2007.1/i586/libopenssl0.9.8-static-devel-0.9.8e-2.2mdv2007.1.i586.rpm ee5037b0daafcbf083cf02be27419b3d 2007.1/i586/openssl-0.9.8e-2.2mdv2007.1.i586.rpm a2ca18e0e306f519d6011eed118a02c8 2007.1/SRPMS/openssl-0.9.8e-2.2mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64
02d5ae105bc7946b7dc6cfd498c681f4 2007.1/x86_64/lib64openssl0.9.8-0.9.8e-2.2mdv2007.1.x86_64.rpm 2778805e15d75e2bf4ecde66a5b21455 2007.1/x86_64/lib64openssl0.9.8-devel-0.9.8e-2.2mdv2007.1.x86_64.rpm 9003241feaccbc47091e46fa05bc8fb1 2007.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8e-2.2mdv2007.1.x86_64.rpm d1fbd88ec3ffa6d4df856538b853ca59 2007.1/x86_64/openssl-0.9.8e-2.2mdv2007.1.x86_64.rpm a2ca18e0e306f519d6011eed118a02c8 2007.1/SRPMS/openssl-0.9.8e-2.2mdv2007.1.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.