Advisories
Mandriva Advisories
|
 |
| Problem Description |
Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The
parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which
could be triggered by a remote attacker by sending a carefully-crafted
SSL client certificate to an application. Depending upon the
application targetted, the effects seen will vary; in some cases a DoS
(Denial of Service) could be performed, in others nothing noticeable
or adverse may happen. These two vulnerabilities have been assigned
CAN-2003-0543 and CAN-2003-0544.
Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain
ASN.1 encodings that are rejected as invalid by the parser can trigger
a bug in deallocation of a structure, leading to a double free. This
can be triggered by a remote attacker by sending a carefully-crafted
SSL client certificate to an application. This vulnerability may be
exploitable to execute arbitrary code. This vulnerability has been
assigned CAN-2003-0545.
The packages provided have been built with patches provided by the
OpenSSL group that resolve these issues.
A number of server applications such as OpenSSH and Apache that make
use of OpenSSL need to be restarted after the update has been applied
to ensure that they are protected from these issues. Users are
encouraged to restart all of these services or reboot their systems.
| Updated Packages |
Mandrakelinux 8.2
e8d13a3adbd679a0c1cd15dd28eb02f1 8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm 4b783a98f4cc48be8a6b680a92f374ce 8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm 0481e5edacc8985d7255266fd136ceba 8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm 93a47ac82a618905c7d4a6e0d276c586 8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm 15b7ba1d342ae3531964e60a186874d8 8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
Mandrakelinux 9.0
ec80ef980212f5bf294f147e5bc19f76 9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm 1de4f2038f479b1b779d5b2c9320e8fb 9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm 4946dc25021ef97eb6513f3dd1dd16f6 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm 3d5e3a05ead47fafa59240be9efc87d2 9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm 6982c0adf01f00ea5d49deb24011c278 9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
Mandrakelinux 9.1
42365cfe8a9214a747bd1fa6329baec8 9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm a3a5046af719b864a337ce432e694a8b 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm 2e879f9d5349458c5653e97f20cf2218 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm cf9bc9fc1cce8841d3cdb1d9fcd8b313 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm b475cc257c14dbaccd9007afa14096f5 9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm 329bd3dd8cdfad6d445b4fbcc953dc91 9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm 9498e31ab37a4455f31827ce51afb221 9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm
Mandrakelinux 9.1/PPC
915f8ab4ea91e0d876c9204b1f3699b0 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm fafb4ac4c88c321d3c8fb7fdba54bac4 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm 184be4bdf922fbc28b590a71b7cf8c10 ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm 09e1bd3c05323d10d8002a44dbbc85dd ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm cfbcacc68e2585a5fcbbeb8c9fc3b0d7 ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm 329bd3dd8cdfad6d445b4fbcc953dc91 ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm 9498e31ab37a4455f31827ce51afb221 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm
Mandrakelinux 9.2
db717c9a2e8f98905290d341e799c7b2 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm 76ba7c153a75c5dcfeae9f9f16f001e4 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm 7655e50f898e4e4d368cd8e47d38806d 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm 3f846e75cfdbdd9e818376474e1e54c0 9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm 738181704cb49e34d982a5b4224cc66c 9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm
Mandrakelinux 9.2/AMD64
ca0c41a9170a10c229f684be684868f7 amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-5.1.92mdk.amd64.rpm 8af5795542a822e90fc77639fa5495da amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-5.1.92mdk.amd64.rpm 5b62e9e306b30bab44a03129c0b70583 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-5.1.92mdk.amd64.rpm c180a3b579ad35030e6a89fbf5b85bcb amd64/9.2/RPMS/openssl-0.9.7b-5.1.92mdk.amd64.rpm 456833256d010d5df32490ce8b122a37 amd64/9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm
Multi Network Firewall 8.2
e8d13a3adbd679a0c1cd15dd28eb02f1 mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm 93a47ac82a618905c7d4a6e0d276c586 mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm 15b7ba1d342ae3531964e60a186874d8 mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
Corporate Server 2.1
ec80ef980212f5bf294f147e5bc19f76 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm 1de4f2038f479b1b779d5b2c9320e8fb corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm 4946dc25021ef97eb6513f3dd1dd16f6 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm 3d5e3a05ead47fafa59240be9efc87d2 corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm 6982c0adf01f00ea5d49deb24011c278 corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
Corporate Server 2.1/X86_64
eab60b3828aeec0e2717890e51a90e76 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm 19d8a676a11293d8e6acb429bed63a99 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm 5eb3936b8fade73ca1c334d67edad3ae x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm 9df6c6e820719ac33744e1708621bdf3 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm 6982c0adf01f00ea5d49deb24011c278 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://www.kb.cert.org/vuls/id/935264
http://www.kb.cert.org/vuls/id/380864
http://www.kb.cert.org/vuls/id/255484
http://www.openssl.org/news/secadv_20030930.txt
http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.