
Security: Multiple issues in OpenSSL
Name: Multiple issues in OpenSSL
ID: MDVSA-2012:006
Distribution: Mandriva
Platforms: Mandriva Enterprise Server 5.0, Mandriva 2010.1
Date: Tue, January 17, 2012, 07:57
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://www.openssl.org/news/secadv_20120104.txt
Applications: OpenSSL

Original message


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:006
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : January 16, 2012
Affected: 2010.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in openssl:

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f
performs a MAC check only if certain padding is valid, which makes
it easier for remote attackers to recover plaintext via a padding
oracle attack (CVE-2011-4108).

Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when
X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to
have an unspecified impact by triggering failure of a policy check
(CVE-2011-4109).

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before
1.0.0f does not properly initialize data structures for block cipher
padding, which might allow remote attackers to obtain sensitive
information by decrypting the padding data sent by an SSL peer
(CVE-2011-4576).

The Server Gated Cryptography (SGC) implementation in OpenSSL before
0.9.8s and 1.x before 1.0.0f does not properly handle handshake
restarts, which allows remote attackers to cause a denial of service
via unspecified vectors (CVE-2011-4619).

The updated packages have been patched to correct these issues.
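
A minimal model of the check order described above for CVE-2011-4108, added here as an illustration; it is not OpenSSL's code. The names `CountingMac`, `accept_padding_first` and `accept_uniform` are hypothetical, the record is constructed, and the input is assumed to be a non-empty, already decrypted CBC plaintext.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length

class CountingMac:
    """HMAC-SHA1 verifier that counts calls so the control flow is observable."""
    def __init__(self, key):
        self.key, self.calls = key, 0

    def tag(self, data):
        return hmac.new(self.key, data, hashlib.sha1).digest()

    def verify(self, data, tag):
        self.calls += 1
        return hmac.compare_digest(self.tag(data), tag)

def strip_padding(plain):
    """CBC padding check: last byte n must be preceded by n bytes of value n.
    On bad padding, pretend n = 0 so there is still a body to run the MAC over."""
    n = plain[-1]
    ok = n + 1 + MAC_LEN <= len(plain) and plain[-(n + 1):] == bytes([n]) * (n + 1)
    return ok, plain[:-(n + 1)] if ok else plain[:-1]

def accept_padding_first(mac, plain):
    """Order described for CVE-2011-4108: the MAC runs only when padding is valid."""
    ok, body = strip_padding(plain)
    if not ok:
        return False                      # early exit: no MAC work at all
    return mac.verify(body[:-MAC_LEN], body[-MAC_LEN:])

def accept_uniform(mac, plain):
    """Run the MAC on every record and report one combined failure."""
    ok, body = strip_padding(plain)
    mac_ok = mac.verify(body[:-MAC_LEN], body[-MAC_LEN:])
    return ok and mac_ok

def make_record(mac, data, pad_len):
    """Build a constructed plaintext record: data || tag || padding."""
    return data + mac.tag(data) + bytes([pad_len]) * (pad_len + 1)

def mac_calls(accept, plain, key=b"constructed-demo-key"):
    """Return (accepted, number of MAC verifications) for one record."""
    mac = CountingMac(key)
    return accept(mac, plain), mac.calls
```

Equal call counts remove only the coarse difference between the two failure paths; the MAC input length in this model still depends on the padding, so real record processing should come from a maintained, patched TLS library.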
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
http://www.openssl.org/news/secadv_20120104.txt
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
afa95c1b1efc52b00f763845af45725e
2010.1/i586/libopenssl0.9.8-0.9.8s-0.1mdv2010.2.i586.rpm
bfb9fba942121a98979ae9e922b53a1b
2010.1/i586/libopenssl1.0.0-1.0.0a-1.9mdv2010.2.i586.rpm
0bc4b73013fff6b7cf8b118289dec204
2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.9mdv2010.2.i586.rpm
940dd174dba069977b50dabe16e8b01f
2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.9mdv2010.2.i586.rpm
e46c355b2ed1e50204f03b77ecdbaa54
2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.9mdv2010.2.i586.rpm
2e38206984014928b70803c29f820ab4
2010.1/i586/openssl-1.0.0a-1.9mdv2010.2.i586.rpm
39e24474ff4a35adfc8760c640c5cdf7
2010.1/SRPMS/openssl0.9.8-0.9.8s-0.1mdv2010.2.src.rpm
4f5b24138660a10d54f88a7db7d23ae4
2010.1/SRPMS/openssl-1.0.0a-1.9mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
493d7997720b64503d1223f0acd0ad95
2010.1/x86_64/lib64openssl0.9.8-0.9.8s-0.1mdv2010.2.x86_64.rpm
57fd5e751799263d9efea494b7954121
2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.9mdv2010.2.x86_64.rpm
aa8614ea58fb6e5afc35367304472652
2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.9mdv2010.2.x86_64.rpm
dfe821307ec7e11318a4bd15e37a7475
2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.9mdv2010.2.x86_64.rpm
80423dbb1ba97b8115d000d961c08426
2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.9mdv2010.2.x86_64.rpm
f7fe3031b8b4ed176deb1eb7bd3917e0
2010.1/x86_64/openssl-1.0.0a-1.9mdv2010.2.x86_64.rpm
39e24474ff4a35adfc8760c640c5cdf7
2010.1/SRPMS/openssl0.9.8-0.9.8s-0.1mdv2010.2.src.rpm
4f5b24138660a10d54f88a7db7d23ae4
2010.1/SRPMS/openssl-1.0.0a-1.9mdv2010.2.src.rpm

Mandriva Enterprise Server 5:
420e3b0756b3e2d54f9b3d938ed67705
mes5/i586/libopenssl0.9.8-0.9.8h-3.12mdvmes5.2.i586.rpm
d03e34a594f6650d1ccc0edaf53665ac
mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.12mdvmes5.2.i586.rpm
a76a3e677d942d223ac346c13088ed2e
mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.12mdvmes5.2.i586.rpm
c031589e8f7bc6c87463c334cc74643a
mes5/i586/openssl-0.9.8h-3.12mdvmes5.2.i586.rpm
60a5c08d0f8cf8455d8de874c4a5c536
mes5/SRPMS/openssl-0.9.8h-3.12mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
9bd17d8bcf25f3af4a22fe5938667f50
mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.12mdvmes5.2.x86_64.rpm
3598de5cbab06aa3c5ece65ef0c3cb5e
mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.12mdvmes5.2.x86_64.rpm
4561a4c97e3d8e0f5c2b7478cce73bf5
mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.12mdvmes5.2.x86_64.rpm
d72de8d2a7d5d61bbe1e289e195de87b
mes5/x86_64/openssl-0.9.8h-3.12mdvmes5.2.x86_64.rpm
60a5c08d0f8cf8455d8de874c4a5c536
mes5/SRPMS/openssl-0.9.8h-3.12mdvmes5.2.src.rpm
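
A patch-level check against the package list above, added here as an example and not part of the Mandriva advisory. The fixed Enterprise Server 5 build stays at 0.9.8h and the fixed 2010.1 build at 1.0.0a, so a host has to be compared against the distribution's version-release, not against upstream 0.9.8s or 1.0.0f. `FIXED` is a subset of the list, the comparison is a simplified form of RPM's segment ordering, and the inventory is constructed.

```python
import re

# Fixed version-release per platform, copied from the advisory's "Updated
# Packages" list (subset; i586 names, lib64* is mapped onto lib* below).
FIXED = {
    "2010.1": {"openssl": "1.0.0a-1.9mdv2010.2",
               "libopenssl1.0.0": "1.0.0a-1.9mdv2010.2",
               "libopenssl0.9.8": "0.9.8s-0.1mdv2010.2"},
    "mes5": {"openssl": "0.9.8h-3.12mdvmes5.2",
             "libopenssl0.9.8": "0.9.8h-3.12mdvmes5.2"},
}

def rpmvercmp(a, b):
    """Simplified RPM segment comparison (no epoch, '~' or '^'): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)                # 10 > 9, unlike string comparison
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def compare_evr(a, b):
    """Compare two 'version-release' strings: version first, release as tie-breaker."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_inventory(text):
    """Parse 'name version-release' lines into a dict."""
    return dict(line.split() for line in text.splitlines() if line.strip())

def unpatched(platform, installed):
    """Names of installed packages that are older than the advisory's fixed build."""
    fixed = FIXED[platform]
    return sorted(name for name, evr in installed.items()
                  if compare_evr(evr, fixed.get(name.replace("lib64", "lib", 1), evr)) < 0)

# Constructed inventory for a Mandriva Enterprise Server 5 host (not real output).
SAMPLE_MES5 = """\
openssl 0.9.8h-3.11mdvmes5.2
lib64openssl0.9.8 0.9.8h-3.12mdvmes5.2
bash 3.2-1mdvmes5
"""

if __name__ == "__main__":
    print(unpatched("mes5", parse_inventory(SAMPLE_MES5)))
```

On a real host the inventory lines can be produced with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.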
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPFFPomqjQ0CJFipgRAl3XAJ98ku9J45p5DbU9rrN6ysGe/RplGQCg1ueY
rXmxnKKkthEOaOLbMi8jRlg=
=HfOo
-----END PGP SIGNATURE-----

