
Security: Insufficient certificate verification in openssl
Name: Insufficient certificate verification in openssl
ID: MDVSA-2009:001
Distribution: Mandriva
Platforms: Mandriva Corporate 3.0, Mandriva Multi Network Firewall 2.0, Mandriva Corporate 4.0, Mandriva 2008.0, Mandriva 2008.1, Mandriva 2009.0
Date: Fri, January 9, 2009, 05:20
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
Applications: OpenSSL

Original message


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:001
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : January 8, 2009
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

The Google Security Team found a vulnerability in how OpenSSL
verified certificates. An attacker in control of a malicious server,
or able to effect a man-in-the-middle attack, could present a
malformed SSL/TLS signature from a certificate chain to a vulnerable
client, which would then bypass the certificate validation
(CVE-2008-5077).

The updated packages have been patched to prevent this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
6585e08eab279e6a249630385683bf43
2008.0/i586/libopenssl0.9.8-0.9.8e-8.2mdv2008.0.i586.rpm
b5955c2c0a2cc24abd9f5f3ebc7d0148
2008.0/i586/libopenssl0.9.8-devel-0.9.8e-8.2mdv2008.0.i586.rpm
7c92323d7aa583b936ef908f3f6ac867
2008.0/i586/libopenssl0.9.8-static-devel-0.9.8e-8.2mdv2008.0.i586.rpm
2b791168311c3ecba4f8b7acd24e64ab
2008.0/i586/openssl-0.9.8e-8.2mdv2008.0.i586.rpm
cf51c48e4c05ac5357f6076fbaeff0a5
2008.0/SRPMS/openssl-0.9.8e-8.2mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
6259ac00622227eee59f888bc516bc3a
2008.0/x86_64/lib64openssl0.9.8-0.9.8e-8.2mdv2008.0.x86_64.rpm
fe745327c1bbb599e025a5b90bb05817
2008.0/x86_64/lib64openssl0.9.8-devel-0.9.8e-8.2mdv2008.0.x86_64.rpm
bdb7113b06aab0c4d77cbf86bcf208c2
2008.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8e-8.2mdv2008.0.x86_64.rpm
d4fda198a80b88c7caaf947af0866df8
2008.0/x86_64/openssl-0.9.8e-8.2mdv2008.0.x86_64.rpm
cf51c48e4c05ac5357f6076fbaeff0a5
2008.0/SRPMS/openssl-0.9.8e-8.2mdv2008.0.src.rpm

Mandriva Linux 2008.1:
4a0be98cd3fb82a22e3836c5ae81ed37
2008.1/i586/libopenssl0.9.8-0.9.8g-4.2mdv2008.1.i586.rpm
277058ecc1d26d24bf4da5ea27d4a31f
2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.2mdv2008.1.i586.rpm
29b08a5a233f1987c4ca98aaa4e97ac5
2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.2mdv2008.1.i586.rpm
e47be879abc0c089a8f380469a6a62c8
2008.1/i586/openssl-0.9.8g-4.2mdv2008.1.i586.rpm
7395d0e10c1938be16261baba05da55c
2008.1/SRPMS/openssl-0.9.8g-4.2mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
71a69804b928a9f7856f65fee332c5ab
2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.2mdv2008.1.x86_64.rpm
e9c5d1d4895a5a679945bde62df6f988
2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.2mdv2008.1.x86_64.rpm
7f2d66839f93e2083dcd1b1f27ca4ddf
2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.2mdv2008.1.x86_64.rpm
40408ffdf13faa6c79b28c764bb88b22
2008.1/x86_64/openssl-0.9.8g-4.2mdv2008.1.x86_64.rpm
7395d0e10c1938be16261baba05da55c
2008.1/SRPMS/openssl-0.9.8g-4.2mdv2008.1.src.rpm

Mandriva Linux 2009.0:
2512f6a41e9a8e7bcff53e5737029689
2009.0/i586/libopenssl0.9.8-0.9.8h-3.1mdv2009.0.i586.rpm
d7774faaed2866da5bb05cbcf07604da
2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.1mdv2009.0.i586.rpm
ed99160bdf1ce33fa81dc47c71915318
2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.1mdv2009.0.i586.rpm
6116fafed014596ee1e6ec43db93133f
2009.0/i586/openssl-0.9.8h-3.1mdv2009.0.i586.rpm
8ad6b0d8aff3bb992d716668450aef3a
2009.0/SRPMS/openssl-0.9.8h-3.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
d2cc04fc0bdaeea8e4cc5d7ab4e997fd
2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.1mdv2009.0.x86_64.rpm
b537da3113c75f87c4fa8d66be2d6797
2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.1mdv2009.0.x86_64.rpm
ef9add2bec302b324b9c0690cf79b57c
2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.1mdv2009.0.x86_64.rpm
16b8c11f4d6dedf2e4176bfc55607c15
2009.0/x86_64/openssl-0.9.8h-3.1mdv2009.0.x86_64.rpm
8ad6b0d8aff3bb992d716668450aef3a
2009.0/SRPMS/openssl-0.9.8h-3.1mdv2009.0.src.rpm

Corporate 3.0:
5e8f4b7c1e646d0e16af2d83238a011b
corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.9.C30mdk.i586.rpm
5115d911b9a6842fd0c3495429c7c2f2
corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.9.C30mdk.i586.rpm
b934b4f9686deef6cb1eba750ab36288
corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.9.C30mdk.i586.rpm
11ec8a4df261d4d4fa9957d33be08604
corporate/3.0/i586/openssl-0.9.7c-3.9.C30mdk.i586.rpm
dcd1a4feb1a04302c54465dce7c7c506
corporate/3.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
64521521330df90b42c9c37cafe50b54
corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.9.C30mdk.x86_64.rpm
3a85c30c0511e42ec76c80e08efe5192
corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.9.C30mdk.x86_64.rpm
12af66f30c5022d8d29b57a9131458c3
corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.9.C30mdk.x86_64.rpm
62f5c54be99ddc9458670ae04b24d3f0
corporate/3.0/x86_64/openssl-0.9.7c-3.9.C30mdk.x86_64.rpm
dcd1a4feb1a04302c54465dce7c7c506
corporate/3.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm

Corporate 4.0:
60c64d9ead2b01fb39058a705fcb95dc
corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.7.20060mlcs4.i586.rpm
fb4d5555c211b375707bf7d194e74776
corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.7.20060mlcs4.i586.rpm
c13ff967b4310e5a790e85595f940b7e
corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.7.20060mlcs4.i586.rpm
e9a96a389c00ee674d689e3747c3e501
corporate/4.0/i586/openssl-0.9.7g-2.7.20060mlcs4.i586.rpm
4df38ebd98b467bdee0d4a24d3b0158f
corporate/4.0/SRPMS/openssl-0.9.7g-2.7.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
de71d0bbc98589afdf03b7a99aad7103
corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.7.20060mlcs4.x86_64.rpm
0c330148b55987e50f491c7e4d3b65a5
corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.7.20060mlcs4.x86_64.rpm
ce64720b2685fada3e88a5725c43b532
corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.7.20060mlcs4.x86_64.rpm
29f0f40602184d7f366e1d1d8e5c03e4
corporate/4.0/x86_64/openssl-0.9.7g-2.7.20060mlcs4.x86_64.rpm
4df38ebd98b467bdee0d4a24d3b0158f
corporate/4.0/SRPMS/openssl-0.9.7g-2.7.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
74a4beac1c01f9fd888dd5eea356f7be
mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.9.C30mdk.i586.rpm
c809a08f26051c7a3931ccda00c94429
mnf/2.0/i586/openssl-0.9.7c-3.9.C30mdk.i586.rpm
8ae9f7004b77dca2317980ba4215dc92
mnf/2.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJZqIYmqjQ0CJFipgRAqRNAKDNNvWgsIk0/eh5f8539zOJ7dtnnQCeJezP
ZE8i9Ju80WcdhXe9yIoPevE=
=9n1t
-----END PGP SIGNATURE-----
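
The Problem Description above does not name the coding error. The upstream OpenSSL advisory for CVE-2008-5077 attributes it to callers that treated the error result of EVP_VerifyFinal as success. The following added example (not code from OpenSSL or Mandriva) shows that pattern next to the corrected check; `toy_verify`, `accept_flawed`, `accept_hardened` and the byte strings are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not taken from any real certificate. */
static const unsigned char EXPECTED[]  = {0xde, 0xad, 0xbe, 0xef};
static const unsigned char GOOD[]      = {0x30, 0x04, 0xde, 0xad, 0xbe, 0xef};
static const unsigned char WRONG[]     = {0x30, 0x04, 0x00, 0x00, 0x00, 0x00};
static const unsigned char MALFORMED[] = {0x31, 0x04, 0xde, 0xad}; /* bad tag, bad length */

/* Hypothetical tri-state verifier (toy framing: 0x30, length, payload).
 * Returns 1 = valid, 0 = invalid signature, -1 = error while decoding. */
static int toy_verify(const unsigned char *sig, size_t len)
{
    if (len < 2 || sig[0] != 0x30 || (size_t)sig[1] != len - 2)
        return -1;                        /* malformed encoding */
    if (len - 2 != sizeof EXPECTED ||
        memcmp(sig + 2, EXPECTED, sizeof EXPECTED) != 0)
        return 0;                         /* well-formed but wrong */
    return 1;
}

/* Flawed caller: only 0 counts as failure, so the -1 error path is accepted. */
static int accept_flawed(const unsigned char *sig, size_t len)
{
    if (!toy_verify(sig, len))
        return 0;
    return 1;
}

/* Hardened caller: anything other than an explicit 1 is a rejection. */
static int accept_hardened(const unsigned char *sig, size_t len)
{
    return toy_verify(sig, len) == 1;
}

int main(void)
{
    printf("good:      flawed=%d hardened=%d\n",
           accept_flawed(GOOD, sizeof GOOD), accept_hardened(GOOD, sizeof GOOD));
    printf("wrong:     flawed=%d hardened=%d\n",
           accept_flawed(WRONG, sizeof WRONG), accept_hardened(WRONG, sizeof WRONG));
    printf("malformed: flawed=%d hardened=%d\n",
           accept_flawed(MALFORMED, sizeof MALFORMED),
           accept_hardened(MALFORMED, sizeof MALFORMED));
    return 0;
}
```

When auditing client code for the same mistake, look for any tri-state verification result tested with `!` or `!= 0` instead of an explicit comparison against the success value.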
