Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2005:179 - Updated openssl packages fix vulnerabilities
From: Mandriva Security Team <security () mandriva com>
Date: Wed, 12 Oct 2005 00:05:29 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           openssl
 Advisory ID:            MDKSA-2005:179
 Date:                   October 11th, 2005

 Affected versions:      10.1, 10.2, 2006.0, Corporate 3.0,
                         Corporate Server 2.1,
                         Multi Network Firewall 2.0
 ______________________________________________________________________

 Problem Description:

 Yutaka Oiwa discovered vulnerability potentially affects applications 
 that use the SSL/TLS server implementation provided by OpenSSL.
 
 Such applications are affected if they use the option 
 SSL_OP_MSIE_SSLV2_RSA_PADDING.  This option is implied by use of
 SSL_OP_ALL, which is intended to work around various bugs in third-
 party software that might prevent interoperability.  The
 SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
 the SSL 2.0 server supposed to prevent active protocol-version rollback
 attacks.  With this verification step disabled, an attacker acting as
 a "man in the middle" can force a client and a server to negotiate the
 SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0.
 The SSL 2.0 protocol is known to have severe cryptographic weaknesses
 and is supported as a fallback only. (CAN-2005-2969)
 
 The current default algorithm for creating "message digests"
 (electronic signatures) for certificates created by openssl is MD5.
 However, this algorithm is not deemed secure any more, and some
 practical attacks have been demonstrated which could allow an attacker
 to forge certificates with a valid certification authority signature
 even if he does not know the secret CA signing key.
 
 To address this issue, openssl has been changed to use SHA-1 by
 default. This is a more appropriate default algorithm for the majority
 of use cases.  If you still want to use MD5 as default, you can revert
 this change by changing the two instances of "default_md = sha1" to
 "default_md = md5" in /usr/{lib,lib64}/ssl/openssl.cnf. (CAN-2005-2946)
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2946
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 2fa715275a4a918b15eb02e402b755bc  10.1/RPMS/libopenssl0.9.7-0.9.7d-1.3.101mdk.i586.rpm
 1912f9be0eccc4b2903616ac2c0d5103  10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.3.101mdk.i586.rpm
 4d51641d38b5e0e8c6be5fcc211ffa3b  10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.3.101mdk.i586.rpm
 6e40220d7461ad8e711aa2ee5a772b1f  10.1/RPMS/openssl-0.9.7d-1.3.101mdk.i586.rpm
 abb721aa2ccf15e555c4f84981366022  10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 5b820a306004c31fcac518aec78bfea3  x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.3.101mdk.x86_64.rpm
 4b506c7086fd330fde0fe724a5bd865c  x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.3.101mdk.x86_64.rpm
 9fb820e394e6da5db74a60d7062a6c23  x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.3.101mdk.x86_64.rpm
 f113ec9a24627d354eaa37db78784d31  x86_64/10.1/RPMS/openssl-0.9.7d-1.3.101mdk.x86_64.rpm
 abb721aa2ccf15e555c4f84981366022  x86_64/10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm

 Mandrivalinux 10.2:
 7448f1bd46305af8ca09c794828bc14d  10.2/RPMS/libopenssl0.9.7-0.9.7e-5.2.102mdk.i586.rpm
 dd17f238c7c4eeb93f330794d28fef20  10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.2.102mdk.i586.rpm
 4d6b82c86b3b7430273e9f7804b448f3  10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.2.102mdk.i586.rpm
 ec6b0d749ed3f7c8b2ee48cea5c104f5  10.2/RPMS/openssl-0.9.7e-5.2.102mdk.i586.rpm
 14554b0fff0abfe1da54b8f9c68c8a75  10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 a34fa268399bce8d59b185df255f1d19  x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.2.102mdk.x86_64.rpm
 3f403f1c36d53bb35174c04badbea2d9  x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.2.102mdk.x86_64.rpm
 68d2a4a298fd37719343c4ade853e22d  x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.2.102mdk.x86_64.rpm
 8b53d1949aa30ca813f27c5dd3bb1062  x86_64/10.2/RPMS/openssl-0.9.7e-5.2.102mdk.x86_64.rpm
 14554b0fff0abfe1da54b8f9c68c8a75  x86_64/10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm

 Mandrivalinux 2006.0:
 bc7f3ba61af3334757c65e1682eb0065  2006.0/RPMS/libopenssl0.9.7-0.9.7g-2.1.20060mdk.i586.rpm
 a15b20362dd7437ff974642af0756d79  2006.0/RPMS/libopenssl0.9.7-devel-0.9.7g-2.1.20060mdk.i586.rpm
 65bab77540badadc2152d7803d13c63f  2006.0/RPMS/libopenssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.i586.rpm
 d06fa459cf871d890bf3a4ff22b85cd7  2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.i586.rpm
 fc0ed1a9eab0dfdb3f35c3cdb46004e8  2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 3b54d300cf1b6889d764e36660d3542d  x86_64/2006.0/RPMS/lib64openssl0.9.7-0.9.7g-2.1.20060mdk.x86_64.rpm
 aa8e520156a9d878ed43179dfcc5210f  x86_64/2006.0/RPMS/lib64openssl0.9.7-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
 8bece33914331ad81e9e88dfef1b4319  x86_64/2006.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
 4a654cfa16e31f450493e59de0cb372c  x86_64/2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.x86_64.rpm
 fc0ed1a9eab0dfdb3f35c3cdb46004e8  x86_64/2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 60451a13eb787c55a9463322b6bdb419  mnf/2.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.M20mdk.i586.rpm
 3a5dae5ff129437461180df9a8dd5b0b  mnf/2.0/RPMS/openssl-0.9.7c-3.3.M20mdk.i586.rpm
 c89dcc035040ed512ab2823b978b5205  mnf/2.0/SRPMS/openssl-0.9.7c-3.3.M20mdk.src.rpm

 Corporate Server 2.1:
 7ce23e8906c2001f93afdbdb544a5659  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.i586.rpm
 26e569e8dd0598bd5f55d1a954989e7b  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.i586.rpm
 c54a45b3cf589095382c1399f0435353  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.i586.rpm
 bc5ff8f4e044678c40b5bae08b263216  corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.i586.rpm
 6fa6d2e82bffdf044663ccd40b14bba3  corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 4b85f119fb4908f785ee5e4cd6f81312  x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.x86_64.rpm
 d366f2f72a511fbb4887de0d17303339  x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
 b3a4d7295c802dc5a486022bffe8f8aa  x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
 cd0e605ae88e746d8124f550ff26c723  x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.x86_64.rpm
 6fa6d2e82bffdf044663ccd40b14bba3  x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm

 Corporate 3.0:
 e77b2aeadf368cac390fda472f96f76d  corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.C30mdk.i586.rpm
 e3e077097643c9247b0e866c0ea08c9d  corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.3.C30mdk.i586.rpm
 eb61ee6a8464a43e951102fa5a9df4b0  corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.i586.rpm
 fa6ce3b5dc685d567040061676d047ba  corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.i586.rpm
 502e04472212778c866211c6179f4127  corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bdc1b94ef64f4c0c02948d8ec08184b1  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.3.C30mdk.x86_64.rpm
 f2b65309719e499eb1a9d9f857c51921  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
 48e9d2cd78e4a44a4bd61542a47f2d5b  x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
 3aef366b6921b180f304ae1a8c10ba78  x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.x86_64.rpm
 502e04472212778c866211c6179f4127  x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTKeomqjQ0CJFipgRAu3NAKDlk6fzLxUqtjUzDcV7IkgF/vKLdQCgwCki
DUI4033wSRXeFbCegR++iRo=
=7gQt
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • MDKSA-2005:179 - Updated openssl packages fix vulnerabilities Mandriva Security Team (Oct 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault