Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA-1970-1] New openssl packages fix denial of service
From: Stefan Fritsch <sf () debian org>
Date: Wed, 13 Jan 2010 18:47:58 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1970-1                  security () debian org
http://www.debian.org/security/                           Stefan Fritsch
January 13, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-4355

It was discovered that a significant memory leak could occur in openssl,
related to the reinitialization of zlib. This could result in a remotely
exploitable denial of service vulnerability when using the Apache httpd
server in a configuration where mod_ssl, mod_php5, and the php5-curl
extension are loaded.

The old stable distribution (etch) is not affected by this issue.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny6.

The packages for the arm architecture are not included in this advisory.
They will be released as soon as they become available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon. The issue does not seem to be
exploitable with the apache2 package contained in squeeze/sid.

We recommend that you upgrade your openssl packages. You also need to
restart your Apache httpd server to make sure it uses the updated
libraries.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

If you use apache2, you should restart it to make sure that it uses the
updated libraries:

/etc/init.d/apache2 restart

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
    Size/MD5 checksum:  3354792 acf70a16359bf3658bdfb74bda1c4419
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.dsc
    Size/MD5 checksum:     1973 3240bf459cdb8947e48f2dbefe57a280
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.diff.gz
    Size/MD5 checksum:    59104 06bb67baea434b022552960e6cd0f316

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_alpha.udeb
    Size/MD5 checksum:   722026 684030ca277ee132aedb6377b8d7f4e9
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_alpha.deb
    Size/MD5 checksum:  1028856 7ee53ab22e9b6211e4a043dcebe8c91a
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_alpha.deb
    Size/MD5 checksum:  2813580 c5623a1bc1363cdda859a7fb7821f26e
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_alpha.deb
    Size/MD5 checksum:  4369342 a5c5c8e0fabeab67421ddcd3143fc14e
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_alpha.deb
    Size/MD5 checksum:  2582954 e78239c77c259265884f0fc3a916c1da

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_amd64.udeb
    Size/MD5 checksum:   638372 b6aefcac5fe4c7b506fd328594a7ef1e
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_amd64.deb
    Size/MD5 checksum:   975718 d993a3bf5c2b714f34241d4129c5cd91
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_amd64.deb
    Size/MD5 checksum:  1043198 c4d0fa66bbf6bb9a85a5c926d6d32823
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_amd64.deb
    Size/MD5 checksum:  2242218 4eabde020e8cbcab26342fa0ce1c6d94
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_amd64.deb
    Size/MD5 checksum:  1627524 dc09c2e462fe448ed63fe884dbc03c9c

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_armel.deb
    Size/MD5 checksum:  1030998 d505cd8eb7543ca6726fdc91de4d823a
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_armel.deb
    Size/MD5 checksum:   850364 c90307d3eb1fc6b9c0a88cfe3f3ce49e
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_armel.deb
    Size/MD5 checksum:  1508384 7f7e664d2c2187df7314c16963bcbec4
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_armel.deb
    Size/MD5 checksum:  2100080 23b91062f109f6a5b8038142b96aa6ac
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_armel.udeb
    Size/MD5 checksum:   540714 a27289a8f7c165c9a1d3bc1e5e47d860

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_hppa.deb
    Size/MD5 checksum:   968454 307320e4435ac4f745c4589edac24c44
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_hppa.deb
    Size/MD5 checksum:  1524864 a385c063f0c7bb11d03f0b10af0ae9e2
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_hppa.deb
    Size/MD5 checksum:  2269664 3b20cf2dc9939fe2e7b3f3d0a2ab8022
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_hppa.deb
    Size/MD5 checksum:  1046148 7093672ffc82c1f073e7bd9b362622d6
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_hppa.udeb
    Size/MD5 checksum:   634496 0e4ca720c1f5f756160d5658b6876ace

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_i386.deb
    Size/MD5 checksum:  2111886 07b55073b62f613cc0866f100d7da71a
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_i386.udeb
    Size/MD5 checksum:   591656 24ec3a4b4a96ddfdec5aa478eb31d0b0
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_i386.deb
    Size/MD5 checksum:  5389130 70fd24d33bd15049405591f9fc2bbcd1
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_i386.deb
    Size/MD5 checksum:  1036390 edeadbfad4cb91701d0d854a809f587d
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_i386.deb
    Size/MD5 checksum:  2975114 5e64360f2e6dd5ac7c01be5700352c3e

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_ia64.deb
    Size/MD5 checksum:  1091724 02f18d38bd0d81ad842c0a98e717e0d6
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_ia64.deb
    Size/MD5 checksum:  1282602 288f179800dc55c7a4329b11a6d8606d
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_ia64.udeb
    Size/MD5 checksum:   865448 1897cc56f80ba69a6436e35cab884426
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_ia64.deb
    Size/MD5 checksum:  2659298 b0618ea500638424b18abc94e4116b8e
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_ia64.deb
    Size/MD5 checksum:  1466720 02f43deb94f7ca8c7fc14726e0c546e2

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mips.deb
    Size/MD5 checksum:  2305674 af7113bfec7e8b0e68df37ed5f738f64
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mips.deb
    Size/MD5 checksum:  1025046 4e292bdc8f72ed8501e5023feb8b02ca
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mips.udeb
    Size/MD5 checksum:   585108 54d6ca56986ed39dabd7f4abe9d39fea
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mips.deb
    Size/MD5 checksum:  1624960 7917a77cac88a712d07667b3a52f512c
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mips.deb
    Size/MD5 checksum:   899692 d91d59db784860acb0d1754e1e3ae6dc

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mipsel.udeb
    Size/MD5 checksum:   572340 f20f86629cf0413e991ada8d8709ab6a
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mipsel.deb
    Size/MD5 checksum:  2295270 291cd9b3b9716927c199e36ac99cfcdd
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mipsel.deb
    Size/MD5 checksum:  1588064 7a33af46eb5c6fdf29ecd4ccc72fd57a
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mipsel.deb
    Size/MD5 checksum:  1012028 2353015991c7ca5942461695029eba00
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mipsel.deb
    Size/MD5 checksum:   885438 835d6a08a8d0d3dfd12969df207749b1

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_powerpc.deb
    Size/MD5 checksum:  1035248 957678dd206e9da5eeb00812110ac4cc
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_powerpc.deb
    Size/MD5 checksum:  1643378 515ead9be6696f9f7cee90acad723e8a
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_powerpc.udeb
    Size/MD5 checksum:   656142 1c55ca2a303a068dc58b48e41106a372
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_powerpc.deb
    Size/MD5 checksum:  2244176 14b5fae6837849223de16552f48afd96
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_powerpc.deb
    Size/MD5 checksum:  1000474 d5b0c8be8037fa8eb31e128195d73777

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_s390.deb
    Size/MD5 checksum:  1602212 05dc99a65418f046330904a95c6e521d
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_s390.udeb
    Size/MD5 checksum:   692806 efbc1a57f8d002259252d3279bee81d0
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_s390.deb
    Size/MD5 checksum:  1051028 5b3fb31b94c4a6bf6a8d2612a062e665
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_s390.deb
    Size/MD5 checksum:  1024346 a2189af0b6688ed65478cb88b818754b
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_s390.deb
    Size/MD5 checksum:  2231392 1066a2bce93b8eddc9a030bdf0529ced

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_sparc.deb
    Size/MD5 checksum:  2289642 ce5da789600c428462beb658b427d781
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_sparc.deb
    Size/MD5 checksum:  1044934 f75ef304db194c15ea2de34f841b5825
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_sparc.deb
    Size/MD5 checksum:  2141914 cab94489e491e76c7718dd8f88f89049
  http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_sparc.udeb
    Size/MD5 checksum:   580378 2bfe10092e4cb83d8f4602a3f48ddb75
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_sparc.deb
    Size/MD5 checksum:  3873244 ad31823167dbebe72337f242a2f1cb06


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLThSzbxelr8HyTqQRAm+vAJ0frlXwfNDQowBWjhIIrV7xAvWSSwCgwQLq
okEtFWyu9HXkSwJF4kW2+kc=
=NA8j
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA-1970-1] New openssl packages fix denial of service Stefan Fritsch (Jan 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]