From: Mandriva Security Team <security@mandriva.com.>
To: [email protected]Subject: MDKSA-2005:179 - Updated openssl packages fix vulnerabilities
Message-Id: <E1EPZk0-0005f5-Ut@mercury.mandriva.com.>
Sender: QATeam User <qateam@mercury.mandriva.com.>
Date: Wed, 12 Oct 2005 00:05:28 -0600
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2005:179
Date: October 11th, 2005
Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0,
Corporate Server 2.1,
Multi Network Firewall 2.0
______________________________________________________________________
Problem Description:
Yutaka Oiwa discovered vulnerability potentially affects applications
that use the SSL/TLS server implementation provided by OpenSSL.
Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in third-
party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
the SSL 2.0 server supposed to prevent active protocol-version rollback
attacks. With this verification step disabled, an attacker acting as
a "man in the middle" can force a client and a server to negotiate the
SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0.
The SSL 2.0 protocol is known to have severe cryptographic weaknesses
and is supported as a fallback only. (CAN-2005-2969)
The current default algorithm for creating "message digests"
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.
To address this issue, openssl has been changed to use SHA-1 by
default. This is a more appropriate default algorithm for the majority
of use cases. If you still want to use MD5 as default, you can revert
this change by changing the two instances of "default_md = sha1" to
"default_md = md5" in /usr/{lib,lib64}/ssl/openssl.cnf. (CAN-2005-2946)
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2946http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
______________________________________________________________________
Updated Packages:
Mandrivalinux 10.1:
2fa715275a4a918b15eb02e402b755bc 10.1/RPMS/libopenssl0.9.7-0.9.7d-1.3.101mdk.i586.rpm
1912f9be0eccc4b2903616ac2c0d5103 10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.3.101mdk.i586.rpm
4d51641d38b5e0e8c6be5fcc211ffa3b 10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.3.101mdk.i586.rpm
6e40220d7461ad8e711aa2ee5a772b1f 10.1/RPMS/openssl-0.9.7d-1.3.101mdk.i586.rpm
abb721aa2ccf15e555c4f84981366022 10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Mandrivalinux 10.1/X86_64:
5b820a306004c31fcac518aec78bfea3 x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.3.101mdk.x86_64.rpm
4b506c7086fd330fde0fe724a5bd865c x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.3.101mdk.x86_64.rpm
9fb820e394e6da5db74a60d7062a6c23 x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.3.101mdk.x86_64.rpm
f113ec9a24627d354eaa37db78784d31 x86_64/10.1/RPMS/openssl-0.9.7d-1.3.101mdk.x86_64.rpm
abb721aa2ccf15e555c4f84981366022 x86_64/10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Mandrivalinux 10.2:
7448f1bd46305af8ca09c794828bc14d 10.2/RPMS/libopenssl0.9.7-0.9.7e-5.2.102mdk.i586.rpm
dd17f238c7c4eeb93f330794d28fef20 10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.2.102mdk.i586.rpm
4d6b82c86b3b7430273e9f7804b448f3 10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.2.102mdk.i586.rpm
ec6b0d749ed3f7c8b2ee48cea5c104f5 10.2/RPMS/openssl-0.9.7e-5.2.102mdk.i586.rpm
14554b0fff0abfe1da54b8f9c68c8a75 10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandrivalinux 10.2/X86_64:
a34fa268399bce8d59b185df255f1d19 x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.2.102mdk.x86_64.rpm
3f403f1c36d53bb35174c04badbea2d9 x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.2.102mdk.x86_64.rpm
68d2a4a298fd37719343c4ade853e22d x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.2.102mdk.x86_64.rpm
8b53d1949aa30ca813f27c5dd3bb1062 x86_64/10.2/RPMS/openssl-0.9.7e-5.2.102mdk.x86_64.rpm
14554b0fff0abfe1da54b8f9c68c8a75 x86_64/10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandrivalinux 2006.0:
bc7f3ba61af3334757c65e1682eb0065 2006.0/RPMS/libopenssl0.9.7-0.9.7g-2.1.20060mdk.i586.rpm
a15b20362dd7437ff974642af0756d79 2006.0/RPMS/libopenssl0.9.7-devel-0.9.7g-2.1.20060mdk.i586.rpm
65bab77540badadc2152d7803d13c63f 2006.0/RPMS/libopenssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.i586.rpm
d06fa459cf871d890bf3a4ff22b85cd7 2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.i586.rpm
fc0ed1a9eab0dfdb3f35c3cdb46004e8 2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
Mandrivalinux 2006.0/X86_64:
3b54d300cf1b6889d764e36660d3542d x86_64/2006.0/RPMS/lib64openssl0.9.7-0.9.7g-2.1.20060mdk.x86_64.rpm
aa8e520156a9d878ed43179dfcc5210f x86_64/2006.0/RPMS/lib64openssl0.9.7-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
8bece33914331ad81e9e88dfef1b4319 x86_64/2006.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.x86_64.rpm
4a654cfa16e31f450493e59de0cb372c x86_64/2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.x86_64.rpm
fc0ed1a9eab0dfdb3f35c3cdb46004e8 x86_64/2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
Multi Network Firewall 2.0:
60451a13eb787c55a9463322b6bdb419 mnf/2.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.M20mdk.i586.rpm
3a5dae5ff129437461180df9a8dd5b0b mnf/2.0/RPMS/openssl-0.9.7c-3.3.M20mdk.i586.rpm
c89dcc035040ed512ab2823b978b5205 mnf/2.0/SRPMS/openssl-0.9.7c-3.3.M20mdk.src.rpm
Corporate Server 2.1:
7ce23e8906c2001f93afdbdb544a5659 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.i586.rpm
26e569e8dd0598bd5f55d1a954989e7b corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.i586.rpm
c54a45b3cf589095382c1399f0435353 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.i586.rpm
bc5ff8f4e044678c40b5bae08b263216 corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.i586.rpm
6fa6d2e82bffdf044663ccd40b14bba3 corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate Server 2.1/X86_64:
4b85f119fb4908f785ee5e4cd6f81312 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.x86_64.rpm
d366f2f72a511fbb4887de0d17303339 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
b3a4d7295c802dc5a486022bffe8f8aa x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.x86_64.rpm
cd0e605ae88e746d8124f550ff26c723 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.x86_64.rpm
6fa6d2e82bffdf044663ccd40b14bba3 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate 3.0:
e77b2aeadf368cac390fda472f96f76d corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.C30mdk.i586.rpm
e3e077097643c9247b0e866c0ea08c9d corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.3.C30mdk.i586.rpm
eb61ee6a8464a43e951102fa5a9df4b0 corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.i586.rpm
fa6ce3b5dc685d567040061676d047ba corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.i586.rpm
502e04472212778c866211c6179f4127 corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
bdc1b94ef64f4c0c02948d8ec08184b1 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.3.C30mdk.x86_64.rpm
f2b65309719e499eb1a9d9f857c51921 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
48e9d2cd78e4a44a4bd61542a47f2d5b x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.x86_64.rpm
3aef366b6921b180f304ae1a8c10ba78 x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.x86_64.rpm
502e04472212778c866211c6179f4127 x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDTKeomqjQ0CJFipgRAu3NAKDlk6fzLxUqtjUzDcV7IkgF/vKLdQCgwCki
DUI4033wSRXeFbCegR++iRo=
=7gQt
-----END PGP SIGNATURE-----