The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[USN-522-1] OpenSSL vulnerabilities


<< Previous INDEX Search src / Print Next >>
Date: Fri, 28 Sep 2007 18:32:42 -0700
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-522-1] OpenSSL vulnerabilities
Message-ID: <20070929013242.GH23742@outflux.net.>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="Thv7PGoFpDPJ7Oar"
Content-Disposition: inline
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.300 $
X-HELO: gorgon.outflux.net
X-Scanned-By: MIMEDefang 2.57 on 10.2.0.1
X-Virus-Scanned: antivirus-gw at tyumen.ru


--Thv7PGoFpDPJ7Oar
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=20
Ubuntu Security Notice USN-522-1         September 29, 2007
openssl vulnerabilities
CVE-2007-3108, CVE-2007-5135
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libssl0.9.8                     0.9.8a-7ubuntu0.4

Ubuntu 6.10:
  libssl0.9.8                     0.9.8b-2ubuntu2.1

Ubuntu 7.04:
  libssl0.9.8                     0.9.8c-4ubuntu0.1

After a standard system upgrade you need to reboot your computer to
affect the necessary changes.

Details follow:

It was discovered that OpenSSL did not correctly perform Montgomery
multiplications.  Local attackers might be able to reconstruct RSA
private keys by examining another user's OpenSSL processes. (CVE-2007-3108)

Moritz Jodeit discovered that OpenSSL's SSL_get_shared_ciphers function
did not correctly check the size of the buffer it was writing to.
A remote attacker could exploit this to write one NULL byte past the end of
an application's cipher list buffer, possibly leading to arbitrary code
execution or a denial of service. (CVE-2007-5135)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4.diff.gz
      Size/MD5:    40104 abaa56ceffcfafd0d628fc68b1c83675
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4.dsc
      Size/MD5:      814 e348ddbc2703e3dda91c500531cf4f45
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.or=
ig.tar.gz
      Size/MD5:  3271435 1d16c727c10185e4d694f87f5e424ee1

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8a-7ubuntu0.4_amd64.udeb
      Size/MD5:   571738 9e614030df1cc56597aa4e7a7df23d18
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a=
-7ubuntu0.4_amd64.deb
      Size/MD5:  2167362 c46ae159491e08e6df452617f069fb1a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8a-7ubuntu0.4_amd64.deb
      Size/MD5:  1682190 3f8e4f0e18004602d6d05200d1ceaa59
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
a-7ubuntu0.4_amd64.deb
      Size/MD5:   875108 fde0f7829a2684230b42b9aa37474a87
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4_amd64.deb
      Size/MD5:   984620 3c835a22e594cd97d7286944c94144bb

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8a-7ubuntu0.4_i386.udeb
      Size/MD5:   509504 7461427863f8fb2515f4e666a445eb09
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a=
-7ubuntu0.4_i386.deb
      Size/MD5:  2023780 d20f64ea8137c4c9aed26e911078bd15
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8a-7ubuntu0.4_i386.deb
      Size/MD5:  5051744 e377b372e70216b7c913229c840fe01e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
a-7ubuntu0.4_i386.deb
      Size/MD5:  2595078 4d10155df912f64bb004d154b942bea1
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4_i386.deb
      Size/MD5:   976114 4cf728c1f64e50634489c6c9838eae69

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8a-7ubuntu0.4_powerpc.udeb
      Size/MD5:   557892 32b64e8623c7f77c4d8c2a26fa58ff90
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a=
-7ubuntu0.4_powerpc.deb
      Size/MD5:  2181178 4e1f7491e3801576114ceac6235199d9
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8a-7ubuntu0.4_powerpc.deb
      Size/MD5:  1726640 0da13816bfddf51e4b306c3aa78c466e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
a-7ubuntu0.4_powerpc.deb
      Size/MD5:   861466 d2650c1bfa597edefd32fa380bee42ec
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4_powerpc.deb
      Size/MD5:   980256 3e1b6dec9136ba3c9456dc4301a105c5

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8a-7ubuntu0.4_sparc.udeb
      Size/MD5:   530816 8a79b8c47ab103c6fe308c35fc73e1a6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a=
-7ubuntu0.4_sparc.deb
      Size/MD5:  2092694 fd51d17a31a87f289860621e3ceef1c0
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8a-7ubuntu0.4_sparc.deb
      Size/MD5:  3941790 24f88f1ec00a33da9af06476cd24c845
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
a-7ubuntu0.4_sparc.deb
      Size/MD5:  2091088 3a3780f90853dfe75d0dfe361ca387a2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7u=
buntu0.4_sparc.deb
      Size/MD5:   988320 08ed566f5fb60ff6211fd15d188bc9d7

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1.diff.gz
      Size/MD5:    47085 11e24acb96e5a9ab984a7f0f52eaccee
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1.dsc
      Size/MD5:      815 0edc3573b1bf7cb3fcee66dfb5531030
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b.or=
ig.tar.gz
      Size/MD5:  3279283 12cedbeb6813a0d7919dbf1f82134b86

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8b-2ubuntu2.1_amd64.udeb
      Size/MD5:   580868 ea4ca3f339aa81ac94cb6430a66e4732
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b=
-2ubuntu2.1_amd64.deb
      Size/MD5:  2180120 73efee92606753a9d44ef2f14e513650
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8b-2ubuntu2.1_amd64.deb
      Size/MD5:  1637050 5d20af66d19892f44b9c16932fda98cb
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
b-2ubuntu2.1_amd64.deb
      Size/MD5:   889090 1c1e0ac246ea81ab44dea11c1f7b84c3
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1_amd64.deb
      Size/MD5:   999446 e14ae572b7c245ac7218309b62998606

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8b-2ubuntu2.1_i386.udeb
      Size/MD5:   544572 0041f7ee93c548d4504e12d1090b46b4
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b=
-2ubuntu2.1_i386.deb
      Size/MD5:  2063198 14e10f14147b3dc12c8811fc53592fc6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8b-2ubuntu2.1_i386.deb
      Size/MD5:  5488610 ff380444cf5a3518a98dcb264bb68c17
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
b-2ubuntu2.1_i386.deb
      Size/MD5:  2699364 0f23e3bbf255b1c333bc27c6133ad6dc
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1_i386.deb
      Size/MD5:   993544 6a229b5256bc4719116e31d8c9c6e067

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8b-2ubuntu2.1_powerpc.udeb
      Size/MD5:   586188 7d04f1a35812e10be8b5cf5e3ca64e42
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b=
-2ubuntu2.1_powerpc.deb
      Size/MD5:  2211960 adc548aee23416dc2c04b0ae0653fd58
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8b-2ubuntu2.1_powerpc.deb
      Size/MD5:  1704024 969005d56c1ce43c1e25b2155992cb06
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
b-2ubuntu2.1_powerpc.deb
      Size/MD5:   893346 144f7e53fd45ae765229ca09d90b0324
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1_powerpc.deb
      Size/MD5:   994320 7be85bbd6f1578b43883a932d27ff0d4

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8b-2ubuntu2.1_sparc.udeb
      Size/MD5:   539786 a44f4d54cce712b2572a8c2d1a8892b0
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b=
-2ubuntu2.1_sparc.deb
      Size/MD5:  2106146 18369000e29065950ab20c49f2549a68
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8b-2ubuntu2.1_sparc.deb
      Size/MD5:  4024194 6f18fdd6cf1baa4fc5df70dd911a5e5c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
b-2ubuntu2.1_sparc.deb
      Size/MD5:  2127048 7dfd58d7598348c49329ab9ca7779f1e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2u=
buntu2.1_sparc.deb
      Size/MD5:  1002710 4faf43217bd97ec20d9e6f5231f3b796

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1.diff.gz
      Size/MD5:    46065 1fe689e18314f75796223804cea5da8a
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1.dsc
      Size/MD5:      899 5f7c71575be2444fba320a4ea5347a94
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c.or=
ig.tar.gz
      Size/MD5:  3313857 78454bec556bcb4c45129428a766c886

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8c-4ubuntu0.1_amd64.udeb
      Size/MD5:   604410 83e090a4f4baad96cd699d641c906ed6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c=
-4ubuntu0.1_amd64.deb
      Size/MD5:  2186538 db9dfc2ec8dffea2f5e05bdf3e0c6f51
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8c-4ubuntu0.1_amd64.deb
      Size/MD5:  1644896 ed4ae60bc2e36d90cde8f6984d6025b3
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
c-4ubuntu0.1_amd64.deb
      Size/MD5:   918056 805ff29173ca5647c6444fbf048dcf60
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1_amd64.deb
      Size/MD5:  1006294 9dcf97059a7eb886d4a868c4398e78cb

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8c-4ubuntu0.1_i386.udeb
      Size/MD5:   569612 cf9450e5dcf3a4f7fdba8c1a8a430323
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c=
-4ubuntu0.1_i386.deb
      Size/MD5:  2068216 421e07755a1c502e023e8b7ee1f60d19
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8c-4ubuntu0.1_i386.deb
      Size/MD5:  5499042 a1cbbc625498defe107e38775bde8aa0
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
c-4ubuntu0.1_i386.deb
      Size/MD5:  2809096 194214034d640049a38a210feded7271
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1_i386.deb
      Size/MD5:  1001124 68f2244ac28054ceb381db892b0a2aa8

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8c-4ubuntu0.1_powerpc.udeb
      Size/MD5:   617042 f3649896a69d3aa8fe05f2d62179a6fa
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c=
-4ubuntu0.1_powerpc.deb
      Size/MD5:  2217064 bab2220243ab79b13c3f6178f72ca5b3
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8c-4ubuntu0.1_powerpc.deb
      Size/MD5:  1704864 886ea205f259a781cd464344ca238438
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
c-4ubuntu0.1_powerpc.deb
      Size/MD5:   939056 aca2ce7f7970c967b54d5d09ee1bc0c2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1_powerpc.deb
      Size/MD5:  1014828 fa78b637a7b5ce72261442d7e9de8522

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-ud=
eb_0.9.8c-4ubuntu0.1_sparc.udeb
      Size/MD5:   562986 9e32a5b64da75b53c5651b0ab12413e8
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c=
-4ubuntu0.1_sparc.deb
      Size/MD5:  2111498 45b61e49ef4a3c8766acd4986170b60c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0=
=2E9.8c-4ubuntu0.1_sparc.deb
      Size/MD5:  4052930 6ad0e11956c1fdb699429abe604d3886
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8=
c-4ubuntu0.1_sparc.deb
      Size/MD5:  2205482 75db2b4f995c2f564612566b299a428d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4u=
buntu0.1_sparc.deb
      Size/MD5:  1016618 ec64c2da5c6b4bbec42d9099cc0ef0e6


--Thv7PGoFpDPJ7Oar
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG/as6H/9LqRcGPm0RAh0sAJ4hDmdzt/sv1z7Iz4R/FEFaIP9MmQCfcqPm
Jcqghb48aWG8YEOU801uFP0=
=Pn1Q
-----END PGP SIGNATURE-----

--Thv7PGoFpDPJ7Oar--


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру