[SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
From: Noah Meyerhans <noahm@debian.org.>
Date: Wed, 10 Oct 2007 19:59:21 +0200
Subject: [SECURITY] [DSA 1379-2] New openssl packages fix arbitrary code execution
Priority: urgent
Resent-Message-ID: <awNg0.A.ChF.DMRDHB@murphy.>
Reply-To: [email protected]
Mail-Followup-To: [email protected]
To: [email protected]
Resent-Date: Wed, 10 Oct 2007 17:59:31 +0000 (UTC)
Resent-From: [email protected] (Mailing List Manager)
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1379-2 [email protected]
http://www.debian.org/security/ Noah Meyerhans
October 10, 2007
- ------------------------------------------------------------------------
Package : openssl097, openssl096
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435
An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in OpenSSL, an implementation of Secure Socket Layer
cryptographic libraries and utilities. This error could allow an
attacker to crash an application making use of OpenSSL's libssl library,
or potentially execute arbitrary code in the security context of the
user running such an application.
This update to DSA 1379 announces the availability of the libssl0.9.6
and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch
(stable), respectively.
We recommend that you upgrade your openssl097 and openssl096 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 3.1 (oldstable)
- ----------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.dsc
Size/MD5 checksum: 617 d5c107efd03887064c12ca3f3785eb22
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz
Size/MD5 checksum: 2184918 1b63bfdca1c37837dddde9f1623498f9
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.diff.gz
Size/MD5 checksum: 21639 3a9b336e6f7e1ecdb12b925928bf9061
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_alpha.deb
Size/MD5 checksum: 1966700 cb66c5de2c58624ce1a066d9f6db108b
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_amd64.deb
Size/MD5 checksum: 578788 acbc334b7cbf3b154c5bd5516160043d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_arm.deb
Size/MD5 checksum: 519050 1f32d009ee447998eb0b7b5d977ec269
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_hppa.deb
Size/MD5 checksum: 588092 0640e3135183515b1d5739cc35471501
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_i386.deb
Size/MD5 checksum: 1758424 afcd7f2f3b9ceb67eda7a1b6008af9d1
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_ia64.deb
Size/MD5 checksum: 815824 e1e0e0e29d2fadaa9126a0f40ef0f7ac
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_mips.deb
Size/MD5 checksum: 577428 9b2b390a8841638216d14dfb59244486
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_powerpc.deb
Size/MD5 checksum: 583112 6b926d1b39bc0a83e4f098b873b3f111
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_s390.deb
Size/MD5 checksum: 603014 698f599a8765889800a62e088674fcf7
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_sparc.deb
Size/MD5 checksum: 1460366 0e4d599821004ace0bf499fd688a22f1
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.dsc
Size/MD5 checksum: 769 b7a4e535383394c3be009e3a1df09bdd
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz
Size/MD5 checksum: 3292692 be6bba1d67b26eabb48cf1774925416f
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.diff.gz
Size/MD5 checksum: 33285 dc2f489812286cecb705f5b77d523a1e
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_alpha.deb
Size/MD5 checksum: 3822210 91e845e9663d5e5fd0606254484fce29
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_alpha.deb
Size/MD5 checksum: 2210464 5d4c3807d8d5d67cf99882f061bca0d8
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_amd64.deb
Size/MD5 checksum: 1325984 321bfb5960f3d0f8bd80792e7c7c5f05
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_amd64.deb
Size/MD5 checksum: 755416 e80a880d70bd4f5be5653559e664413a
arm architecture (ARM)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_arm.deb
Size/MD5 checksum: 1229966 70eef9e08baa248416efbd49bc064df9
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_arm.deb
Size/MD5 checksum: 672290 f30616f8250e48b794e75fbb098b8fe8
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_hppa.deb
Size/MD5 checksum: 1273442 e8518a1f26ff7ea13b04d16c760de661
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_hppa.deb
Size/MD5 checksum: 793182 9b009b750c25c3bbfb3138bfb920702d
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_i386.deb
Size/MD5 checksum: 2284392 cded472858b38935b95aa798e72e0555
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_i386.deb
Size/MD5 checksum: 4642676 4f181f50322b488f9eed50fc167d0712
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_ia64.deb
Size/MD5 checksum: 1263422 b710a9e027214c21fd29f58e6cd45bc1
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_ia64.deb
Size/MD5 checksum: 1009882 18617eeb4e2056de2b0d18fe2045bbce
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mips.deb
Size/MD5 checksum: 1352460 e31e5b9e481800bfb194c3693e39e876
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mips.deb
Size/MD5 checksum: 729966 52952a3b76cfdca4ede580eaa1120a48
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mipsel.deb
Size/MD5 checksum: 718836 9cbc00898d56a3e7db3839b0eb6a087b
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mipsel.deb
Size/MD5 checksum: 1316952 f19c960283886c8c1b94d1fa2d385ca5
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_powerpc.deb
Size/MD5 checksum: 743238 792e64a2ada756b4e586eea50e2e3c3c
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_powerpc.deb
Size/MD5 checksum: 1382044 31704c8cdf8be905ebc35be75f885fc5
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_s390.deb
Size/MD5 checksum: 794166 d34483e35b01102e03c9d0dedb37f32e
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_s390.deb
Size/MD5 checksum: 1317042 7e1ab24baa1cf7c686d3b78aea6bb386
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_sparc.deb
Size/MD5 checksum: 1798892 afc22b79114ee90c8ee388e45115c6c6
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_sparc.deb
Size/MD5 checksum: 3416966 9f1463223729527bd231690d40821e10
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHDRJ9YrVLjBFATsMRAtBgAJ9KN8v5gupjCqdsrKRNhg9fxIcP9gCfQ+O3
YjNEPdqHPfLFPe4UFq/+Y8s=
=Wnfa
-----END PGP SIGNATURE-----