MDVSA-2011:137
- Package name: openssl
- Date: 2011-09-28
- Advisory ID: MDVSA-2011:137
- Affected versions: 2011 i586, 2011 x86_64, 2010.1 i586, 2010.1 x86_64

Problem description
Multiple vulnerabilities have been discovered and corrected in openssl:

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
is used for the ECDHE_ECDSA cipher suite, does not properly implement
curves over binary fields, which makes it easier for context-dependent
attackers to determine private keys via a timing attack and a lattice
calculation (CVE-2011-1945).

crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
initialize certain structure members, which makes it easier for
remote attackers to bypass CRL validation by using a nextUpdate value
corresponding to a time in the past (CVE-2011-3207).

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
processing of handshake messages, which allows remote attackers
to cause a denial of service (application crash) via out-of-order
messages that violate the TLS protocol (CVE-2011-3210).

Packages for 2009.0 are provided as part of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.

Updated packages
2011 i586
5fd58662d6a52ac88efe81f989fc9ede 2011/i586/libopenssl1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
aa9043268df01b6785c988947731908b 2011/i586/libopenssl-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
3b749c8a41b714e84bd7732cd6ee5089 2011/i586/libopenssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
77d9dbad979416dd1b4af54b463c9858 2011/i586/libopenssl-static-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
fb567a8bafc6b42337c85a0f33ff33cb 2011/i586/openssl-1.0.0d-2.1-mdv2011.0.i586.rpm
175e8639972a6d4fd2a632ef77a879b2 2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
2011 x86_64
93891e6f060d2079ea9a4a949fe40a25 2011/x86_64/lib64openssl1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
02a059bdb85b00ebcf029ed62142b5f6 2011/x86_64/lib64openssl-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
136b35ff7bff01b4791b7b366cff6c88 2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
1aaf1d105b86c1be2a367d4189c12c3b 2011/x86_64/lib64openssl-static-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
766878bba443c3d2163451d383591e79 2011/x86_64/openssl-1.0.0d-2.1-mdv2011.0.x86_64.rpm
175e8639972a6d4fd2a632ef77a879b2 2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
2010.1 i586
bd60d1b484309734bc8071f8d56c78d4 2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
db2a2d676ab59df2a7077f0888cbc7f5 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.8mdv2010.2.i586.rpm
bbf3789a5da46dc0dde527352f15bb2d 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.i586.rpm
9a757b9d019b952696fbbf1bdb80571e 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
2527313d11471e17bac3309941f7aaf8 2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm
e9dbe57d404042917b3ed2bf233f2e41 2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm
2010.1 x86_64
6c11f02b7a582a4ff2129f3f4183ffdd 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
16eb55a62466f8c8bb7b642011dea54a 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
080662986ef9f21128c2c4bca3d9e0aa 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
b58cfdb41d740a2176ea2f9d2a33cae5 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
6a8f48aea469d9183725bd22acfab8cc 2010.1/x86_64/openssl-1.0.0a-1.8mdv2010.2.x86_64.rpm
e9dbe57d404042917b3ed2bf233f2e41 2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm
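
The fixes are backported: the upstream fix version named above is 1.0.0e, but the updated packages keep versions 1.0.0d and 1.0.0a and change only the release. The following is an added example, not part of the advisory or of Mandriva's tooling, that checks a host inventory against the fixed version and release taken from the source RPM names above. It assumes the usual RPM segment comparison (without epoch, `~` or `^` handling), that `%{RELEASE}` matches the string in the source RPM name, and a constructed inventory with hypothetical host names.

```python
import re

# Fixed (version, release) per distribution, read from the advisory's
# source RPM names, e.g. openssl-1.0.0d-2.1.src.rpm -> ("1.0.0d", "2.1").
FIXED = {
    "2011": ("1.0.0d", "2.1"),
    "2010.1": ("1.0.0a", "1.8mdv2010.2"),
}

def vercmp(a, b):
    """Compare two RPM version or release strings; return -1, 0 or 1."""
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit():
            return 1                       # numeric segment is newer than alphabetic
        elif y.isdigit():
            return -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def is_patched(distro, version, release):
    """True if version-release is at or above the advisory's fixed build."""
    fixed_version, fixed_release = FIXED[distro]
    by_version = vercmp(version, fixed_version)
    if by_version != 0:
        return by_version > 0
    return vercmp(release, fixed_release) >= 0

# Constructed inventory rows: (host, distro, version, release), as could be
# collected with: rpm -q --qf '%{VERSION} %{RELEASE}\n' openssl
INVENTORY = [
    ("web1", "2011", "1.0.0d", "2.1"),
    ("web2", "2011", "1.0.0d", "2"),
    ("db1", "2010.1", "1.0.0a", "1.7mdv2010.2"),
    ("db2", "2010.1", "1.0.0a", "1.8mdv2010.2"),
]

def unpatched(inventory):
    """Return the hosts whose openssl build predates the fixed one."""
    return [h for h, d, v, r in inventory if not is_patched(d, v, r)]

if __name__ == "__main__":
    print("unpatched hosts:", unpatched(INVENTORY))
```

A scanner that compares only the upstream version would flag `web1` and `db2` as vulnerable, since 1.0.0d and 1.0.0a sort below 1.0.0e; comparing the release as well avoids that false positive.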
