MDVSA-2009:237
- Package name
- openssl
- Date
- 2009-09-21
- Advisory ID
- MDVSA-2009:237
- Affected versions
- CS3.0 i586, CS4.0 x86_64, MNF2.0 i586, CS3.0 x86_64, CS4.0 i586
Problem description
Multiple vulnerabilities were discovered and corrected in openssl:
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to
cause a denial of service (NULL pointer dereference and daemon crash)
via a DTLS ChangeCipherSpec packet that occurs before ClientHello
(CVE-2009-1386).
The NSS library before 3.12.3, as used in Firefox; GnuTLS
before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other
products support MD2 with X.509 certificates, which might allow
remote attackers to spoof certificates by using MD2 design flaws
to generate a hash collision in less than brute-force time. NOTE:
the scope of this issue is currently limited because the amount of
computation required is still large (CVE-2009-2409).
This update provides a solution to these vulnerabilities.
Updated packages
CS3.0 i586
- 52c4eef7e013ff51da821c9739f8455c corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
- ee8c84605e6073baa7ba8f7a2583688f corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
- c4644081608a0322998acaff8aeb7855 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
- 613010dc703d61de93bfad8ccc91cc67 corporate/3.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
- 141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
CS4.0 x86_64
- 271634c0d8e82fe4a3302c04dc7d6e87 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.10.20060mlcs4.x86_64.rpm
- 72f2b3717cd75ab119323252e3b89e5b corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
- 2fb0977d4a4fce2466c05cabf64f56a6 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
- 1a10542aec4bc4bfa97064c081d89f06 corporate/4.0/x86_64/openssl-0.9.7g-2.10.20060mlcs4.x86_64.rpm
- 4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm
MNF2.0 i586
- 52c4eef7e013ff51da821c9739f8455c mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
- ee8c84605e6073baa7ba8f7a2583688f mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
- c4644081608a0322998acaff8aeb7855 mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
- 613010dc703d61de93bfad8ccc91cc67 mnf/2.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
- 141b07323226c91355ccb28f0ad93f97 mnf/2.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
CS3.0 x86_64
- 37a8fb11191834bd7e45ec4ccb3cdeb8 corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.11.C30mdk.x86_64.rpm
- 9fd74f7123edae69f4bb674d35b96ef8 corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
- 247b548bbbc772c69a3c1cc54e350d90 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
- 779e9ac5fffaf96141be8ea77f963e83 corporate/3.0/x86_64/openssl-0.9.7c-3.11.C30mdk.x86_64.rpm
- 141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
CS4.0 i586
- 92833c7613875f935a0ac42c1ee22328 corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.10.20060mlcs4.i586.rpm
- 6ca9508b8769fe3e0f7e25a9aa73d82d corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
- ec80b2ccb7231f71fcf81cc200985d88 corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
- efa7973f515618a3bc77f1ee8969a982 corporate/4.0/i586/openssl-0.9.7g-2.10.20060mlcs4.i586.rpm
- 4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm
