MDKSA-2006:172-1

Nom du paquet

openssl

Date

2006-10-02

Advisory ID

MDKSA-2006:172-1

Affected versions

CS4.0 x86_64 , MNF2.0 i586 , 2006.0 i586 , 2007.0 x86_64 , 2007.0 i586 , CS3.0 x86_64 , CS4.0 i586 , CS3.0 i586 , 2006.0 x86_64

Problem description

Dr S N Henson of the OpenSSL core team and Open Network Security
recently developed an ASN1 test suite for NISCC (www.niscc.gov.uk).
When the test suite was run against OpenSSL two denial of service
vulnerabilities were discovered.

During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop which
consumes system memory. (CVE-2006-2937)

Certain types of public key can take disproportionate amounts of time
to process. This could be used by an attacker in a denial of service
attack. (CVE-2006-2940)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers utility function, used by
some applications such as exim and mysql. An attacker could send a
list of ciphers that would overrun a buffer. (CVE-2006-3738)

Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. (CVE-2006-4343)

Updated packages are patched to address these issues.

Update:

There was an error in the original published patches for CVE-2006-2940.
New packages have corrected this issue.

Updated packages

CS4.0 x86_64

 b5ae71aacd5b99be9e9327d58da29230  corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 89296e03778a198940c1c413e44b9f45  corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 cb17a0d801c1181ab380472b8ffb085e  corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.x86_64.rpm
 76b3078e53be2ddc019bee74ccb1f39e  corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.5.20060mlcs4.i586.rpm
 0aa4ca3b0d2925255650fb90132d7aad  corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 86dc91f1701293f3319a833746bbe421  corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 8d9a55afdc6d930916bac00fd4c4739b  corporate/4.0/x86_64/openssl-0.9.7g-2.5.20060mlcs4.x86_64.rpm 
 a8d2a946d266a94c6d46537ad78b18fa  corporate/4.0/SRPMS/openssl-0.9.7g-2.5.20060mlcs4.src.rpm

MNF2.0 i586

 cd7ad7e95ce17995dfa8129ebe517049  mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.7.M20mdk.i586.rpm
 11771240baebdc6687af70a8a0f2ffd2  mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.7.M20mdk.i586.rpm
 8f672bc81b9528598a8560d876612bfa  mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.7.M20mdk.i586.rpm
 214f857a36e5c3e600671b7291cd08ae  mnf/2.0/i586/openssl-0.9.7c-3.7.M20mdk.i586.rpm 
 bbb299fd643ccbfbdc1a48b12c7005ce  mnf/2.0/SRPMS/openssl-0.9.7c-3.7.M20mdk.src.rpm

2006.0 i586

 5e48a8d9a6a03a045b6d0d2b6903dc5b  2006.0/i586/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 526fcd69e1a1768c82afd573dc16982f  2006.0/i586/openssl-0.9.7g-2.5.20060mdk.i586.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

2007.0 x86_64

 1895971ef1221056075c4ee3d4aaac72  2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.2mdv2007.0.x86_64.rpm
 cfd59201e5e9c436f42b969b4aa567f1  2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 36da85c76eddf95feeb3f4b792528483  2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.x86_64.rpm
 db68f8f239604fb76a0a10c70104ef61  2007.0/x86_64/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  2007.0/x86_64/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  2007.0/x86_64/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 e3aebeae455a0820c5f28483bd6d3fa5  2007.0/x86_64/openssl-0.9.8b-2.2mdv2007.0.x86_64.rpm 
 78964615b7bd71028671257640be3bc5  2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

2007.0 i586

 db68f8f239604fb76a0a10c70104ef61  2007.0/i586/libopenssl0.9.8-0.9.8b-2.2mdv2007.0.i586.rpm
 26a4de823aee08e40d28ed7e6ff5b2ff  2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 ab949cf85296ceae864f83fbbac2b55a  2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.2mdv2007.0.i586.rpm
 a97c6033a33fabcd5509568304b7a988  2007.0/i586/openssl-0.9.8b-2.2mdv2007.0.i586.rpm 
 78964615b7bd71028671257640be3bc5  2007.0/SRPMS/openssl-0.9.8b-2.2mdv2007.0.src.rpm

CS3.0 x86_64

 52dfd4d10e00c9bd0944e4486190de93  corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.7.C30mdk.x86_64.rpm
 258a19afc44dadfaa00d0ebd8b3c0df4  corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.7.C30mdk.x86_64.rpm
 cd5cc151e476552be549c6a37b8a71ea  corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.7.C30mdk.x86_64.rpm
 7f60837e42b45ce50f365ec1372d6aeb  corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.7.C30mdk.i586.rpm
 492fcc0df9172557a3297d0082321d4d  corporate/3.0/x86_64/openssl-0.9.7c-3.7.C30mdk.x86_64.rpm 
 2c47b1604aa89033799b1ead4bcebe01  corporate/3.0/SRPMS/openssl-0.9.7c-3.7.C30mdk.src.rpm

CS4.0 i586

 76b3078e53be2ddc019bee74ccb1f39e  corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.5.20060mlcs4.i586.rpm
 0aa4ca3b0d2925255650fb90132d7aad  corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 86dc91f1701293f3319a833746bbe421  corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mlcs4.i586.rpm
 daa6c3473f59405778dedd02de73fcc9  corporate/4.0/i586/openssl-0.9.7g-2.5.20060mlcs4.i586.rpm 
 a8d2a946d266a94c6d46537ad78b18fa  corporate/4.0/SRPMS/openssl-0.9.7g-2.5.20060mlcs4.src.rpm

CS3.0 i586

 7f60837e42b45ce50f365ec1372d6aeb  corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.7.C30mdk.i586.rpm
 1e7834f6f0fe000f8f00ff49ee6f7ea0  corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.7.C30mdk.i586.rpm
 6c86220445ef34c2dadadc3e00701885  corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.7.C30mdk.i586.rpm
 c25c4042a91b6e7bf9aae1aa2fea32a5  corporate/3.0/i586/openssl-0.9.7c-3.7.C30mdk.i586.rpm 
 2c47b1604aa89033799b1ead4bcebe01  corporate/3.0/SRPMS/openssl-0.9.7c-3.7.C30mdk.src.rpm

2006.0 x86_64

 54ed69fc4976d3c0953eeebd3c10471a  2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.5.20060mdk.x86_64.rpm
 632fbe5eaff684ec2f27da4bbe93c4f6  2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 04dbe52bda3051101db73fabe687bd7e  2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.x86_64.rpm
 5e48a8d9a6a03a045b6d0d2b6903dc5b  2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.5.20060mdk.i586.rpm
 f86f3a2efd19ff5fb1600212cbd8e463  2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.5.20060mdk.i586.rpm
 73b99c1a8a34fe3c2279c09c4f385804  2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.5.20060mdk.i586.rpm
 ca169246cc85db55839b265b90e8c842  2006.0/x86_64/openssl-0.9.7g-2.5.20060mdk.x86_64.rpm 
 441a806fc8a50f74f5b4bcfce1fc8f66  2006.0/SRPMS/openssl-0.9.7g-2.5.20060mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343