Mandriva

Package name openssl
Date March 17th, 2004
Advisory ID MDKSA-2004:023
Affected versions 9.0, 9.1, 9.2, MNF8.2, CS2.1

Problem Description

A vulnerability was discovered by the OpenSSL group using the
Codenomicon TLS Test Tool. The test uncovered a null-pointer
assignment in the do_change_cipher_spec() function whih could be
abused by a remote attacker crafting a special SSL/TLS handshake
against a server that used the OpenSSL library in such a way as to
cause OpenSSL to crash. Depending on the application in question,
this could lead to a Denial of Service (DoS). This vulnerability
affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c).
CVE has assigned CAN-2004-0079 to this issue.

Another vulnerability was discovered by Stephen Henson in OpenSSL
versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking
code when using Kerberos ciphersuites. A remote attacker could
perform a carefully crafted SSL/TLS handshake against a server
configured to use Kerberos ciphersuites in such a way as to cause
OpenSSL to crash. CVE has assigned CAN-2004-0112 to this issue.

Mandrakesoft urges users to upgrade to the packages provided that have
been patched to protect against these problems. We would also like to
thank NISCC for their assistance in coordinating the disclosure of
these problems.

Please note that you will need to restart any SSL-enabled services for
the patch to be effective, including (but not limited to) Apache,
OpenLDAP, etc.

Updated Packages

Mandrakelinux 9.0

 f240a851cd1e2350485c01937c03954a  9.0/RPMS/libopenssl0-0.9.6i-1.7.90mdk.i586.rpm
44163de2b87935272550f1ee76df3bea  9.0/RPMS/libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm
8692dc3bc8235e0ee0279c197fd7f2ee  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm
fb67c8105ee757e0be521758cef6c3ad  9.0/RPMS/openssl-0.9.6i-1.7.90mdk.i586.rpm
2c5edca752c1bded660e811e4a14924c  9.0/SRPMS/openssl-0.9.6i-1.7.90mdk.src.rpm

Mandrakelinux 9.1

 675ca1ba5d7fbf2246a47ddb2c3b9b51  9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.i586.rpm
4f916449cf69b4246b6d31313082b836  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm
e96d97d6abc80a2b876fa412a94513ee  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm
6f51829b630e60f1296571f06fdf31ad  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm
cf731928a2a17b67ecc3a1592300842d  9.1/RPMS/openssl-0.9.7a-1.3.91mdk.i586.rpm
7034cb0be4e172d30fe2d68a6bec27b3  9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24  9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

Mandrakelinux 9.1/PPC

 6a083899b5c52877e9bed2e21b030918  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.ppc.rpm
0e3eee09e1f2ceb59422f4ff0ce4a073  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.ppc.rpm
71a44d67de3c656025f9d9df93e690df  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.ppc.rpm
bfba9442501c5c618f1f3953728de8fe  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.ppc.rpm
fd0cae85733542b6e5edc422c6e85272  ppc/9.1/RPMS/openssl-0.9.7a-1.3.91mdk.ppc.rpm
7034cb0be4e172d30fe2d68a6bec27b3  ppc/9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm

Mandrakelinux 9.2

 ca7d2493b21406d07d8c4c95e8768c47  9.2/RPMS/libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm
b0f4e7317a0ffa549394590bb3814216  9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm
cf3c227a00a1f738915768a860fabf24  9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm
34b175885ae59b3a089b11a02039d88a  9.2/RPMS/openssl-0.9.7b-4.2.92mdk.i586.rpm
006292d74c144ace0a288ab444493788  9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64

 34246401bd6d2b211ea366d0673b2ce6  amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-4.2.92mdk.amd64.rpm
87b4e7fbeaf3640f94d67e1bd6bfc593  amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk.amd64.rpm
a3c9c929398a68ce06cce5fd537f4387  amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk.amd64.rpm
85155f93b8c769759b901b44f71974dd  amd64/9.2/RPMS/openssl-0.9.7b-4.2.92mdk.amd64.rpm
006292d74c144ace0a288ab444493788  amd64/9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm

Multi Network Firewall 8.2

 99eb1a2e1e97c207d39f5882c4acafe5  mnf8.2/RPMS/libopenssl0-0.9.6i-1.6.M82mdk.i586.rpm
e9564e5b55b8fdf4b8e8af1b1c0c56a2  mnf8.2/RPMS/openssl-0.9.6i-1.6.M82mdk.i586.rpm
1ae8ea6a7254b5abe1cbc0a6bca66997  mnf8.2/SRPMS/openssl-0.9.6i-1.6.M82mdk.src.rpm

Corporate Server 2.1

 aa5e93c4668cd1f4ef8091c260e6c274  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.i586.rpm
d1923437255ae0b50c5e1e8d40e3c0ee  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.i586.rpm
5e3ffcaa0291845b69c555f0961e610a  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.i586.rpm
ceefc8ac27966d4f7311f2fcff37b6c8  corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.i586.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1  corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

Corporate Server 2.1/X86_64

 d1f2609c2fd600a73504a92c6b96ad0b  x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.x86_64.rpm
dec9c21de8362901562041c8a960a249  x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
951e43064657332318113f20c77cadf1  x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
47a86a2f8219baa9504f01e1cf6de640  x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.x86_64.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1  x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.