|
|
| Problem Description |
Yutaka Oiwa discovered vulnerability potentially affects applications
that use the SSL/TLS server implementation provided by OpenSSL.
Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in third-
party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification step in
the SSL 2.0 server supposed to prevent active protocol-version rollback
attacks. With this verification step disabled, an attacker acting as
a "man in the middle" can force a client and a server to negotiate the
SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0.
The SSL 2.0 protocol is known to have severe cryptographic weaknesses
and is supported as a fallback only. (CAN-2005-2969)
The current default algorithm for creating "message digests"
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.
To address this issue, openssl has been changed to use SHA-1 by
default. This is a more appropriate default algorithm for the majority
of use cases. If you still want to use MD5 as default, you can revert
this change by changing the two instances of "default_md = sha1" to
"default_md = md5" in /usr/{lib,lib64}/ssl/openssl.cnf. (CAN-2005-2946)
| Updated Packages |
Mandrakelinux 10.1
2fa715275a4a918b15eb02e402b755bc 10.1/RPMS/libopenssl0.9.7-0.9.7d-1.3.101mdk.i586.rpm 1912f9be0eccc4b2903616ac2c0d5103 10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.3.101mdk.i586.rpm 4d51641d38b5e0e8c6be5fcc211ffa3b 10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.3.101mdk.i586.rpm 6e40220d7461ad8e711aa2ee5a772b1f 10.1/RPMS/openssl-0.9.7d-1.3.101mdk.i586.rpm abb721aa2ccf15e555c4f84981366022 10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Mandrakelinux 10.1/X86_64
5b820a306004c31fcac518aec78bfea3 x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.3.101mdk.x86_64.rpm 4b506c7086fd330fde0fe724a5bd865c x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.3.101mdk.x86_64.rpm 9fb820e394e6da5db74a60d7062a6c23 x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.3.101mdk.x86_64.rpm f113ec9a24627d354eaa37db78784d31 x86_64/10.1/RPMS/openssl-0.9.7d-1.3.101mdk.x86_64.rpm abb721aa2ccf15e555c4f84981366022 x86_64/10.1/SRPMS/openssl-0.9.7d-1.3.101mdk.src.rpm
Corporate Server 2.1
7ce23e8906c2001f93afdbdb544a5659 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.i586.rpm 26e569e8dd0598bd5f55d1a954989e7b corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.i586.rpm c54a45b3cf589095382c1399f0435353 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.i586.rpm bc5ff8f4e044678c40b5bae08b263216 corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.i586.rpm 6fa6d2e82bffdf044663ccd40b14bba3 corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate Server 2.1/X86_64
4b85f119fb4908f785ee5e4cd6f81312 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.10.C21mdk.x86_64.rpm d366f2f72a511fbb4887de0d17303339 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.10.C21mdk.x86_64.rpm b3a4d7295c802dc5a486022bffe8f8aa x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.10.C21mdk.x86_64.rpm cd0e605ae88e746d8124f550ff26c723 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.10.C21mdk.x86_64.rpm 6fa6d2e82bffdf044663ccd40b14bba3 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.10.C21mdk.src.rpm
Corporate Server 3.0
e77b2aeadf368cac390fda472f96f76d corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.C30mdk.i586.rpm e3e077097643c9247b0e866c0ea08c9d corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.3.C30mdk.i586.rpm eb61ee6a8464a43e951102fa5a9df4b0 corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.i586.rpm fa6ce3b5dc685d567040061676d047ba corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.i586.rpm 502e04472212778c866211c6179f4127 corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
Corporate Server 3.0/X86_64
bdc1b94ef64f4c0c02948d8ec08184b1 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.3.C30mdk.x86_64.rpm f2b65309719e499eb1a9d9f857c51921 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.3.C30mdk.x86_64.rpm 48e9d2cd78e4a44a4bd61542a47f2d5b x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.3.C30mdk.x86_64.rpm 3aef366b6921b180f304ae1a8c10ba78 x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.3.C30mdk.x86_64.rpm 502e04472212778c866211c6179f4127 x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.3.C30mdk.src.rpm
Multi Network Firewall 2.0
60451a13eb787c55a9463322b6bdb419 mnf/2.0/RPMS/libopenssl0.9.7-0.9.7c-3.3.M20mdk.i586.rpm 3a5dae5ff129437461180df9a8dd5b0b mnf/2.0/RPMS/openssl-0.9.7c-3.3.M20mdk.i586.rpm c89dcc035040ed512ab2823b978b5205 mnf/2.0/SRPMS/openssl-0.9.7c-3.3.M20mdk.src.rpm
Mandriva Linux LE2005
7448f1bd46305af8ca09c794828bc14d 10.2/RPMS/libopenssl0.9.7-0.9.7e-5.2.102mdk.i586.rpm dd17f238c7c4eeb93f330794d28fef20 10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.2.102mdk.i586.rpm 4d6b82c86b3b7430273e9f7804b448f3 10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.2.102mdk.i586.rpm ec6b0d749ed3f7c8b2ee48cea5c104f5 10.2/RPMS/openssl-0.9.7e-5.2.102mdk.i586.rpm 14554b0fff0abfe1da54b8f9c68c8a75 10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandriva Linux LE2005/X86_64
a34fa268399bce8d59b185df255f1d19 x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.2.102mdk.x86_64.rpm 3f403f1c36d53bb35174c04badbea2d9 x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.2.102mdk.x86_64.rpm 68d2a4a298fd37719343c4ade853e22d x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.2.102mdk.x86_64.rpm 8b53d1949aa30ca813f27c5dd3bb1062 x86_64/10.2/RPMS/openssl-0.9.7e-5.2.102mdk.x86_64.rpm 14554b0fff0abfe1da54b8f9c68c8a75 x86_64/10.2/SRPMS/openssl-0.9.7e-5.2.102mdk.src.rpm
Mandriva Linux 2006
bc7f3ba61af3334757c65e1682eb0065 2006.0/RPMS/libopenssl0.9.7-0.9.7g-2.1.20060mdk.i586.rpm a15b20362dd7437ff974642af0756d79 2006.0/RPMS/libopenssl0.9.7-devel-0.9.7g-2.1.20060mdk.i586.rpm 65bab77540badadc2152d7803d13c63f 2006.0/RPMS/libopenssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.i586.rpm d06fa459cf871d890bf3a4ff22b85cd7 2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.i586.rpm fc0ed1a9eab0dfdb3f35c3cdb46004e8 2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
Mandriva Linux 2006/X86_64
3b54d300cf1b6889d764e36660d3542d x86_64/2006.0/RPMS/lib64openssl0.9.7-0.9.7g-2.1.20060mdk.x86_64.rpm aa8e520156a9d878ed43179dfcc5210f x86_64/2006.0/RPMS/lib64openssl0.9.7-devel-0.9.7g-2.1.20060mdk.x86_64.rpm 8bece33914331ad81e9e88dfef1b4319 x86_64/2006.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7g-2.1.20060mdk.x86_64.rpm 4a654cfa16e31f450493e59de0cb372c x86_64/2006.0/RPMS/openssl-0.9.7g-2.1.20060mdk.x86_64.rpm fc0ed1a9eab0dfdb3f35c3cdb46004e8 x86_64/2006.0/SRPMS/openssl-0.9.7g-2.1.20060mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.