DSA 1185-1: New openssl packages fix denial of service
Posted on: 09/28/2006 08:35 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1185-1 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
September 28th, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : openssl
Vulnerability : denial of service
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-2937

Multiple vulnerabilities have been discovered in the OpenSSL
cryptographic software package that could allow an attacker to launch
a denial of service attack by exhausting system resources or crashing
processes on a victim's computer.

CVE-2006-2937
Dr S N Henson of the OpenSSL core team and Open Network
Security recently developed an ASN1 test suite for NISCC
(www.niscc.gov.uk). When the test suite was run against
OpenSSL two denial of service vulnerabilities were discovered.

During the parsing of certain invalid ASN1 structures an error
condition is mishandled. This can result in an infinite loop
which consumes system memory.

Any code which uses OpenSSL to parse ASN1 data from untrusted
sources is affected. This includes SSL servers which enable
client authentication and S/MIME applications.

CVE-2006-3738
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a buffer overflow in SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql. An
attacker could send a list of ciphers that would overrun a
buffer.

CVE-2006-4343
Tavis Ormandy and Will Drewry of the Google Security Team
discovered a possible DoS in the sslv2 client code. Where a
client application uses OpenSSL to make a SSLv2 connection to
a malicious server that server could cause the client to
crash.

CVE-2006-2940
Dr S N Henson of the OpenSSL core team and Open Network
Security recently developed an ASN1 test suite for NISCC
(www.niscc.gov.uk). When the test suite was run against
OpenSSL a DoS was discovered.

Certain types of public key can take disproportionate amounts
of time to process. This could be used by an attacker in a
denial of service attack.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge3.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-2 of the
openssl097 compatibility libraries, and version 0.9.8c-2 of the
openssl package.

We recommend that you upgrade your openssl package. Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc
Size/MD5 checksum: 639 fbf460591348b14103a3819d23164aee
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.diff.gz
Size/MD5 checksum: 29882 25e5c57ee6c86d1e4cc335937040f251
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 3341810 73ef8e1cafbfd142a903bd93535a2428
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 2448006 b42d228cd1cb48024b25f5bd7c6724b8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 930188 b0b9a46a47a1992ed455f993b6007450

AMD64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 2693668 7a6d9f9ad43192bcfe9ed22bd4c227cb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 703308 239e07d0029b78d339da49ea8dacb554
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 903744 de3413bf58707040d19a606311548ec7

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 2556374 4f3d5a82ab27e46f6174616dd2f0818c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 690118 80812ffefacc7d9800ce5286909aa815
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 894114 053579483c0d83c11a4b15ade5e09d3b

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 2695876 bee86edc3db3ac76a32efb84b1a1cfab
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 791316 5dfd66672700232356a26258a76bcffa
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 914574 bc996d3cd86b18090ee4c2f3f31dbdbc

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 2553694 ceea98c69ca44649ee2c98cff0364e4b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 2264996 111668559caa8ea95ad3100af67e163e
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 902750 39b743a6a47517245c3fba9289c86ddf

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 3396192 54868b4f5c27f5dc0a65b82594aa8bb0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 1038386 7fcec764f3b3d3ee53588791f7588ad9
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 975118 18239f1932f399df0396e81a1e57e5e3

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 2317346 cf221d4a25c8913c1183078f1974b46b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 661672 1a1e72d032cbd37400a65ef7ddf9af6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 889874 6eaaf9b7b9651b37437b78d7a95a562a

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 2779474 383cc3f4bd2c75515e415c48fc6c66eb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 706660 aaa773471c553fd971b3158e35ceb675
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 896780 21c648b8e817ce098d9d85f311163e34

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 2767338 bc2e40477ad28b1eedb69e6542b1ab08
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 694486 8c31bcea415ae3d725844e45a733d7fe
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 895860 8af869dc9a903f8a226d33cdcffc7eab

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 2775400 91f923d2f4f3938ef8a786b291865f0a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 779452 3b094894ca6d75b7c86684c7cd62f5bf
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 908316 b93dffc572d91d9e4154b73c57b41e88

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 2717840 a96fb19009ddc10b1901f34e232109ae
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 813968 1cf6dbddb023dfe8c55d30d19bc0ff57
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 918504 73d2f71ec2c8ebd4cc3f481096202664

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 2630560 059abd03c994e3d6851f38f6f7dd5446
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 1886038 4900a7af6cbef9e37c902a3c14ac33ac
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 924472 27f194ff2250fc91d0375c02d6686272


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFHAXWXm3vHE4uyloRAmD7AJwLeogeu4DFdgEIeZzGqXEBRgAxQACghF1a
hJUT6eN7UmS2FtFj6HinBt8=
=gOnv
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1185_1_new_openssl_packages_fix_denial_of_service.html)