DSA 1185-2: New openssl packages fix arbitrary code execution
Posted on: 10/02/2006 08:40 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1185-2 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
October 2nd, 2006 http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : openssl
Vulnerability : denial of service
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-2940

The fix used to correct CVE-2006-2940 introduced code that could lead to
the use of uninitialized memory. Such use is likely to cause the
application using the openssl library to crash, and has the potential to
allow an attacker to cause the execution of arbitrary code.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge4.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-3 of the
openssl097 compatibility libraries, and version 0.9.8c-3 of the
openssl package.

We recommend that you upgrade your openssl package. Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade Instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc
Size/MD5 checksum: 639 179f34093d860afff66964b5f1c99ee3
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz
Size/MD5 checksum: 29707 0b4d462730327aba5a751bd4bec71c10
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb
Size/MD5 checksum: 3341886 f0d0ef51fac89227b0d0705116439f5c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb
Size/MD5 checksum: 2448092 8065c52c7649f36221f8a48adfb4cb29
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb
Size/MD5 checksum: 930234 5953c4c4a45352d41c3c414eda63ff00

AMD64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb
Size/MD5 checksum: 2693980 cbd25bbed17ec73561337bfc3d8ed2ed
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb
Size/MD5 checksum: 769904 2671cdf2f48013617ea509daac2bb4dc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb
Size/MD5 checksum: 903782 e370684d7c84d1eebcb69cdda35c6c6c

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb
Size/MD5 checksum: 2556330 75c1a253ddad0b7ad87053552770e5c4
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb
Size/MD5 checksum: 690202 ccd435ca2c183940152f3bd70d84ee0b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb
Size/MD5 checksum: 894144 2e5caaa90184d9ee9e607d18728e6f93

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb
Size/MD5 checksum: 2695990 58fe1a247ef47faa559eef610b437db6
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb
Size/MD5 checksum: 791382 f0c64d06307af937218944d6d8db6e2f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb
Size/MD5 checksum: 914576 631c681a3c4ce355962a7c684767a155

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb
Size/MD5 checksum: 2554956 c4c9aa14e74dbd6dac2cadd7cf48b522
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb
Size/MD5 checksum: 2265180 9047b6c6036c048ad75fa397f220ae39
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb
Size/MD5 checksum: 906268 070d1d1680f90da5509121c44de7a254

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_ia64.deb
Size/MD5 checksum: 3396206 3a3d88238a48d33b39e7575a97c6cfdf
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_ia64.deb
Size/MD5 checksum: 1038432 e2e4e1d388c5d45c8d30e16d661ad24c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_ia64.deb
Size/MD5 checksum: 975152 1783b49f3b7a12bd18dff0fcc37f5d68

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_m68k.deb
Size/MD5 checksum: 2317348 b4930b1cf5e642bf509d44dd83de193f
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_m68k.deb
Size/MD5 checksum: 661716 d5fb4eb5947c8765e268696e94a46a8b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_m68k.deb
Size/MD5 checksum: 889932 e1ecef3780edd38743246dfda1424e8c

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mips.deb
Size/MD5 checksum: 2779464 591dbe4f6d73d56c9e9ff72f2d0a5385
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mips.deb
Size/MD5 checksum: 706682 0b3de7eef13969d065ed057fda34afc2
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mips.deb
Size/MD5 checksum: 896834 e2b8f38056a06f63c3ce6c10d9d95dba

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mipsel.deb
Size/MD5 checksum: 2767364 883d0167f6642e90e8a183b4f87a78ba
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mipsel.deb
Size/MD5 checksum: 694532 f4961231ef2c2b8ff46f173338a7fa36
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mipsel.deb
Size/MD5 checksum: 895922 2ad35f3927ba71d8054fe8cd4316f5b0

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_powerpc.deb
Size/MD5 checksum: 2775608 0dca0ec9cf2d230ce68394849be748b1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_powerpc.deb
Size/MD5 checksum: 779456 6736cdc1dfe5f19013f4dee0a2b3b1cf
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_powerpc.deb
Size/MD5 checksum: 908418 8759696eff63836597e4247c06ba7b22

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_s390.deb
Size/MD5 checksum: 2717788 12fb63ace68a2698c19c725530ab18d9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_s390.deb
Size/MD5 checksum: 814012 adcee88124369de1daeae0545e0517a0
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_s390.deb
Size/MD5 checksum: 918524 b93704f4ce84489d4ee163098a783962

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_sparc.deb
Size/MD5 checksum: 2630606 a20a47b2f291810a09fd04a4c130ddb0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_sparc.deb
Size/MD5 checksum: 1886152 8521da994bf2a6df3bdc457fb3e0683b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_sparc.deb
Size/MD5 checksum: 924556 ff8cee5f5a9653a9dd917b4ec51166ee


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFIWjaXm3vHE4uyloRAlCnAKDJS/TqmvEdkWKPzE3d5MmsC+VAXgCg3Kw+
43qPyLtg10UxpWWh0fHpOnA=
=Xbwi
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1185_2_new_openssl_packages_fix_arbitrary_code_execution.html)