DSA 1379-2: New openssl packages fix arbitrary code execution
Posted on: 10/10/2007 07:05 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1379-2 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
October 10, 2007
- ------------------------------------------------------------------------

Package : openssl097, openssl096
Vulnerability : off-by-one error/buffer overflow
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2007-5135
Debian Bug : 444435

An off-by-one error has been identified in the SSL_get_shared_ciphers()
routine in OpenSSL, an implementation of Secure Socket Layer
cryptographic libraries and utilities. This error could allow an
attacker to crash an application making use of OpenSSL's libssl library,
or potentially execute arbitrary code in the security context of the
user running such an application.

This update to DSA 1379 announces the availability of the libssl0.9.6
and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch
(stable), respectively.

We recommend that you upgrade your openssl097 and openssl096 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (oldstable)
- ----------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.dsc
Size/MD5 checksum: 617 d5c107efd03887064c12ca3f3785eb22
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz
Size/MD5 checksum: 2184918 1b63bfdca1c37837dddde9f1623498f9
http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.diff.gz
Size/MD5 checksum: 21639 3a9b336e6f7e1ecdb12b925928bf9061

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_alpha.deb
Size/MD5 checksum: 1966700 cb66c5de2c58624ce1a066d9f6db108b

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_amd64.deb
Size/MD5 checksum: 578788 acbc334b7cbf3b154c5bd5516160043d

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_arm.deb
Size/MD5 checksum: 519050 1f32d009ee447998eb0b7b5d977ec269

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_hppa.deb
Size/MD5 checksum: 588092 0640e3135183515b1d5739cc35471501

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_i386.deb
Size/MD5 checksum: 1758424 afcd7f2f3b9ceb67eda7a1b6008af9d1

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_ia64.deb
Size/MD5 checksum: 815824 e1e0e0e29d2fadaa9126a0f40ef0f7ac

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_mips.deb
Size/MD5 checksum: 577428 9b2b390a8841638216d14dfb59244486

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_powerpc.deb
Size/MD5 checksum: 583112 6b926d1b39bc0a83e4f098b873b3f111

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_s390.deb
Size/MD5 checksum: 603014 698f599a8765889800a62e088674fcf7

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_sparc.deb
Size/MD5 checksum: 1460366 0e4d599821004ace0bf499fd688a22f1

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.dsc
Size/MD5 checksum: 769 b7a4e535383394c3be009e3a1df09bdd
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz
Size/MD5 checksum: 3292692 be6bba1d67b26eabb48cf1774925416f
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.diff.gz
Size/MD5 checksum: 33285 dc2f489812286cecb705f5b77d523a1e

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_alpha.deb
Size/MD5 checksum: 3822210 91e845e9663d5e5fd0606254484fce29
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_alpha.deb
Size/MD5 checksum: 2210464 5d4c3807d8d5d67cf99882f061bca0d8

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_amd64.deb
Size/MD5 checksum: 1325984 321bfb5960f3d0f8bd80792e7c7c5f05
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_amd64.deb
Size/MD5 checksum: 755416 e80a880d70bd4f5be5653559e664413a

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_arm.deb
Size/MD5 checksum: 1229966 70eef9e08baa248416efbd49bc064df9
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_arm.deb
Size/MD5 checksum: 672290 f30616f8250e48b794e75fbb098b8fe8

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_hppa.deb
Size/MD5 checksum: 1273442 e8518a1f26ff7ea13b04d16c760de661
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_hppa.deb
Size/MD5 checksum: 793182 9b009b750c25c3bbfb3138bfb920702d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_i386.deb
Size/MD5 checksum: 2284392 cded472858b38935b95aa798e72e0555
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_i386.deb
Size/MD5 checksum: 4642676 4f181f50322b488f9eed50fc167d0712

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_ia64.deb
Size/MD5 checksum: 1263422 b710a9e027214c21fd29f58e6cd45bc1
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_ia64.deb
Size/MD5 checksum: 1009882 18617eeb4e2056de2b0d18fe2045bbce

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mips.deb
Size/MD5 checksum: 1352460 e31e5b9e481800bfb194c3693e39e876
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mips.deb
Size/MD5 checksum: 729966 52952a3b76cfdca4ede580eaa1120a48

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mipsel.deb
Size/MD5 checksum: 718836 9cbc00898d56a3e7db3839b0eb6a087b
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mipsel.deb
Size/MD5 checksum: 1316952 f19c960283886c8c1b94d1fa2d385ca5

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_powerpc.deb
Size/MD5 checksum: 743238 792e64a2ada756b4e586eea50e2e3c3c
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_powerpc.deb
Size/MD5 checksum: 1382044 31704c8cdf8be905ebc35be75f885fc5

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_s390.deb
Size/MD5 checksum: 794166 d34483e35b01102e03c9d0dedb37f32e
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_s390.deb
Size/MD5 checksum: 1317042 7e1ab24baa1cf7c686d3b78aea6bb386

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_sparc.deb
Size/MD5 checksum: 1798892 afc22b79114ee90c8ee388e45115c6c6
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_sparc.deb
Size/MD5 checksum: 3416966 9f1463223729527bd231690d40821e10


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHDRJ9YrVLjBFATsMRAtBgAJ9KN8v5gupjCqdsrKRNhg9fxIcP9gCfQ+O3
YjNEPdqHPfLFPe4UFq/+Y8s=
=Wnfa
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1379_2_new_openssl_packages_fix_arbitrary_code_execution.html)