Mandrakesoft has released updated OpenSSL packages for Mandrakelinux
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2004:023
Date: March 17th, 2004
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a null-pointer assignment in the do_change_cipher_spec() function whih could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CAN-2004-0079 to this issue.
Another vulnerability was discovered by Stephen Henson in OpenSSL versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. CVE has assigned CAN-2004-0112 to this issue.
Mandrakesoft urges users to upgrade to the packages provided that have been patched to protect against these problems. We would also like to thank NISCC for their assistance in coordinating the disclosure of these problems.
Please note that you will need to restart any SSL-enabled services for the patch to be effective, including (but not limited to) Apache, OpenLDAP, etc.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
aa5e93c4668cd1f4ef8091c260e6c274 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.i586.rpm
d1923437255ae0b50c5e1e8d40e3c0ee corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.i586.rpm
5e3ffcaa0291845b69c555f0961e610a corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.i586.rpm
ceefc8ac27966d4f7311f2fcff37b6c8 corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.i586.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1 corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
d1f2609c2fd600a73504a92c6b96ad0b x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.x86_64.rpm
dec9c21de8362901562041c8a960a249 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
951e43064657332318113f20c77cadf1 x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
47a86a2f8219baa9504f01e1cf6de640 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.x86_64.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm
Mandrakelinux 9.0:
f240a851cd1e2350485c01937c03954a 9.0/RPMS/libopenssl0-0.9.6i-1.7.90mdk.i586.rpm
44163de2b87935272550f1ee76df3bea 9.0/RPMS/libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm
8692dc3bc8235e0ee0279c197fd7f2ee 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm
fb67c8105ee757e0be521758cef6c3ad 9.0/RPMS/openssl-0.9.6i-1.7.90mdk.i586.rpm
2c5edca752c1bded660e811e4a14924c 9.0/SRPMS/openssl-0.9.6i-1.7.90mdk.src.rpm
Mandrakelinux 9.1:
675ca1ba5d7fbf2246a47ddb2c3b9b51 9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.i586.rpm
4f916449cf69b4246b6d31313082b836 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm
e96d97d6abc80a2b876fa412a94513ee 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm
6f51829b630e60f1296571f06fdf31ad 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm
cf731928a2a17b67ecc3a1592300842d 9.1/RPMS/openssl-0.9.7a-1.3.91mdk.i586.rpm
7034cb0be4e172d30fe2d68a6bec27b3 9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24 9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
6a083899b5c52877e9bed2e21b030918 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.ppc.rpm
0e3eee09e1f2ceb59422f4ff0ce4a073 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.ppc.rpm
71a44d67de3c656025f9d9df93e690df ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.ppc.rpm
bfba9442501c5c618f1f3953728de8fe ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.ppc.rpm
fd0cae85733542b6e5edc422c6e85272 ppc/9.1/RPMS/openssl-0.9.7a-1.3.91mdk.ppc.rpm
7034cb0be4e172d30fe2d68a6bec27b3 ppc/9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm
Mandrakelinux 9.2:
ca7d2493b21406d07d8c4c95e8768c47 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm
b0f4e7317a0ffa549394590bb3814216 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm
cf3c227a00a1f738915768a860fabf24 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm
34b175885ae59b3a089b11a02039d88a 9.2/RPMS/openssl-0.9.7b-4.2.92mdk.i586.rpm
006292d74c144ace0a288ab444493788 9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
34246401bd6d2b211ea366d0673b2ce6 amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-4.2.92mdk.amd64.rpm
87b4e7fbeaf3640f94d67e1bd6bfc593 amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk.amd64.rpm
a3c9c929398a68ce06cce5fd537f4387 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk.amd64.rpm
85155f93b8c769759b901b44f71974dd amd64/9.2/RPMS/openssl-0.9.7b-4.2.92mdk.amd64.rpm
006292d74c144ace0a288ab444493788 amd64/9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm
Multi Network Firewall 8.2:
99eb1a2e1e97c207d39f5882c4acafe5 mnf8.2/RPMS/libopenssl0-0.9.6i-1.6.M82mdk.i586.rpm
e9564e5b55b8fdf4b8e8af1b1c0c56a2 mnf8.2/RPMS/openssl-0.9.6i-1.6.M82mdk.i586.rpm
1ae8ea6a7254b5abe1cbc0a6bca66997 mnf8.2/SRPMS/openssl-0.9.6i-1.6.M82mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to update.
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: openssl
Advisory ID: MDKSA-2004:023
Date: March 17th, 2004
Affected versions: 9.0, 9.1, 9.2, Corporate Server 2.1,
Multi Network Firewall 8.2
______________________________________________________________________
Problem Description:
A vulnerability was discovered by the OpenSSL group using the Codenomicon TLS Test Tool. The test uncovered a null-pointer assignment in the do_change_cipher_spec() function whih could be abused by a remote attacker crafting a special SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application in question, this could lead to a Denial of Service (DoS). This vulnerability affects both OpenSSL 0.9.6 (0.9.6c-0.9.6k) and 0.9.7 (0.9.7a-0.9.7c). CVE has assigned CAN-2004-0079 to this issue.
Another vulnerability was discovered by Stephen Henson in OpenSSL versions 0.9.7a-0.9.7c; there is a flaw in the SSL/TLS handshaking code when using Kerberos ciphersuites. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. CVE has assigned CAN-2004-0112 to this issue.
Mandrakesoft urges users to upgrade to the packages provided that have been patched to protect against these problems. We would also like to thank NISCC for their assistance in coordinating the disclosure of these problems.
Please note that you will need to restart any SSL-enabled services for the patch to be effective, including (but not limited to) Apache, OpenLDAP, etc.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
______________________________________________________________________
Updated Packages:
Corporate Server 2.1:
aa5e93c4668cd1f4ef8091c260e6c274 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.i586.rpm
d1923437255ae0b50c5e1e8d40e3c0ee corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.i586.rpm
5e3ffcaa0291845b69c555f0961e610a corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.i586.rpm
ceefc8ac27966d4f7311f2fcff37b6c8 corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.i586.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1 corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm
Corporate Server 2.1/x86_64:
d1f2609c2fd600a73504a92c6b96ad0b x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.7.C21mdk.x86_64.rpm
dec9c21de8362901562041c8a960a249 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
951e43064657332318113f20c77cadf1 x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.7.C21mdk.x86_64.rpm
47a86a2f8219baa9504f01e1cf6de640 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.7.C21mdk.x86_64.rpm
9c85e7f857a7ebcf707ac6e65d32ceb1 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.7.C21mdk.src.rpm
Mandrakelinux 9.0:
f240a851cd1e2350485c01937c03954a 9.0/RPMS/libopenssl0-0.9.6i-1.7.90mdk.i586.rpm
44163de2b87935272550f1ee76df3bea 9.0/RPMS/libopenssl0-devel-0.9.6i-1.7.90mdk.i586.rpm
8692dc3bc8235e0ee0279c197fd7f2ee 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.7.90mdk.i586.rpm
fb67c8105ee757e0be521758cef6c3ad 9.0/RPMS/openssl-0.9.6i-1.7.90mdk.i586.rpm
2c5edca752c1bded660e811e4a14924c 9.0/SRPMS/openssl-0.9.6i-1.7.90mdk.src.rpm
Mandrakelinux 9.1:
675ca1ba5d7fbf2246a47ddb2c3b9b51 9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.i586.rpm
4f916449cf69b4246b6d31313082b836 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.i586.rpm
e96d97d6abc80a2b876fa412a94513ee 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.i586.rpm
6f51829b630e60f1296571f06fdf31ad 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.i586.rpm
cf731928a2a17b67ecc3a1592300842d 9.1/RPMS/openssl-0.9.7a-1.3.91mdk.i586.rpm
7034cb0be4e172d30fe2d68a6bec27b3 9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24 9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
6a083899b5c52877e9bed2e21b030918 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.3.91mdk.ppc.rpm
0e3eee09e1f2ceb59422f4ff0ce4a073 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.3.91mdk.ppc.rpm
71a44d67de3c656025f9d9df93e690df ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.3.91mdk.ppc.rpm
bfba9442501c5c618f1f3953728de8fe ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.3.91mdk.ppc.rpm
fd0cae85733542b6e5edc422c6e85272 ppc/9.1/RPMS/openssl-0.9.7a-1.3.91mdk.ppc.rpm
7034cb0be4e172d30fe2d68a6bec27b3 ppc/9.1/SRPMS/openssl-0.9.7a-1.3.91mdk.src.rpm
fafa5780fe61503df1a92215e6dfdb24 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.3.91mdk.src.rpm
Mandrakelinux 9.2:
ca7d2493b21406d07d8c4c95e8768c47 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.2.92mdk.i586.rpm
b0f4e7317a0ffa549394590bb3814216 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.2.92mdk.i586.rpm
cf3c227a00a1f738915768a860fabf24 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.2.92mdk.i586.rpm
34b175885ae59b3a089b11a02039d88a 9.2/RPMS/openssl-0.9.7b-4.2.92mdk.i586.rpm
006292d74c144ace0a288ab444493788 9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
34246401bd6d2b211ea366d0673b2ce6 amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-4.2.92mdk.amd64.rpm
87b4e7fbeaf3640f94d67e1bd6bfc593 amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-4.2.92mdk.amd64.rpm
a3c9c929398a68ce06cce5fd537f4387 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-4.2.92mdk.amd64.rpm
85155f93b8c769759b901b44f71974dd amd64/9.2/RPMS/openssl-0.9.7b-4.2.92mdk.amd64.rpm
006292d74c144ace0a288ab444493788 amd64/9.2/SRPMS/openssl-0.9.7b-4.2.92mdk.src.rpm
Multi Network Firewall 8.2:
99eb1a2e1e97c207d39f5882c4acafe5 mnf8.2/RPMS/libopenssl0-0.9.6i-1.6.M82mdk.i586.rpm
e9564e5b55b8fdf4b8e8af1b1c0c56a2 mnf8.2/RPMS/openssl-0.9.6i-1.6.M82mdk.i586.rpm
1ae8ea6a7254b5abe1cbc0a6bca66997 mnf8.2/SRPMS/openssl-0.9.6i-1.6.M82mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to update.