what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2011-137

Mandriva Linux Security Advisory 2011-137
Posted Sep 28, 2011
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-137 - The elliptic curve cryptography subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation. crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past. The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages, which allows remote attackers to cause a denial of service via out-of-order messages that violate the TLS protocol.

tags | advisory, remote, denial of service, cryptography, protocol
systems | linux, mandriva
advisories | CVE-2011-1945, CVE-2011-3207, CVE-2011-3210
SHA-256 | 83fe8b76f3683d9eb0fcf02ef6b3ea18f900160bf76d8b38af1184c342723125

Mandriva Linux Security Advisory 2011-137

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:137
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : September 28, 2011
Affected: 2010.1, 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in openssl:

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
is used for the ECDHE_ECDSA cipher suite, does not properly implement
curves over binary fields, which makes it easier for context-dependent
attackers to determine private keys via a timing attack and a lattice
calculation (CVE-2011-1945).

crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
initialize certain structure members, which makes it easier for
remote attackers to bypass CRL validation by using a nextUpdate value
corresponding to a time in the past (CVE-2011-3207).

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
processing of handshake messages, which allows remote attackers
to cause a denial of service (application crash) via out-of-order
messages that violate the TLS protocol (CVE-2011-3210).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
bd60d1b484309734bc8071f8d56c78d4 2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
db2a2d676ab59df2a7077f0888cbc7f5 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.8mdv2010.2.i586.rpm
bbf3789a5da46dc0dde527352f15bb2d 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.i586.rpm
9a757b9d019b952696fbbf1bdb80571e 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
2527313d11471e17bac3309941f7aaf8 2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm
e9dbe57d404042917b3ed2bf233f2e41 2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
6c11f02b7a582a4ff2129f3f4183ffdd 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
16eb55a62466f8c8bb7b642011dea54a 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
080662986ef9f21128c2c4bca3d9e0aa 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
b58cfdb41d740a2176ea2f9d2a33cae5 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
6a8f48aea469d9183725bd22acfab8cc 2010.1/x86_64/openssl-1.0.0a-1.8mdv2010.2.x86_64.rpm
e9dbe57d404042917b3ed2bf233f2e41 2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

Mandriva Linux 2011:
5fd58662d6a52ac88efe81f989fc9ede 2011/i586/libopenssl1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
aa9043268df01b6785c988947731908b 2011/i586/libopenssl-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
3b749c8a41b714e84bd7732cd6ee5089 2011/i586/libopenssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
77d9dbad979416dd1b4af54b463c9858 2011/i586/libopenssl-static-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
fb567a8bafc6b42337c85a0f33ff33cb 2011/i586/openssl-1.0.0d-2.1-mdv2011.0.i586.rpm
175e8639972a6d4fd2a632ef77a879b2 2011/SRPMS/openssl-1.0.0d-2.1.src.rpm

Mandriva Linux 2011/X86_64:
93891e6f060d2079ea9a4a949fe40a25 2011/x86_64/lib64openssl1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
02a059bdb85b00ebcf029ed62142b5f6 2011/x86_64/lib64openssl-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
136b35ff7bff01b4791b7b366cff6c88 2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
1aaf1d105b86c1be2a367d4189c12c3b 2011/x86_64/lib64openssl-static-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
766878bba443c3d2163451d383591e79 2011/x86_64/openssl-1.0.0d-2.1-mdv2011.0.x86_64.rpm
175e8639972a6d4fd2a632ef77a879b2 2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOgzHYmqjQ0CJFipgRAsTZAKDW2iAKcrQ2Wn3WUQOZKyrtR0wF/gCdE7Wq
p8MJC4PHvZEv/WH8jrDBGB0=
=oOhw
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close