what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-120

Mandriva Linux Security Advisory 2009-120
Posted May 21, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-120 - Multiple security vulnerabilities has been identified and fixed in OpenSSL. The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of future epoch DTLS records that are buffered in a queue, aka DTLS record buffer limitation bug. Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka DTLS fragment handling memory leak. The updated packages have been patched to prevent this.

tags | advisory, remote, denial of service, vulnerability, memory leak
systems | linux, mandriva
advisories | CVE-2009-1377, CVE-2009-1378
SHA-256 | 7e8ebc6722e9cb207f931607e5f931703c3b62ea75e530755e6a4508a4f1894b

Mandriva Linux Security Advisory 2009-120

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:120
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : May 21, 2009
Affected: 2008.1, 2009.0, 2009.1
_______________________________________________________________________

Problem Description:

Multiple security vulnerabilities has been identified and fixed
in OpenSSL:

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k
and earlier 0.9.8 versions allows remote attackers to cause a denial
of service (memory consumption) via a large series of future epoch
DTLS records that are buffered in a queue, aka DTLS record buffer
limitation bug. (CVE-2009-1377)

Multiple memory leaks in the dtls1_process_out_of_seq_message function
in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow
remote attackers to cause a denial of service (memory consumption)
via DTLS records that (1) are duplicates or (2) have sequence numbers
much greater than current sequence numbers, aka DTLS fragment handling
memory leak. (CVE-2009-1378)

The updated packages have been patched to prevent this.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.1:
9492fe3bf022be9f7529e594844033d4 2008.1/i586/libopenssl0.9.8-0.9.8g-4.4mdv2008.1.i586.rpm
54166454819e21289e49a6e2986e7f30 2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.4mdv2008.1.i586.rpm
0ee9a01df9bc622268eb052400433de7 2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.4mdv2008.1.i586.rpm
b681fd12d6cd2bdbb85d1726b2db4a99 2008.1/i586/openssl-0.9.8g-4.4mdv2008.1.i586.rpm
217fe6c6af5265755ec2105b1f3bebaf 2008.1/SRPMS/openssl-0.9.8g-4.4mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
6409f96a04a2d3946a1b72f63a868e5d 2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.4mdv2008.1.x86_64.rpm
d00a048d4d263f28539171f89d5de1e8 2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.4mdv2008.1.x86_64.rpm
03bbd2a59f8bc5f0d1d6cb54736f024c 2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.4mdv2008.1.x86_64.rpm
797c40fa3bd86009061423713e2292c5 2008.1/x86_64/openssl-0.9.8g-4.4mdv2008.1.x86_64.rpm
217fe6c6af5265755ec2105b1f3bebaf 2008.1/SRPMS/openssl-0.9.8g-4.4mdv2008.1.src.rpm

Mandriva Linux 2009.0:
94d6f4be3c42586813be16a2270c89bf 2009.0/i586/libopenssl0.9.8-0.9.8h-3.3mdv2009.0.i586.rpm
59e4214a9e5d703a88e5c695adf498b9 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.3mdv2009.0.i586.rpm
3819b2efba54362f7e8e4a821254f258 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.3mdv2009.0.i586.rpm
ecd5bea8f1fe9dd6b4e8506c0b0705ae 2009.0/i586/openssl-0.9.8h-3.3mdv2009.0.i586.rpm
c4354a0c28d3e83b9ff529a70bede4bd 2009.0/SRPMS/openssl-0.9.8h-3.3mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
e3c14742691a67f21ed7a7c9abe775a2 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.3mdv2009.0.x86_64.rpm
b2bc687de0793a6c14649fa68c7d043b 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.3mdv2009.0.x86_64.rpm
76f91d3544039f65b77894a86a45e09c 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.3mdv2009.0.x86_64.rpm
418ef4a5a9a24fc8437baf75d8c12944 2009.0/x86_64/openssl-0.9.8h-3.3mdv2009.0.x86_64.rpm
c4354a0c28d3e83b9ff529a70bede4bd 2009.0/SRPMS/openssl-0.9.8h-3.3mdv2009.0.src.rpm

Mandriva Linux 2009.1:
9c46d7da9fb61cef36532ea0c25fd881 2009.1/i586/libopenssl0.9.8-0.9.8k-1.1mdv2009.1.i586.rpm
7a984a72c9b2c7b0549dabf4f7b353fd 2009.1/i586/libopenssl0.9.8-devel-0.9.8k-1.1mdv2009.1.i586.rpm
0e8b58b6e02958d05d19e78d9725cd45 2009.1/i586/libopenssl0.9.8-static-devel-0.9.8k-1.1mdv2009.1.i586.rpm
a32d8acd870490b6efba309da6dce043 2009.1/i586/openssl-0.9.8k-1.1mdv2009.1.i586.rpm
7b9c16777f3e88674fb65d0c28df10ff 2009.1/SRPMS/openssl-0.9.8k-1.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
8f3c93a2af5e8950bbc3846fc7f90568 2009.1/x86_64/lib64openssl0.9.8-0.9.8k-1.1mdv2009.1.x86_64.rpm
8573eab7fdffff97807255dc91154abc 2009.1/x86_64/lib64openssl0.9.8-devel-0.9.8k-1.1mdv2009.1.x86_64.rpm
a557449ae9983495e61eabaeb5300895 2009.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-1.1mdv2009.1.x86_64.rpm
99f346d65571efb2c4142aab5f074038 2009.1/x86_64/openssl-0.9.8k-1.1mdv2009.1.x86_64.rpm
7b9c16777f3e88674fb65d0c28df10ff 2009.1/SRPMS/openssl-0.9.8k-1.1mdv2009.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKFVC5mqjQ0CJFipgRAtM8AJ4rG/qVR2mmrgw4dKgmbxz/d18zMQCfa/qL
p/lIHdhpygpSxPt6iwyKWI4=
=tZ5R
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close