exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2009-237

Mandriva Linux Security Advisory 2009-237
Posted Sep 21, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-237 - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. The NSS library library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spooof certificates by using MD2 design flaws the scope of this issue is currently limited because the amount of computation required is still large. This update provides a solution to these vulnerabilities.

tags | advisory, remote, denial of service, vulnerability
systems | linux, mandriva
advisories | CVE-2009-1386, CVE-2009-2409
SHA-256 | 6b72823540faf713afc600893f4b4f73da01b097b7de2809c1b8a8f80d4521e0

Mandriva Linux Security Advisory 2009-237

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:237
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : September 21, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities was discovered and corrected in openssl:

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to
cause a denial of service (NULL pointer dereference and daemon crash)
via a DTLS ChangeCipherSpec packet that occurs before ClientHello
(CVE-2009-1386).

The NSS library library before 3.12.3, as used in Firefox; GnuTLS
before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other
products support MD2 with X.509 certificates, which might allow
remote attackers to spooof certificates by using MD2 design flaws
to generate a hash collision in less than brute-force time. NOTE:
the scope of this issue is currently limited because the amount of
computation required is still large (CVE-2009-2409).

This update provides a solution to these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
52c4eef7e013ff51da821c9739f8455c corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
ee8c84605e6073baa7ba8f7a2583688f corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
c4644081608a0322998acaff8aeb7855 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
613010dc703d61de93bfad8ccc91cc67 corporate/3.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm

Corporate 3.0/X86_64:
37a8fb11191834bd7e45ec4ccb3cdeb8 corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.11.C30mdk.x86_64.rpm
9fd74f7123edae69f4bb674d35b96ef8 corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
247b548bbbc772c69a3c1cc54e350d90 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.x86_64.rpm
779e9ac5fffaf96141be8ea77f963e83 corporate/3.0/x86_64/openssl-0.9.7c-3.11.C30mdk.x86_64.rpm
141b07323226c91355ccb28f0ad93f97 corporate/3.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm

Corporate 4.0:
92833c7613875f935a0ac42c1ee22328 corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.10.20060mlcs4.i586.rpm
6ca9508b8769fe3e0f7e25a9aa73d82d corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
ec80b2ccb7231f71fcf81cc200985d88 corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.i586.rpm
efa7973f515618a3bc77f1ee8969a982 corporate/4.0/i586/openssl-0.9.7g-2.10.20060mlcs4.i586.rpm
4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
271634c0d8e82fe4a3302c04dc7d6e87 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.10.20060mlcs4.x86_64.rpm
72f2b3717cd75ab119323252e3b89e5b corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
2fb0977d4a4fce2466c05cabf64f56a6 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.10.20060mlcs4.x86_64.rpm
1a10542aec4bc4bfa97064c081d89f06 corporate/4.0/x86_64/openssl-0.9.7g-2.10.20060mlcs4.x86_64.rpm
4953a1c50fcbebc06d4ef46832155029 corporate/4.0/SRPMS/openssl-0.9.7g-2.10.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
52c4eef7e013ff51da821c9739f8455c mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.11.C30mdk.i586.rpm
ee8c84605e6073baa7ba8f7a2583688f mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.11.C30mdk.i586.rpm
c4644081608a0322998acaff8aeb7855 mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.11.C30mdk.i586.rpm
613010dc703d61de93bfad8ccc91cc67 mnf/2.0/i586/openssl-0.9.7c-3.11.C30mdk.i586.rpm
141b07323226c91355ccb28f0ad93f97 mnf/2.0/SRPMS/openssl-0.9.7c-3.11.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKt5fFmqjQ0CJFipgRAvMNAJ4zquZZu032FYwhkb5YZgClNRot8ACfdtBs
7+ICSmUVqTQP8OAgWNIh3ow=
=2QEL
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close