Mandriva Linux Security Advisory 2011-028 - Incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message. This allows an attacker to crash an application using OpenSSL by triggering an invalid memory access. Additionally, some applications may be vulnerable to expose contents of a parsed OCSP nonce extension.
2b7b0d41ceaac24980fc028cbc657ac4083b57ea934c5280858484dfc8348854-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:028
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : February 15, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in openssl:
Incorrectly formatted ClientHello handshake message could cause
OpenSSL to parse past the end of the message. This allows an attacker
to crash an application using OpenSSL by triggering an invalid memory
access. Additionally, some applications may be vulnerable to expose
contents of a parsed OCSP nonce extension (CVE-2011-0014).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
http://www.openssl.org/news/secadv_20110208.txt
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
38f625b6d5fbbe74a8c228aa2261e2dd 2009.0/i586/libopenssl0.9.8-0.9.8h-3.10mdv2009.0.i586.rpm
fc61b0714b019365cc6f927b37fc3d10 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.10mdv2009.0.i586.rpm
544527692f55e0a1dd59dc6370ab020b 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.10mdv2009.0.i586.rpm
41849ac9f12a2e2cff0e3944fa6e984e 2009.0/i586/openssl-0.9.8h-3.10mdv2009.0.i586.rpm
4f1f59751b6c48966dd85c761c822762 2009.0/SRPMS/openssl-0.9.8h-3.10mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
83790a38803c0b6622ba71a538653469 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.10mdv2009.0.x86_64.rpm
a7e8ca42a278289153a426ff6e63f2d4 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.10mdv2009.0.x86_64.rpm
a31de505d5ef07d262fcef09f7846b2c 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.10mdv2009.0.x86_64.rpm
a2c3c6535501e1d1d1af0a819b38ec20 2009.0/x86_64/openssl-0.9.8h-3.10mdv2009.0.x86_64.rpm
4f1f59751b6c48966dd85c761c822762 2009.0/SRPMS/openssl-0.9.8h-3.10mdv2009.0.src.rpm
Mandriva Linux 2010.0:
abdfb70b4da472be8e39ebb4c469931c 2010.0/i586/libopenssl0.9.8-0.9.8k-5.5mdv2010.0.i586.rpm
8d36690ea49e17af8473f5005b4c2016 2010.0/i586/libopenssl0.9.8-devel-0.9.8k-5.5mdv2010.0.i586.rpm
0a34f7cfdbf7ef06a469713ab51d4c4b 2010.0/i586/libopenssl0.9.8-static-devel-0.9.8k-5.5mdv2010.0.i586.rpm
572cf6c010a3eab274382ab47611a83f 2010.0/i586/openssl-0.9.8k-5.5mdv2010.0.i586.rpm
70d71de478326bc6db05ca545526e0d0 2010.0/SRPMS/openssl-0.9.8k-5.5mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
1dca8566715761fca736dd8c99bee27f 2010.0/x86_64/lib64openssl0.9.8-0.9.8k-5.5mdv2010.0.x86_64.rpm
3832de97378a5d8f770bba220bec3d03 2010.0/x86_64/lib64openssl0.9.8-devel-0.9.8k-5.5mdv2010.0.x86_64.rpm
e50266dff1a542a2a2309d805f694b84 2010.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-5.5mdv2010.0.x86_64.rpm
52bc3bbedec0b2a71498803cd3018b8a 2010.0/x86_64/openssl-0.9.8k-5.5mdv2010.0.x86_64.rpm
70d71de478326bc6db05ca545526e0d0 2010.0/SRPMS/openssl-0.9.8k-5.5mdv2010.0.src.rpm
Mandriva Linux 2010.1:
3126c0a905b6ae07b8c163caeefecd25 2010.1/i586/libopenssl1.0.0-1.0.0a-1.7mdv2010.2.i586.rpm
748782b5675681018f3f964da652f5da 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.7mdv2010.2.i586.rpm
73b260f3546ac32de35983b51540af7d 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.7mdv2010.2.i586.rpm
38db90137c3f027973f24d65271a2034 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.7mdv2010.2.i586.rpm
3acf9314ae1419ede25c3897ddbad817 2010.1/i586/openssl-1.0.0a-1.7mdv2010.2.i586.rpm
14a8046b861371a26ea8e9e2ea9766de 2010.1/SRPMS/openssl-1.0.0a-1.7mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
d03e0887fd3deee9d7da9825947a77c7 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.7mdv2010.2.x86_64.rpm
78040f53c574a206638ec1178c07deb7 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.7mdv2010.2.x86_64.rpm
04128b65a742b8e4aee51f927caebd53 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.7mdv2010.2.x86_64.rpm
3a9f13a9b7bc7c3dd49ba3f16d7c8cec 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.7mdv2010.2.x86_64.rpm
529279fa75b63feb3ff983eda628a416 2010.1/x86_64/openssl-1.0.0a-1.7mdv2010.2.x86_64.rpm
14a8046b861371a26ea8e9e2ea9766de 2010.1/SRPMS/openssl-1.0.0a-1.7mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
679657e8095b9f35b76cb37b68dec4a3 mes5/i586/libopenssl0.9.8-0.9.8h-3.10mdvmes5.1.i586.rpm
1b6c52db36f80ce13f0afe0f7ba8764b mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.10mdvmes5.1.i586.rpm
e7524e8012965ba844b10b3bd959e83b mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.10mdvmes5.1.i586.rpm
02d59168920e768c675980ebf75d6e5b mes5/i586/openssl-0.9.8h-3.10mdvmes5.1.i586.rpm
74fea583176d9359d81582fac7231115 mes5/SRPMS/openssl-0.9.8h-3.10mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
feb6b9d69fb30d1ffeee75aa29adfbcf mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.10mdvmes5.1.x86_64.rpm
906bc832bdc3eab2be0607c652bc9e27 mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.10mdvmes5.1.x86_64.rpm
13b2d02811444360c297f0285aa730f5 mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.10mdvmes5.1.x86_64.rpm
a625419f50968b2d061efd1d3bd5ca0c mes5/x86_64/openssl-0.9.8h-3.10mdvmes5.1.x86_64.rpm
74fea583176d9359d81582fac7231115 mes5/SRPMS/openssl-0.9.8h-3.10mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNWkFRmqjQ0CJFipgRAjjZAJ9kufr217x2SWKK2qesg6dU8BhlmwCfan5+
ceA1GpGvgGf42DP3C9B9lrA=
=J3/x
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed