-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:137
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : September 28, 2011
 Affected: 2010.1, 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in openssl:

 The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
 earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is
 used for the ECDHE_ECDSA cipher suite, does not properly implement
 curves over binary fields, which makes it easier for context-dependent
 attackers to determine private keys via a timing attack and a lattice
 calculation (CVE-2011-1945).

 crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
 initialize certain structure members, which makes it easier for remote
 attackers to bypass CRL validation by using a nextUpdate value
 corresponding to a time in the past (CVE-2011-3207).

 The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
 processing of handshake messages, which allows remote attackers to
 cause a denial of service (application crash) via out-of-order messages
 that violate the TLS protocol (CVE-2011-3210).

 Packages for 2009.0 are provided as part of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490

 The updated packages have been patched to correct these issues.
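The CRL time check behind CVE-2011-3207 is worth seeing in code: a verifier that does not compare nextUpdate against the current time will accept a CRL an attacker has kept around from before a revocation. The following is an added example, not part of the advisory or of OpenSSL. It builds a minimal, unsigned CRL by hand (the issuer name "Example CA", the placeholder signature bits and the fixed timestamp NOW are constructed for the demonstration; signature verification is out of scope) and then applies the freshness rule a verifier must enforce, rejecting a CRL whose nextUpdate is already in the past. The function names (build_unsigned_crl, crl_update_times, check_crl_freshness) are the example's own.

```python
"""Freshness check for a DER-encoded X.509 CRL (RFC 5280, section 5.1).

Added example, not advisory or OpenSSL code. The CRL is hand-built and
UNSIGNED so the check runs offline; only the thisUpdate/nextUpdate logic
is demonstrated.
"""
from datetime import datetime, timezone
from typing import Optional, Tuple


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _utctime(dt: datetime) -> bytes:
    """UTCTime: YYMMDDHHMMSSZ (two-digit year, as CRLs commonly use)."""
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_unsigned_crl(this_update: datetime, next_update: Optional[datetime]) -> bytes:
    """Constructed CertificateList: v2, sha256WithRSAEncryption, issuer CN=Example CA,
    no revoked entries, and a placeholder (all-zero) signature BIT STRING."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                                + _der(0x0C, b"Example CA"))))
    tbs = _der(0x02, b"\x01") + sha256_rsa + issuer + _utctime(this_update)
    if next_update is not None:          # nextUpdate is OPTIONAL in the ASN.1
        tbs += _utctime(next_update)
    sig = _der(0x03, b"\x00" + b"\x00" * 8)   # placeholder, not a real signature
    return _der(0x30, _der(0x30, tbs) + sha256_rsa + sig)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode UTCTime (0x17, years 1950..2049 per RFC 5280) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_update_times(crl_der: bytes) -> Tuple[datetime, Optional[datetime]]:
    """Walk CertificateList -> TBSCertList and return (thisUpdate, nextUpdate or None)."""
    _, cert_list, _ = _read_tlv(crl_der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0x02:                      # optional version INTEGER precedes the AlgorithmIdentifier
        tag, _, pos = _read_tlv(tbs, pos)
    _, _, pos = _read_tlv(tbs, pos)      # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, pos = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):          # otherwise it is revokedCertificates/extensions
            next_update = _parse_time(tag, val)
    return this_update, next_update


def check_crl_freshness(crl_der: bytes, now: datetime) -> str:
    """Time rule a CRL verifier must apply (the one the bug let a stale CRL slip past):
    thisUpdate in the future -> 'not-yet-valid'; nextUpdate present and already
    passed -> 'expired'; otherwise 'ok'. A missing nextUpdate is accepted here."""
    this_update, next_update = crl_update_times(crl_der)
    if this_update > now:
        return "not-yet-valid"
    if next_update is not None and next_update < now:
        return "expired"
    return "ok"


# Constructed fixtures: "now" is the advisory date.
NOW = datetime(2011, 9, 28, 12, 0, tzinfo=timezone.utc)
FRESH_CRL = build_unsigned_crl(datetime(2011, 9, 1, tzinfo=timezone.utc),
                               datetime(2011, 10, 1, tzinfo=timezone.utc))
STALE_CRL = build_unsigned_crl(datetime(2011, 8, 1, tzinfo=timezone.utc),
                               datetime(2011, 9, 1, tzinfo=timezone.utc))
FUTURE_CRL = build_unsigned_crl(datetime(2011, 10, 1, tzinfo=timezone.utc), None)
NO_NEXT_CRL = build_unsigned_crl(datetime(2011, 9, 1, tzinfo=timezone.utc), None)

if __name__ == "__main__":
    for name, crl in [("fresh", FRESH_CRL), ("stale", STALE_CRL),
                      ("future", FUTURE_CRL), ("no nextUpdate", NO_NEXT_CRL)]:
        print(f"{name:14s} {crl_update_times(crl)} -> {check_crl_freshness(crl, NOW)}")
```

A stale CRL is only dangerous in combination with a verifier that skips this comparison; the fix in 1.0.0e is to initialize the verification state so the comparison actually runs. On a live system the equivalent manual check is `openssl crl -in <file> -noout -nextupdate`, compared by eye against the current date.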
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 bd60d1b484309734bc8071f8d56c78d4  2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 db2a2d676ab59df2a7077f0888cbc7f5  2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 bbf3789a5da46dc0dde527352f15bb2d  2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.i586.rpm
 9a757b9d019b952696fbbf1bdb80571e  2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm
 2527313d11471e17bac3309941f7aaf8  2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 6c11f02b7a582a4ff2129f3f4183ffdd  2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 16eb55a62466f8c8bb7b642011dea54a  2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 080662986ef9f21128c2c4bca3d9e0aa  2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.8mdv2010.2.x86_64.rpm
 b58cfdb41d740a2176ea2f9d2a33cae5  2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.8mdv2010.2.x86_64.rpm
 6a8f48aea469d9183725bd22acfab8cc  2010.1/x86_64/openssl-1.0.0a-1.8mdv2010.2.x86_64.rpm
 e9dbe57d404042917b3ed2bf233f2e41  2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm

 Mandriva Linux 2011:
 5fd58662d6a52ac88efe81f989fc9ede  2011/i586/libopenssl1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 aa9043268df01b6785c988947731908b  2011/i586/libopenssl-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 3b749c8a41b714e84bd7732cd6ee5089  2011/i586/libopenssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.i586.rpm
 77d9dbad979416dd1b4af54b463c9858  2011/i586/libopenssl-static-devel-1.0.0d-2.1-mdv2011.0.i586.rpm
 fb567a8bafc6b42337c85a0f33ff33cb  2011/i586/openssl-1.0.0d-2.1-mdv2011.0.i586.rpm
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm

 Mandriva Linux 2011/X86_64:
 93891e6f060d2079ea9a4a949fe40a25  2011/x86_64/lib64openssl1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 02a059bdb85b00ebcf029ed62142b5f6  2011/x86_64/lib64openssl-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 136b35ff7bff01b4791b7b366cff6c88  2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 1aaf1d105b86c1be2a367d4189c12c3b  2011/x86_64/lib64openssl-static-devel-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 766878bba443c3d2163451d383591e79  2011/x86_64/openssl-1.0.0d-2.1-mdv2011.0.x86_64.rpm
 175e8639972a6d4fd2a632ef77a879b2  2011/SRPMS/openssl-1.0.0d-2.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOgzHYmqjQ0CJFipgRAsTZAKDW2iAKcrQ2Wn3WUQOZKyrtR0wF/gCdE7Wq
p8MJC4PHvZEv/WH8jrDBGB0=
=oOhw
-----END PGP SIGNATURE-----
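urpmi and MandrivaUpdate check the md5 sums and GPG signatures for you, but packages fetched by hand (from a mirror, or carried to an offline host) can be checked against the "Updated Packages" list before `rpm -Uvh`. The following is an added example, not a Mandriva tool: parse_advisory_manifest reads the `<md5>  <path>.rpm` lines straight out of the advisory text, verify_downloads hashes the local files and reports ok/MISMATCH/MISSING per entry, and demo() runs it against stand-in files in a temporary directory. The file contents, the manifest hashes in demo() and the deliberately altered file are constructed for the demonstration; the real rpms are not included.

```python
"""Check hand-downloaded RPMs against an advisory's md5 list.

Added example, not Mandriva tooling. The manifest parser accepts the
advisory text as-is (headings and rules are skipped); the demo uses
constructed stand-in files rather than real packages.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict

# "<32 hex digits>  <release>/<arch>/<name>.rpm", as printed in the advisory
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")


def parse_advisory_manifest(text: str) -> Dict[str, str]:
    """Map package path (as listed in the advisory) -> expected md5 hex digest."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            manifest[m.group(2)] = m.group(1)
    return manifest


def md5_of_file(path: Path) -> str:
    """Stream the file so multi-megabyte rpms are not read into memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest: Dict[str, str], download_dir: Path) -> Dict[str, str]:
    """Return {advisory path: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry.
    Local files are looked up by basename, which is how a mirror fetch leaves them."""
    results: Dict[str, str] = {}
    for rel_path, expected in manifest.items():
        local = download_dir / Path(rel_path).name
        if not local.exists():
            results[rel_path] = "MISSING"
        elif md5_of_file(local) != expected:
            results[rel_path] = "MISMATCH"
        else:
            results[rel_path] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Run the verifier on constructed stand-ins: one intact, one altered, one absent."""
    good = b"constructed stand-in for the openssl package\n"
    published = b"constructed stand-in for libopenssl, as published\n"
    altered = b"constructed stand-in for libopenssl, altered in transit\n"
    names = [
        "2010.1/i586/openssl-1.0.0a-1.8mdv2010.2.i586.rpm",
        "2010.1/i586/libopenssl1.0.0-1.0.0a-1.8mdv2010.2.i586.rpm",
        "2010.1/SRPMS/openssl-1.0.0a-1.8mdv2010.2.src.rpm",
    ]
    # Constructed manifest in the advisory's layout; these hashes are NOT the advisory's.
    text = (
        " Updated Packages:\n\n Mandriva Linux 2010.1:\n"
        f" {hashlib.md5(good).hexdigest()}  {names[0]}\n"
        f" {hashlib.md5(published).hexdigest()}  {names[1]}\n"
        f" {hashlib.md5(b'never downloaded').hexdigest()}  {names[2]}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        dl = Path(d)
        (dl / Path(names[0]).name).write_bytes(good)
        (dl / Path(names[1]).name).write_bytes(altered)   # tampered copy
        return verify_downloads(parse_advisory_manifest(text), dl)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

An md5 match only guards against truncation or corruption in transit; md5 is not collision resistant, so the authenticity check is the package signature. After importing the key the advisory names (`gpg --recv-keys` as above, then `rpm --import` of the exported key), `rpm --checksig <file.rpm>` verifies the signature on each downloaded package before it is installed.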