-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:006
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : January 16, 2012
 Affected: 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in openssl:

 The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f
 performs a MAC check only if certain padding is valid, which makes it
 easier for remote attackers to recover plaintext via a padding oracle
 attack (CVE-2011-4108).

 Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when
 X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an
 unspecified impact by triggering failure of a policy check
 (CVE-2011-4109).

 The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before
 1.0.0f does not properly initialize data structures for block cipher
 padding, which might allow remote attackers to obtain sensitive
 information by decrypting the padding data sent by an SSL peer
 (CVE-2011-4576).

 The Server Gated Cryptography (SGC) implementation in OpenSSL before
 0.9.8s and 1.x before 1.0.0f does not properly handle handshake
 restarts, which allows remote attackers to cause a denial of service via
 unspecified vectors (CVE-2011-4619).

 The updated packages have been patched to correct these issues.
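 The first issue (CVE-2011-4108) is about the order of the record checks:
 when the MAC is verified only after the padding has passed, a peer that
 sends corrupted records can tell a padding failure from a MAC failure,
 which is the signal a padding oracle needs. The sketch below is an added
 example written for this advisory, not OpenSSL code. It models the
 post-decryption check of a TLS/DTLS CBC record (data || HMAC-SHA1 ||
 padding) with the block cipher itself left out, and contrasts the
 "MAC only if the padding is valid" order with a check that always
 computes the MAC and reports one uniform failure. The key, payload and
 pad length are constructed values; the "always run the MAC check" shape
 follows the idea stated in the advisory, not OpenSSL's actual patch.

```python
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 tag length, as in the TLS 1.0 / DTLS 1.0 CBC suites

# Counts MAC computations so the two check orders can be compared.
STATS = {"mac_calls": 0}


class PaddingError(Exception):
    """Distinct padding failure: observable by the peer in the vulnerable order."""


class MacError(Exception):
    """Distinct MAC failure: observable by the peer in the vulnerable order."""


class RecordError(Exception):
    """Single, uniform failure used by the hardened check."""


def _mac(mac_key, data):
    STATS["mac_calls"] += 1
    return hmac.new(mac_key, data, hashlib.sha1).digest()


def build_record(mac_key, data, padlen):
    """Lay out a decrypted record: data || MAC || (padlen+1) bytes of value padlen."""
    return data + _mac(mac_key, data) + bytes([padlen]) * (padlen + 1)


def check_record_vulnerable(mac_key, decrypted):
    """Vulnerable order: the MAC is checked only when the padding is valid."""
    if len(decrypted) < MAC_LEN + 1:
        raise PaddingError("record too short")
    padlen = decrypted[-1]
    if padlen + 1 > len(decrypted) - MAC_LEN:
        raise PaddingError("padding length exceeds record")
    if any(b != padlen for b in decrypted[-(padlen + 1):]):
        raise PaddingError("padding bytes malformed")  # returns before any MAC work
    body = decrypted[:-(padlen + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(_mac(mac_key, data), tag):
        raise MacError("bad MAC")
    return data


def check_record_hardened(mac_key, decrypted):
    """Hardened order: the MAC is always computed and every failure looks the same."""
    if len(decrypted) < MAC_LEN + 1:
        raise RecordError("bad record MAC")
    padlen = decrypted[-1]
    padding_ok = (padlen + 1 <= len(decrypted) - MAC_LEN
                  and all(b == padlen for b in decrypted[-(padlen + 1):]))
    # If the padding is bad, strip only the length byte so a MAC is still
    # verified over something; the record is rejected either way.
    strip = padlen + 1 if padding_ok else 1
    body = decrypted[:-strip]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(_mac(mac_key, data), tag)
    if not (padding_ok and mac_ok):
        raise RecordError("bad record MAC")
    return data


def outcome(check, mac_key, decrypted):
    """Return what a peer could observe: 'ok' or the name of the failure raised."""
    try:
        check(mac_key, decrypted)
        return "ok"
    except (PaddingError, MacError, RecordError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    key = b"constructed-mac-key"                       # constructed value
    good = build_record(key, b"record payload", 3)     # constructed payload
    bad_padding = good[:-1] + bytes([good[-1] ^ 0x01])  # corrupt the pad-length byte
    bad_mac = bytes([good[0] ^ 0x01]) + good[1:]        # corrupt a data byte
    for name, rec in [("good", good), ("bad padding", bad_padding), ("bad MAC", bad_mac)]:
        print(f"{name:12} vulnerable={outcome(check_record_vulnerable, key, rec):13}"
              f" hardened={outcome(check_record_hardened, key, rec)}")
```

 Running it shows the vulnerable check reporting PaddingError for one
 corrupted record and MacError for the other, with no MAC computed at all
 in the padding case, while the hardened check computes the MAC every
 time and reports RecordError for both. Collapsing the failure types
 removes the explicit oracle this advisory describes; it does not by
 itself make the check constant-time, since the amount of MAC work still
 depends on the pad length.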
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4108
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4109
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4576
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4619
 http://www.openssl.org/news/secadv_20120104.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 afa95c1b1efc52b00f763845af45725e  2010.1/i586/libopenssl0.9.8-0.9.8s-0.1mdv2010.2.i586.rpm
 bfb9fba942121a98979ae9e922b53a1b  2010.1/i586/libopenssl1.0.0-1.0.0a-1.9mdv2010.2.i586.rpm
 0bc4b73013fff6b7cf8b118289dec204  2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.9mdv2010.2.i586.rpm
 940dd174dba069977b50dabe16e8b01f  2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.9mdv2010.2.i586.rpm
 e46c355b2ed1e50204f03b77ecdbaa54  2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.9mdv2010.2.i586.rpm
 2e38206984014928b70803c29f820ab4  2010.1/i586/openssl-1.0.0a-1.9mdv2010.2.i586.rpm
 39e24474ff4a35adfc8760c640c5cdf7  2010.1/SRPMS/openssl0.9.8-0.9.8s-0.1mdv2010.2.src.rpm
 4f5b24138660a10d54f88a7db7d23ae4  2010.1/SRPMS/openssl-1.0.0a-1.9mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 493d7997720b64503d1223f0acd0ad95  2010.1/x86_64/lib64openssl0.9.8-0.9.8s-0.1mdv2010.2.x86_64.rpm
 57fd5e751799263d9efea494b7954121  2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.9mdv2010.2.x86_64.rpm
 aa8614ea58fb6e5afc35367304472652  2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.9mdv2010.2.x86_64.rpm
 dfe821307ec7e11318a4bd15e37a7475  2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.9mdv2010.2.x86_64.rpm
 80423dbb1ba97b8115d000d961c08426  2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.9mdv2010.2.x86_64.rpm
 f7fe3031b8b4ed176deb1eb7bd3917e0  2010.1/x86_64/openssl-1.0.0a-1.9mdv2010.2.x86_64.rpm
 39e24474ff4a35adfc8760c640c5cdf7  2010.1/SRPMS/openssl0.9.8-0.9.8s-0.1mdv2010.2.src.rpm
 4f5b24138660a10d54f88a7db7d23ae4  2010.1/SRPMS/openssl-1.0.0a-1.9mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 420e3b0756b3e2d54f9b3d938ed67705  mes5/i586/libopenssl0.9.8-0.9.8h-3.12mdvmes5.2.i586.rpm
 d03e34a594f6650d1ccc0edaf53665ac  mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.12mdvmes5.2.i586.rpm
 a76a3e677d942d223ac346c13088ed2e  mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.12mdvmes5.2.i586.rpm
 c031589e8f7bc6c87463c334cc74643a  mes5/i586/openssl-0.9.8h-3.12mdvmes5.2.i586.rpm
 60a5c08d0f8cf8455d8de874c4a5c536  mes5/SRPMS/openssl-0.9.8h-3.12mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 9bd17d8bcf25f3af4a22fe5938667f50  mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.12mdvmes5.2.x86_64.rpm
 3598de5cbab06aa3c5ece65ef0c3cb5e  mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.12mdvmes5.2.x86_64.rpm
 4561a4c97e3d8e0f5c2b7478cce73bf5  mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.12mdvmes5.2.x86_64.rpm
 d72de8d2a7d5d61bbe1e289e195de87b  mes5/x86_64/openssl-0.9.8h-3.12mdvmes5.2.x86_64.rpm
 60a5c08d0f8cf8455d8de874c4a5c536  mes5/SRPMS/openssl-0.9.8h-3.12mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPFFPomqjQ0CJFipgRAl3XAJ98ku9J45p5DbU9rrN6ysGe/RplGQCg1ueY
rXmxnKKkthEOaOLbMi8jRlg=
=HfOo
-----END PGP SIGNATURE-----
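 urpmi verifies checksums and signatures on its own, as the advisory says.
 For packages fetched out-of-band (mirrors, offline media), the following
 added example, written for this page and not Mandriva tooling, parses the
 "md5sum  path" lines of the Updated Packages section and checks files on
 disk against them. It assumes the files are saved under a local directory
 that mirrors the relative paths in the advisory; the demo builds its own
 directory with constructed file contents and a constructed checksum list,
 while ADVISORY_EXCERPT quotes two real lines from the list above.

```python
import hashlib
import os
import re
import tempfile

# One "md5sum  relative/path.rpm" line; section headers such as
# "Mandriva Linux 2010.1:" do not match and are skipped.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")


def parse_advisory_checksums(text):
    """Map each package path listed in the advisory to its expected MD5."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_of_file(path):
    """Hash a file in chunks so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected, base_dir):
    """Return {path: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for rel_path, digest in expected.items():
        full = os.path.join(base_dir, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif md5_of_file(full) == digest:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


# Excerpt of the advisory's own package list (values copied from the page).
ADVISORY_EXCERPT = """\
 Mandriva Linux 2010.1:
 afa95c1b1efc52b00f763845af45725e  2010.1/i586/libopenssl0.9.8-0.9.8s-0.1mdv2010.2.i586.rpm
 2e38206984014928b70803c29f820ab4  2010.1/i586/openssl-1.0.0a-1.9mdv2010.2.i586.rpm
"""


def demo():
    """Run the verifier on constructed files: one matching, one altered, one absent."""
    # Constructed listing: good.rpm's digest is computed from its constructed
    # contents; tampered.rpm is listed with a digest its contents do not match.
    good_bytes = b"constructed package contents"
    listing = "\n".join([
        " Constructed section:",
        f" {hashlib.md5(good_bytes).hexdigest()}  dist/i586/good.rpm",
        f" {'0' * 32}  dist/i586/tampered.rpm",
        f" {'f' * 32}  dist/SRPMS/absent.src.rpm",
    ])
    expected = parse_advisory_checksums(listing)
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "dist", "i586"))
        with open(os.path.join(base, "dist", "i586", "good.rpm"), "wb") as f:
            f.write(good_bytes)
        with open(os.path.join(base, "dist", "i586", "tampered.rpm"), "wb") as f:
            f.write(b"not what the listing says")
        return verify_downloads(expected, base)


if __name__ == "__main__":
    for path, digest in parse_advisory_checksums(ADVISORY_EXCERPT).items():
        print(digest, path)
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

 The MD5 list catches truncated or corrupted transfers; it is not a
 substitute for the package signatures, since MD5 is no longer collision
 resistant. Authenticity rests on the GPG signatures that urpmi checks
 against the Mandriva Security Team key named in the advisory.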