-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2012:038 http://www.mandriva.com/security/ _______________________________________________________________________ Package : openssl Date : March 26, 2012 Affected: 2010.1, 2011., Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in openssl: The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack (CVE-2012-0884). The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250 (CVE-2012-1165). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 820b204b86b1f140bf8526725ee29650 2010.1/i586/libopenssl0.9.8-0.9.8u-0.1mdv2010.2.i586.rpm f19cb6b757e2502ba930c139ce6cd3c4 2010.1/i586/libopenssl1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm a57c57a8ebfb75f2da2ce416218655a9 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.11mdv2010.2.i586.rpm d5807ee096478bcca0d08f2145535f78 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.i586.rpm cacdcfe367accab7ee4ce75eefd1d28d 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm 8a3b57e03df92a2d421672a6495f34a0 2010.1/i586/openssl-1.0.0a-1.11mdv2010.2.i586.rpm 6be06368a541e654742693c6eb705fb1 2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm 2619947049700ab84d6cad214a0131f3 2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: dfb5f411e236cc9b4b3f2e005d5f0e2e 2010.1/x86_64/lib64openssl0.9.8-0.9.8u-0.1mdv2010.2.x86_64.rpm 7ee654320d85d3f3aa0bbd94bc42453b 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm 1d00d58ab6be34fd3542340300038950 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm 6c7ca81d116a60d500ffddc2f3c7fb57 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm bcdac0e2468a6e06f4078f05fdafd392 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm 836de45400c21f24fa5b21b7c706eb98 2010.1/x86_64/openssl-1.0.0a-1.11mdv2010.2.x86_64.rpm 6be06368a541e654742693c6eb705fb1 2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm 2619947049700ab84d6cad214a0131f3 2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm Mandriva Linux 2011: 1960675e9fe0ae8da138ecba0bf9e6b4 2011/i586/libopenssl1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm de70876cfc6918c35b89cae61ccb2788 2011/i586/libopenssl-devel-1.0.0d-2.4-mdv2011.0.i586.rpm 68696a78df495d3245034e776ececf24 2011/i586/libopenssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm fba71506079447ff67b7e52c15004221 2011/i586/libopenssl-static-devel-1.0.0d-2.4-mdv2011.0.i586.rpm f8992d4ee7b2c0d979a314593c590e8b 2011/i586/openssl-1.0.0d-2.4-mdv2011.0.i586.rpm 34324e854461c4102c4db333d3f575ba 2011/SRPMS/openssl-1.0.0d-2.4.src.rpm Mandriva Linux 2011/X86_64: 89645faf8d71d72afa62c2be5d21a55b 2011/x86_64/lib64openssl1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm 2f3e7dc11f36f7f10bc26669ea0d359a 2011/x86_64/lib64openssl-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm aecefb41191efa106dc11cfdff6e5dbc 2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm ec65b7b472890dd336239605846a3a56 2011/x86_64/lib64openssl-static-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm db15536fedf4e8e8e00f1877f2939f6d 2011/x86_64/openssl-1.0.0d-2.4-mdv2011.0.x86_64.rpm 34324e854461c4102c4db333d3f575ba 2011/SRPMS/openssl-1.0.0d-2.4.src.rpm Mandriva Enterprise Server 5: 4bd8479bc2fad30096d37d498240c507 mes5/i586/libopenssl0.9.8-0.9.8h-3.14mdvmes5.2.i586.rpm 33cf65c119e4d84738619a84e598aba2 mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.i586.rpm ca767a0cbeb99230946ebb35191b9df2 mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.i586.rpm 9f3bba03e5aff24ecd26bae11c99af91 mes5/i586/openssl-0.9.8h-3.14mdvmes5.2.i586.rpm 65c9f262dd6b4d66069649ea1e596b4b mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: e0b68754036f1114ed20cf8199d7625d mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.14mdvmes5.2.x86_64.rpm ba2d5446973c7aecbe93ac7455cb7a7b mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm a16b1e15a2164eadf4d052f7f29080fd mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm 71e785c5e2bda4cfc189ae8adff9cd54 mes5/x86_64/openssl-0.9.8h-3.14mdvmes5.2.x86_64.rpm 65c9f262dd6b4d66069649ea1e596b4b mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPcG6AmqjQ0CJFipgRAgdKAKCe5y81j9lidhC+Mjg3Q1XMcAyosQCfe2zE JfKo2hU2JCc2U3RLbBgqRek= =vipz -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/