-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:168 http://www.mandriva.com/security/ _______________________________________________________________________ Package : openssl Date : September 1, 2010 Affected: 2010.1 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in openssl: Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue (CVE-2010-2939). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 36eb6715b26fc1ef1a284bdf90211882 2010.1/i586/libopenssl1.0.0-1.0.0a-1.1mdv2010.1.i586.rpm 4322d958620b87ebbf8f947b3bc749c1 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.1mdv2010.1.i586.rpm e5b658592f1f94e03eead2c8534ac3e7 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.1mdv2010.1.i586.rpm 24286badaaca314447536442afae3d05 2010.1/i586/openssl-1.0.0a-1.1mdv2010.1.i586.rpm 11fc053a02685ab2e19fb8b8489f6e87 2010.1/i586/openssl-engines-1.0.0a-1.1mdv2010.1.i586.rpm 8c0cd1eb876611815d64e706c64a332d 2010.1/SRPMS/openssl-1.0.0a-1.1mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: b66215a9d6faeaa2ca60facb5c77b8cc 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.1mdv2010.1.x86_64.rpm fc3b2a6160eda7cdb55b28d4262ad82e 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.1mdv2010.1.x86_64.rpm c36f145bcf88e39cb4a94cc8deec761e 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.1mdv2010.1.x86_64.rpm 6fa62d5b023205f4d7d5ae3b8744c346 2010.1/x86_64/openssl-1.0.0a-1.1mdv2010.1.x86_64.rpm 899e2b1cc0b8e8dc5cab2ae96c5f29f2 2010.1/x86_64/openssl-engines-1.0.0a-1.1mdv2010.1.x86_64.rpm 8c0cd1eb876611815d64e706c64a332d 2010.1/SRPMS/openssl-1.0.0a-1.1mdv2010.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMflSemqjQ0CJFipgRAgGiAKC5wxDgOnCHOZozhJtEKNomOIS9MQCbBP+n 97XVDZwWZmDjms2vzVvaeUI= =69w7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/