-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:028 http://www.mandriva.com/security/ _______________________________________________________________________ Package : openssl Date : February 15, 2011 Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in openssl: Incorrectly formatted ClientHello handshake message could cause OpenSSL to parse past the end of the message. This allows an attacker to crash an application using OpenSSL by triggering an invalid memory access. Additionally, some applications may be vulnerable to expose contents of a parsed OCSP nonce extension (CVE-2011-0014). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014 http://www.openssl.org/news/secadv_20110208.txt _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 38f625b6d5fbbe74a8c228aa2261e2dd 2009.0/i586/libopenssl0.9.8-0.9.8h-3.10mdv2009.0.i586.rpm fc61b0714b019365cc6f927b37fc3d10 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.10mdv2009.0.i586.rpm 544527692f55e0a1dd59dc6370ab020b 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.10mdv2009.0.i586.rpm 41849ac9f12a2e2cff0e3944fa6e984e 2009.0/i586/openssl-0.9.8h-3.10mdv2009.0.i586.rpm 4f1f59751b6c48966dd85c761c822762 2009.0/SRPMS/openssl-0.9.8h-3.10mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 83790a38803c0b6622ba71a538653469 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.10mdv2009.0.x86_64.rpm a7e8ca42a278289153a426ff6e63f2d4 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.10mdv2009.0.x86_64.rpm a31de505d5ef07d262fcef09f7846b2c 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.10mdv2009.0.x86_64.rpm a2c3c6535501e1d1d1af0a819b38ec20 2009.0/x86_64/openssl-0.9.8h-3.10mdv2009.0.x86_64.rpm 4f1f59751b6c48966dd85c761c822762 2009.0/SRPMS/openssl-0.9.8h-3.10mdv2009.0.src.rpm Mandriva Linux 2010.0: abdfb70b4da472be8e39ebb4c469931c 2010.0/i586/libopenssl0.9.8-0.9.8k-5.5mdv2010.0.i586.rpm 8d36690ea49e17af8473f5005b4c2016 2010.0/i586/libopenssl0.9.8-devel-0.9.8k-5.5mdv2010.0.i586.rpm 0a34f7cfdbf7ef06a469713ab51d4c4b 2010.0/i586/libopenssl0.9.8-static-devel-0.9.8k-5.5mdv2010.0.i586.rpm 572cf6c010a3eab274382ab47611a83f 2010.0/i586/openssl-0.9.8k-5.5mdv2010.0.i586.rpm 70d71de478326bc6db05ca545526e0d0 2010.0/SRPMS/openssl-0.9.8k-5.5mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 1dca8566715761fca736dd8c99bee27f 2010.0/x86_64/lib64openssl0.9.8-0.9.8k-5.5mdv2010.0.x86_64.rpm 3832de97378a5d8f770bba220bec3d03 2010.0/x86_64/lib64openssl0.9.8-devel-0.9.8k-5.5mdv2010.0.x86_64.rpm e50266dff1a542a2a2309d805f694b84 2010.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8k-5.5mdv2010.0.x86_64.rpm 52bc3bbedec0b2a71498803cd3018b8a 2010.0/x86_64/openssl-0.9.8k-5.5mdv2010.0.x86_64.rpm 70d71de478326bc6db05ca545526e0d0 2010.0/SRPMS/openssl-0.9.8k-5.5mdv2010.0.src.rpm Mandriva Linux 2010.1: 3126c0a905b6ae07b8c163caeefecd25 2010.1/i586/libopenssl1.0.0-1.0.0a-1.7mdv2010.2.i586.rpm 748782b5675681018f3f964da652f5da 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.7mdv2010.2.i586.rpm 73b260f3546ac32de35983b51540af7d 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.7mdv2010.2.i586.rpm 38db90137c3f027973f24d65271a2034 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.7mdv2010.2.i586.rpm 3acf9314ae1419ede25c3897ddbad817 2010.1/i586/openssl-1.0.0a-1.7mdv2010.2.i586.rpm 14a8046b861371a26ea8e9e2ea9766de 2010.1/SRPMS/openssl-1.0.0a-1.7mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: d03e0887fd3deee9d7da9825947a77c7 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.7mdv2010.2.x86_64.rpm 78040f53c574a206638ec1178c07deb7 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.7mdv2010.2.x86_64.rpm 04128b65a742b8e4aee51f927caebd53 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.7mdv2010.2.x86_64.rpm 3a9f13a9b7bc7c3dd49ba3f16d7c8cec 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.7mdv2010.2.x86_64.rpm 529279fa75b63feb3ff983eda628a416 2010.1/x86_64/openssl-1.0.0a-1.7mdv2010.2.x86_64.rpm 14a8046b861371a26ea8e9e2ea9766de 2010.1/SRPMS/openssl-1.0.0a-1.7mdv2010.2.src.rpm Mandriva Enterprise Server 5: 679657e8095b9f35b76cb37b68dec4a3 mes5/i586/libopenssl0.9.8-0.9.8h-3.10mdvmes5.1.i586.rpm 1b6c52db36f80ce13f0afe0f7ba8764b mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.10mdvmes5.1.i586.rpm e7524e8012965ba844b10b3bd959e83b mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.10mdvmes5.1.i586.rpm 02d59168920e768c675980ebf75d6e5b mes5/i586/openssl-0.9.8h-3.10mdvmes5.1.i586.rpm 74fea583176d9359d81582fac7231115 mes5/SRPMS/openssl-0.9.8h-3.10mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: feb6b9d69fb30d1ffeee75aa29adfbcf mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.10mdvmes5.1.x86_64.rpm 906bc832bdc3eab2be0607c652bc9e27 mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.10mdvmes5.1.x86_64.rpm 13b2d02811444360c297f0285aa730f5 mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.10mdvmes5.1.x86_64.rpm a625419f50968b2d061efd1d3bd5ca0c mes5/x86_64/openssl-0.9.8h-3.10mdvmes5.1.x86_64.rpm 74fea583176d9359d81582fac7231115 mes5/SRPMS/openssl-0.9.8h-3.10mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNWkFRmqjQ0CJFipgRAjjZAJ9kufr217x2SWKK2qesg6dU8BhlmwCfan5+ ceA1GpGvgGf42DP3C9B9lrA= =J3/x -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/