Monday, August 30, 2010

[SECURITY] [DSA 2100-1] New openssl packages fix double free

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2100-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
August 30, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openssl
Vulnerability : double free
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2010-2939

George Guninski discovered a double free in the ECDH code of the OpenSSL
crypto library, which may lead to denial of service and potentially the
execution of arbitrary code.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny8.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.8o-2.

We recommend that you upgrade your openssl packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8.dsc
Size/MD5 checksum: 1973 b3bc5cc9d4396dd53408d1523e5d9922
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8.diff.gz
Size/MD5 checksum: 60148 e011a196c7a96bdcfba8e8d1c7842d7a

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_alpha.deb
Size/MD5 checksum: 1028966 c533c4f1ed722bfc684fb2aa7ae0bbaf
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_alpha.deb
Size/MD5 checksum: 2583198 ee814656292202df8e66508a78e76757
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_alpha.udeb
Size/MD5 checksum: 722118 7bfdc9cff603e3c71014987e99a33637
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_alpha.deb
Size/MD5 checksum: 2814048 c5309df7a3eff59618da50ea20e0bb1f
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_alpha.deb
Size/MD5 checksum: 4369476 8e583136a6e221ba239a305447cd55fd

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_amd64.deb
Size/MD5 checksum: 975790 04b625095430068834e3621b47749d60
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_amd64.deb
Size/MD5 checksum: 2243092 0b4a82a5a95df9d092498065e2c69d88
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_amd64.deb
Size/MD5 checksum: 1627634 e86e98d321e13f6941a5b14568cecbae
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_amd64.udeb
Size/MD5 checksum: 638416 d578d3861d7402f70d340cb138e969c8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_amd64.deb
Size/MD5 checksum: 1043270 7ccee021eceb10b6bcd55222f0f9c00f

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_arm.deb
Size/MD5 checksum: 1028840 a473c6b7dfc800b0ad4f3a2320ed34e5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_arm.deb
Size/MD5 checksum: 1490650 9032ae14c182e5adbe934b083588a785
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_arm.deb
Size/MD5 checksum: 2087038 b17611d1c503a30363357014a4523414
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_arm.udeb
Size/MD5 checksum: 536038 e44733e9826dc24561732f7885df50f3
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_arm.deb
Size/MD5 checksum: 844412 1a23967e4c4c3ad3f97c21a47e8d3bac

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_armel.deb
Size/MD5 checksum: 1031134 cfce1ef9bc3a6768ed052b23d9781cdf
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_armel.deb
Size/MD5 checksum: 849994 340a78374851cbd1aca2ea8344ba54ba
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_armel.deb
Size/MD5 checksum: 2096496 34ad0dffc16f3ff0deac8fb6e8b2cd2e
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_armel.udeb
Size/MD5 checksum: 540784 51b9cd8fee37fbd55c512db13e556b2c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_armel.deb
Size/MD5 checksum: 1506252 7d52d569cd8be4e1ce2f60cf05519ed8

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_hppa.deb
Size/MD5 checksum: 2268554 4339767f35a5fdfe0e20c11eea6f3b82
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_hppa.deb
Size/MD5 checksum: 1046972 66ba3aa9fb82893461f7dfd38c2fb586
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_hppa.deb
Size/MD5 checksum: 969042 5851386ee3b68d609533896a64701aea
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_hppa.deb
Size/MD5 checksum: 1528486 f867ab97ab589b0356b7e5085c337442
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_hppa.udeb
Size/MD5 checksum: 634500 02ad6d507ccc026810116b0e2a9d1b0c

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_i386.deb
Size/MD5 checksum: 1035808 891f554f175236fed6ba2e78836efbf0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_i386.deb
Size/MD5 checksum: 2977216 e7002003f49898963b51fc60d986660b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_i386.deb
Size/MD5 checksum: 5393090 596c50c449a97cd8652e7116df06cb82
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_i386.udeb
Size/MD5 checksum: 591774 4eadb7676b04e66b2ce5a94c0fbabeaf
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_i386.deb
Size/MD5 checksum: 2108390 88d1201dbb7f7e2806f36c9c8b945c60

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_ia64.deb
Size/MD5 checksum: 2666450 490fc734a403d18fdcff30f3d4430eb7
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_ia64.deb
Size/MD5 checksum: 1465484 d44c2feba9e5e946a1f05975c010eff5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_ia64.udeb
Size/MD5 checksum: 865354 db7a81175a7687d21a7bc78651758fdc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_ia64.deb
Size/MD5 checksum: 1105058 d757a92ae7a9992aed13984efce04c27
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_ia64.deb
Size/MD5 checksum: 1280580 9302c8ec90b228b8e5c309077345a4f6

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_mips.deb
Size/MD5 checksum: 899398 f1afc1bd010c170d4c3cc1536dc18f99
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_mips.deb
Size/MD5 checksum: 2304822 7119c17aad6cedb6fe917b006cbd23aa
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_mips.udeb
Size/MD5 checksum: 585112 315040d22ee0183a8743d4f83d475e55
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_mips.deb
Size/MD5 checksum: 1624120 028858a3ea8b187e62cfbef6472d0a3d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_mips.deb
Size/MD5 checksum: 1024826 e05816850ac1042054512581efad8186

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_mipsel.deb
Size/MD5 checksum: 1588188 2d22ed0b4f0ba51a99124d02fc4f938f
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_mipsel.udeb
Size/MD5 checksum: 572372 ae996b71ca701f620f47f3f9b3adb4e5
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_mipsel.deb
Size/MD5 checksum: 2294950 4ead973a8ae6b219789383a098129f6e
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_mipsel.deb
Size/MD5 checksum: 885576 d71d3da4eabce725eb9db564ed51f94f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_mipsel.deb
Size/MD5 checksum: 1012124 9852687e5a2129c070e19c174c04a57f

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_powerpc.deb
Size/MD5 checksum: 1000536 302fdfa358fa81643764272c3bfb6bd6
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_powerpc.deb
Size/MD5 checksum: 2244344 442368fa4ab11ea17fa752f66bbce767
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_powerpc.deb
Size/MD5 checksum: 1644026 fb2bb5e6d08598405cf0cbbf47aa2a08
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_powerpc.deb
Size/MD5 checksum: 1035350 41f30f1ea50b63ba43c7bdfabef0e5ca
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_powerpc.udeb
Size/MD5 checksum: 656162 a8d196b8c6ddec04bba99cf105a82f89

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_s390.deb
Size/MD5 checksum: 1602434 556df4caf296dcabe80911f991165f9d
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_s390.deb
Size/MD5 checksum: 1024524 ec70f8625e30bbdfa7da0eba25d2d1c6
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_s390.deb
Size/MD5 checksum: 2231778 293db646ff3508532b143725d18e3edb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_s390.udeb
Size/MD5 checksum: 693038 578371a2bdde98c7f1fcef9371eeaca5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_s390.deb
Size/MD5 checksum: 1051104 d0242ea2b04ad52eb795bd7a6569298d

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny8_sparc.deb
Size/MD5 checksum: 3867898 081e1addfcfcea3c32fddef4570806a6
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny8_sparc.deb
Size/MD5 checksum: 1044670 bfc18d2fd2a61d2c093f0a1e2395df5c
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny8_sparc.deb
Size/MD5 checksum: 2148206 88e85ad27c456f5b68553e58de8a2d2b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny8_sparc.deb
Size/MD5 checksum: 2292216 b98676306a58912992cef47a76615171
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny8_sparc.udeb
Size/MD5 checksum: 580504 6a12e4b8e9ea08da70d48c65e59b6828


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkx7++sACgkQXm3vHE4uylqvcACfRl8NYBBm3ZjNwsPcuKxBEoDn
t6kAnRce7cUminmZ1L5xjEUJ6C62Wo7j
=bFRp
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100830184455.GA3125@galadriel.inutil.org

No comments:

Post a Comment