Search This Blog

Monday, November 22, 2010

[SECURITY] [DSA-2125-1] New openssl packages fix buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2125-1 security@debian.org
http://www.debian.org/security/ Stefan Fritsch
November 22, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openssl
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
Debian Bug : 603709
CVE Id(s) : CVE-2010-3864

A flaw has been found in the OpenSSL TLS server extension code parsing
which on affected servers can be exploited in a buffer overrun attack.
This allows an attacker to cause an appliation crash or potentially to
execute arbitrary code.

However, not all OpenSSL based SSL/TLS servers are vulnerable: A server
is vulnerable if it is multi-threaded and uses OpenSSL's internal caching
mechanism. In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround) are NOT
affected.

This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.

A note to users of the tor packages from the Debian backports or Debian
volatile: This openssl update causes problems with some versions of tor.
You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
is not affected by these problems.

For the stable distribution (lenny), the problem has been fixed in
openssl version 0.9.8g-15+lenny9.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.9.8o-3.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
Size/MD5 checksum: 1973 1efb69f23999507bf2e74f5b848744af
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
Size/MD5 checksum: 60451 9aba44ed40b0c9c8ec82bd6cd33c44b8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2583248 3b3f0cbec4ec28eb310466237648db8f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 1028998 79fe8cdd601aecd9f956033a04fb8da5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
Size/MD5 checksum: 722114 a388304bf86381229c306e79a5e85bf8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
Size/MD5 checksum: 4369318 c3cf8c7ec27f86563c34f45e986e17c4

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 975850 778916e8b0df8e216121cd5185d7ca43
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
Size/MD5 checksum: 638414 9ea111d66ac5f394d35fb69defa5dd27
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1627632 9f08e1da5cf9279cee4700e89dc6ee6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
Size/MD5 checksum: 1043320 9ada82a7417c0d714a38c3a7184c2401

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb
Size/MD5 checksum: 536038 a9c90bb3ad326fa43c1285c1768df046
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 2087048 bded4e624fcf0791ae0885aa18d99123
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1028894 20784774078f02ef7e9db2ddbd7d5548
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 1490666 700c80efddb108b3e2a65373cc10dcc8
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb
Size/MD5 checksum: 844426 4cad5651a6d37ab19fb80b05a423598d

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1029206 6c6c35731ecacfc0280520097ee183d4
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb
Size/MD5 checksum: 540780 3b9ab48015bbd4dfc1ab205b42f1113d
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 2100958 fbf2c222a504e09e30f73cb0740a73a5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 1504318 8eaa760844c1b81d0f8bd21bdc7ca1d0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb
Size/MD5 checksum: 850286 3e656a0805eb31600f8e3e520a2a6e36

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 2268562 8cb4805915dfde8326fde4281c9aaa76
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 969104 805c95116706c82051a5d08efce729e5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1047026 2e06d411c0a8764db3504638d3b59ef9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb
Size/MD5 checksum: 1528456 de6a4129635ee4565696198ce3423674
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb
Size/MD5 checksum: 634504 bab8594389626190b71ee97bfb46fa71

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2108452 d75ba6c13fc77dd3eefddde480a05231
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 5393290 14bf0f44b8c802e47834234be834d80b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 2977384 bf4c26767b006694843d036ebdca132a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb
Size/MD5 checksum: 591782 bf5007e22e4bd31445458a5379086103
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb
Size/MD5 checksum: 1035868 64085f2b106009533bda0309f08548af

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 2666530 42cdae406ce22e3e538f0d744f043a39
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1465582 33c84255a9515a9a528cbf3df9398ef5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb
Size/MD5 checksum: 865352 9cbc10e393eb3d30d34ea384c6f1f9f5
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1105090 cc7485d310d4770c2b1e93c6d74dcc2b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb
Size/MD5 checksum: 1280654 fde186a4983ac6cafcd3d5ec7e1d6f98

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1025868 8b7f565c4c0a15b15f20f2e074bb503a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 900162 391ac436c8d7ed7b55a8ea9e90c7d8be
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 2307960 227ac5c7b409d061222b94bc40e8cd18
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb
Size/MD5 checksum: 1622826 8a4f73d6cd497076490404a2dade26ba
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb
Size/MD5 checksum: 585108 d8447df55a530959b6cd9d5d3039c0da

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1012186 4a154b5c4d864f7dcd0bf019dfb41c5d
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 1588308 1222eb6b1870602335ef0722b7047b6a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb
Size/MD5 checksum: 572370 a2535f616be099e9361a55637c3375d3
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 2295070 7446121759684083870d5ae0d26969c0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb
Size/MD5 checksum: 885668 3745e7c578002628f78f02bd5afeb84f

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1643808 43814c865d098046bc1dca1920820354
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 1047060 5c45e5a5d02f856cb9dc29029d0b5557
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb
Size/MD5 checksum: 656166 309fdeebe15bbecbe8c55dbd5ddbdd3a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 997540 f4bf73493f3964b8a23bdd424694f079
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb
Size/MD5 checksum: 2251238 35f6f59b07e57eb538da19545a733d5f

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb
Size/MD5 checksum: 693040 26cab41169c6b8f64ce7936a2ea65a7b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1051130 f67b4fd152e1175f81022ffd345d6c78
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 2231782 c7796fff8c97bbf0c5ab69440cbd50f9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1602496 a9595ac98fc11015dd4bb2634416197b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb
Size/MD5 checksum: 1024562 ff293933ef4eb5e952659fe7caf82c8b

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2290536 e5c655fbcc524fe7bb56945cc8b2f5d1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 3868850 b9cbaa2cbb2cfa4aa1dce984148dba4b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 2146488 d0c17736c2b26a97491e34321ffff3f5
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb
Size/MD5 checksum: 580510 28ab74855c8a34bb002b44fd7ecb8997
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb
Size/MD5 checksum: 1043044 d78ffaf44d1177b05fa0cfb02d76128a


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFM6s9pbxelr8HyTqQRAiJhAJ0Y0CILcBegVemwxzdg+Hhf9vdZfwCdFjaL
oaCxRqRAbcvYcQGmQ289dj0=
=Ckey
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/E1PKcoy-0007uN-7h@chopin.debian.org

No comments: