Articles / Debian: New openssl package…

Debian: New openssl packages fix denial of service

Multiple vulnerabilities have been discovered in the OpenSSL cryptographic software package that could allow an attacker to launch a denial of service attack by exhausting system resources or crashing processes on a victim's computer. During the parsing of certain invalid ASN1 structures an error condition is mishandled. This can result in an infinite loop which consumes system memory. Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in SSL_get_shared_ciphers utility function, used by some applications such as exim and mysql. An attacker could send a list of ciphers that would overrun a buffer. Tavis Ormandy and Will Drewry of the Google Security Team discovered a possible DoS in the sslv2 client code. Where a client application uses OpenSSL to make a SSLv2 connection to a malicious server that server could cause the client to crash. Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack. Fixed packages are available from security.debian.org.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1185-1                    security@debian.org
http://www.debian.org/security/                             Noah Meyerhans
September 28th, 2006                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2940 CVE-2006-3738 CVE-2006-4343 CVE-2006-2937

Multiple vulnerabilities have been discovered in the OpenSSL
cryptographic software package that could allow an attacker to launch
a denial of service attack by exhausting system resources or crashing
processes on a victim's computer.

CVE-2006-2937
	Dr S N Henson of the OpenSSL core team and Open Network
	Security recently developed an ASN1 test suite for NISCC
	(www.niscc.gov.uk). When the test suite was run against
	OpenSSL two denial of service vulnerabilities were discovered.

	During the parsing of certain invalid ASN1 structures an error
	condition is mishandled. This can result in an infinite loop
	which consumes system memory.

	Any code which uses OpenSSL to parse ASN1 data from untrusted
	sources is affected. This includes SSL servers which enable
	client authentication and S/MIME applications.

CVE-2006-3738
	Tavis Ormandy and Will Drewry of the Google Security Team
	discovered a buffer overflow in SSL_get_shared_ciphers utility
	function, used by some applications such as exim and mysql.  An
	attacker could send a list of ciphers that would overrun a
	buffer.

CVE-2006-4343
	Tavis Ormandy and Will Drewry of the Google Security Team
	discovered a possible DoS in the sslv2 client code.  Where a
	client application uses OpenSSL to make a SSLv2 connection to
	a malicious server that server could cause the client to
	crash.

CVE-2006-2940
	Dr S N Henson of the OpenSSL core team and Open Network
	Security recently developed an ASN1 test suite for NISCC
	(www.niscc.gov.uk). When the test suite was run against
	OpenSSL a DoS was discovered.

	Certain types of public key can take disproportionate amounts
	of time to process. This could be used by an attacker in a
	denial of service attack.

For the stable distribution (sarge) these problems have been fixed in
version 0.9.7e-3sarge3.

For the unstable and testing distributions (sid and etch,
respectively), these problems will be fixed in version 0.9.7k-2 of the
openssl097 compatibility libraries, and version 0.9.8c-2 of the
openssl package.

We recommend that you upgrade your openssl package.  Note that
services linking against the openssl shared libraries will need to be
restarted. Common examples of such services include most Mail
Transport Agents, SSH servers, and web servers.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc
      Size/MD5 checksum:      639 fbf460591348b14103a3819d23164aee
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.diff.gz
      Size/MD5 checksum:    29882 25e5c57ee6c86d1e4cc335937040f251
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
      Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:  3341810 73ef8e1cafbfd142a903bd93535a2428
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:  2448006 b42d228cd1cb48024b25f5bd7c6724b8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_alpha.deb
      Size/MD5 checksum:   930188 b0b9a46a47a1992ed455f993b6007450

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:  2693668 7a6d9f9ad43192bcfe9ed22bd4c227cb
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:   703308 239e07d0029b78d339da49ea8dacb554
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_amd64.deb
      Size/MD5 checksum:   903744 de3413bf58707040d19a606311548ec7

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:  2556374 4f3d5a82ab27e46f6174616dd2f0818c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:   690118 80812ffefacc7d9800ce5286909aa815
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_arm.deb
      Size/MD5 checksum:   894114 053579483c0d83c11a4b15ade5e09d3b

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:  2695876 bee86edc3db3ac76a32efb84b1a1cfab
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:   791316 5dfd66672700232356a26258a76bcffa
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_hppa.deb
      Size/MD5 checksum:   914574 bc996d3cd86b18090ee4c2f3f31dbdbc

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:  2553694 ceea98c69ca44649ee2c98cff0364e4b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:  2264996 111668559caa8ea95ad3100af67e163e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_i386.deb
      Size/MD5 checksum:   902750 39b743a6a47517245c3fba9289c86ddf

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:  3396192 54868b4f5c27f5dc0a65b82594aa8bb0
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:  1038386 7fcec764f3b3d3ee53588791f7588ad9
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_ia64.deb
      Size/MD5 checksum:   975118 18239f1932f399df0396e81a1e57e5e3

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:  2317346 cf221d4a25c8913c1183078f1974b46b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:   661672 1a1e72d032cbd37400a65ef7ddf9af6d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_m68k.deb
      Size/MD5 checksum:   889874 6eaaf9b7b9651b37437b78d7a95a562a

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:  2779474 383cc3f4bd2c75515e415c48fc6c66eb
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:   706660 aaa773471c553fd971b3158e35ceb675
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mips.deb
      Size/MD5 checksum:   896780 21c648b8e817ce098d9d85f311163e34

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:  2767338 bc2e40477ad28b1eedb69e6542b1ab08
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:   694486 8c31bcea415ae3d725844e45a733d7fe
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mipsel.deb
      Size/MD5 checksum:   895860 8af869dc9a903f8a226d33cdcffc7eab

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:  2775400 91f923d2f4f3938ef8a786b291865f0a
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:   779452 3b094894ca6d75b7c86684c7cd62f5bf
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_powerpc.deb
      Size/MD5 checksum:   908316 b93dffc572d91d9e4154b73c57b41e88

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:  2717840 a96fb19009ddc10b1901f34e232109ae
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:   813968 1cf6dbddb023dfe8c55d30d19bc0ff57
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_s390.deb
      Size/MD5 checksum:   918504 73d2f71ec2c8ebd4cc3f481096202664

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:  2630560 059abd03c994e3d6851f38f6f7dd5446
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:  1886038 4900a7af6cbef9e37c902a3c14ac33ac
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_sparc.deb
      Size/MD5 checksum:   924472 27f194ff2250fc91d0375c02d6686272


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFHAXWXm3vHE4uyloRAmD7AJwLeogeu4DFdgEIeZzGqXEBRgAxQACghF1a
hJUT6eN7UmS2FtFj6HinBt8=
=gOnv
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.