Säkerhetsbulletin från Debian

DSA-465-1 openssl -- flera sårbarheter

Rapporterat den:

2004-03-17

Berörda paket:

Sårbara:

Referenser i säkerhetsdatabaser:

I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 9899.
I Mitres CVE-förteckning: CVE-2004-0079, CVE-2004-0081.
CERTs information om sårbarheter, bulletiner och incidenter: VU#288574, VU#465542.

Ytterligare information:

Två sårbarheter upptäcktes i openssl, en implementation av SSL-protokollet, med hjälp av TLS-testverktyget Codenomicon. Ytterligare information finns i NISCCs sårbarhetsbulletin och OpenSSL-bulletinen: Projektet Common Vulnerabilities and Exposures identifierar följande sårbarheter:

CAN-2004-0079
Tilldelning av null-pekare i funktionen do_change_cipher_spec(). En angripare utifrån kunde utföra en specialskriven SSL-/TLS-handskakning mot en server som använde OpenSSL-biblioteket på ett sätt som fick OpenSSL att krascha. Beroende på programmet kunde detta användas som en överbelastningsattack.
CAN-2004-0081
Ett fel i äldre versioner av OpenSSL 0.9.6 som kan användas som en överbelastningsattack (oändlig slinga).

För den stabila utgåvan (Woody) har dessa problem rättats i openssl version 0.9.6c-2.woody.6, openssl094 version 0.9.4-6.woody.4 samt openssl095 version 0.9.5a-6.woody.5.

För den instabila utgåvan (Sid) kommer dessa problem att rättas inom kort.

Vi rekommenderar att ni uppgraderar ert openssl-paket.

Rättat i:

Debian GNU/Linux 3.0 (woody)

Källkod:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.dsc; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.diff.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz; http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.dsc; http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.diff.gz; http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz; http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.dsc; http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.diff.gz; http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
Arkitekturoberoende komponent:: http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.6_all.deb
Alpha:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_arm.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_i386.deb; http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.3_i386.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_mips.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.