Debians sikkerhedsbulletin

DSA-1379-1 openssl -- forskudt med én-fejl/bufferoverløb

Rapporteret den:

2. okt 2007

Berørte pakker:

openssl

Sårbar:

Referencer i sikkerhedsdatabaser:

I Debians fejlsporingssystem: Fejl 444435.
I Mitres CVE-ordbog: CVE-2007-5135.

Yderligere oplysninger:

En forskudt med én-fejl er fundet i rutinen SSL_get_shared_ciphers() i libssl-biblioteket fra OpenSSL, en implementation af de kryptografiske biblioteker og værktøjer Secure Socket Layer. Fejlen kunne gøre det muligt for en angriber at få et program til at gå ned, hvis dette anvender OpenSSLs libssl-bibliotek, eller potentielt udføre vilkårlig kode i under en brugers sikkerhedskontekst, hvis denne kørte sådan et program.

I den gamle stabile distribution (sarge), er dette problem rettet i version 0.9.7e-3sarge5.

I den stabile distribution (etch), er dette problem rettet i version 0.9.8c-4etch1.

I den distributionerne unstable og testing (hhv. sid og lenny), er dette problem rettet i version 0.9.8e-9.

Vi anbefaler at du opgraderer dine openssl-pakker.

Rettet i:

Debian GNU/Linux 3.1 (oldstable)

Kildekode:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.diff.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.dsc
Alpha:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_alpha.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_amd64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_arm.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_hppa.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_i386.udeb
Intel IA-64:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_ia64.udeb
Motorola 680x0:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_m68k.udeb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mips.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mipsel.udeb
PowerPC:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_powerpc.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_s390.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_sparc.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_sparc.deb

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.dsc; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.diff.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_alpha.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_arm.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_hppa.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_i386.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_ia64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mips.udeb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mipsel.udeb
PowerPC:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_powerpc.udeb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_s390.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_sparc.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.