Debian Security Advisory

DSA-2125-1 openssl -- buffer overflow

Date Reported:
22 Nov 2010
Affected Packages:
openssl
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 603709.
In Mitre's CVE dictionary: CVE-2010-3864.
More information:

A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. This allows an attacker to cause an application crash or potentially to execute arbitrary code.

However, not all OpenSSL based SSL/TLS servers are vulnerable: a server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

This upgrade fixes this issue. After the upgrade, any services using the openssl libraries need to be restarted. The checkrestart script from the debian-goodies package or lsof can help to find out which services need to be restarted.

A note to users of the tor packages from the Debian backports or Debian volatile: this openssl update causes problems with some versions of tor. You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2, respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable is not affected by these problems.

For the stable distribution (lenny), the problem has been fixed in openssl version 0.9.8g-15+lenny9.

For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.9.8o-3.

We recommend that you upgrade your openssl packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb

MD5 checksums of the listed files are available in the original advisory.