Debian Security Advisory

DSA-1379-1 openssl -- off-by-one error/buffer overflow

Date Reported:
02 Oct 2007
Affected Packages:
openssl
Vulnerable:
Yes
Security database references:
In the Debian bug tracking system: Bug 444435.
In Mitre's CVE dictionary: CVE-2007-5135.
More information:

An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and tools. This error could allow an attacker to crash an application that uses OpenSSL's libssl library, or potentially to execute arbitrary code in the security context of the user running such an application.
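The bug class named above, as an added illustration that is not part of the original advisory and not OpenSSL's source: a simplified model of a routine that joins the shared cipher names with ':' into a caller-supplied buffer of `len` bytes, once with a room check that forgets the terminating NUL (one byte too permissive) and once with the corrected bound. The `fixed` flag, the constructed sample cipher names and the canary-padded arena used to observe the overrun are all assumptions of this example; the advisory does not quote the upstream check, so the exact form of the off-by-one shown here models the class of error, not the patched line.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSL's source: a simplified model of a
 * SSL_get_shared_ciphers()-style routine that joins cipher names with ':'
 * into a caller-supplied buffer of `len` bytes (terminator included).
 *
 * fixed == 0 models the off-by-one: the room check counts the name but not
 * the NUL that strcpy() also writes, so a name of exactly `len` bytes passes
 * the check and its terminator lands on buf[len].
 * fixed != 0 counts name + terminator, the correct bound.
 */
static char *join_cipher_names(const char *const *names, int count,
                               char *buf, int len, int fixed)
{
    char *p = buf;
    int i;

    if (buf == NULL || len < 2)
        return NULL;

    for (i = 0; i < count; i++) {
        int n = (int)strlen(names[i]);
        int needed = fixed ? n + 1 : n;    /* bytes strcpy() will write */

        if (needed > len) {
            if (p != buf)
                --p;                       /* drop the trailing ':' */
            *p = '\0';
            return buf;
        }
        strcpy(p, names[i]);               /* n + 1 bytes, NUL included */
        p += n;
        *p++ = ':';                        /* overwrite the NUL with ':' */
        len -= n + 1;
    }
    p[-1] = '\0';                          /* last ':' becomes the terminator */
    return buf;
}

/* Constructed sample input: three cipher names a server might share. */
static const char *const SAMPLE_NAMES[] = {
    "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"
};
enum { SAMPLE_COUNT = 3, ARENA = 64, CANARY = 0xA5 };

/* Join SAMPLE_NAMES into `len` bytes of a canary-padded arena and report how
 * many bytes beyond buf[len - 1] were clobbered; 0 means it stayed in bounds.
 * The padding is memory we own, so the overrun is observed, not exploited. */
int sample_overrun(int len, int fixed)
{
    unsigned char arena[ARENA];
    int i, clobbered = 0;

    memset(arena, CANARY, sizeof arena);
    join_cipher_names(SAMPLE_NAMES, SAMPLE_COUNT, (char *)arena, len, fixed);
    for (i = len; i < ARENA; i++)
        if (arena[i] != CANARY)
            clobbered++;
    return clobbered;
}

/* Join SAMPLE_NAMES into `len` bytes and return the resulting string
 * (NULL when the buffer is too small to hold anything). */
const char *sample_join(int len, int fixed)
{
    static char out[ARENA];
    memset(out, 0, sizeof out);
    return join_cipher_names(SAMPLE_NAMES, SAMPLE_COUNT, out, len, fixed);
}

int main(void)
{
    /* strlen("AES256-SHA") == 10: a 10-byte buffer is one byte too small. */
    printf("len=10 buggy : %d byte(s) past the end\n", sample_overrun(10, 0));
    printf("len=10 fixed : %d byte(s) past the end, result \"%s\"\n",
           sample_overrun(10, 1), sample_join(10, 1));
    printf("len=11 fixed : result \"%s\"\n", sample_join(11, 1));
    printf("len=64 fixed : result \"%s\"\n", sample_join(64, 1));
    return 0;
}
```

Build with `cc -Wall -o join join.c && ./join`. With a 10-byte buffer the unfixed variant writes exactly one byte past the end (the terminator, later overwritten by ':' and then NUL), which is the single-byte corruption behind the crash-or-worse outcome described above; the corrected bound returns an empty string instead, and an 11-byte buffer holds exactly one name.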

For the old stable distribution (sarge), this problem has been fixed in version 0.9.7e-3sarge5.

For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch1.

For the unstable and testing distributions (sid and lenny, respectively), this problem has been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Fixed in:

Debian GNU/Linux 3.1 (oldstable)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.dsc
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_i386.udeb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_ia64.udeb
Motorola 680x0:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_m68k.udeb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mips.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mipsel.udeb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_sparc.deb

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_alpha.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_i386.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mips.udeb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_mipsel.udeb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_powerpc.udeb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch1_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.