Debian Security Advisory

DSA-1888-1 openssl, openssl097 -- cryptographic weakness

Date Reported:
15 Sep 2009
Affected Packages:
openssl, openssl097
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-2409.
More information:

Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they're no longer considered cryptographically secure.

For the stable distribution (lenny), this problem has been fixed in version 0.9.8g-15+lenny5.

For the old stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch9 for openssl and version 0.9.7k-3.1etch5 for openssl097. The OpenSSL 0.9.8 update for oldstable (etch) also provides updated packages for multiple denial of service vulnerabilities in the Datagram Transport Layer Security implementation. These fixes were already provided for Debian stable (Lenny) in a previous point update. The OpenSSL 0.9.7 package from oldstable (Etch) is not affected. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387)

For the unstable distribution (sid), this problem has been fixed in version 0.9.8k-5.

We recommend that you upgrade your openssl packages.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch5.dsc
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch5.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9.diff.gz
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_alpha.udeb
AMD64:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_amd64.udeb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_i386.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_ia64.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_mips.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_powerpc.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch9_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch9_sparc.udeb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_alpha.udeb
AMD64:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_amd64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_amd64.udeb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_arm.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_armel.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_armel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_hppa.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_i386.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_ia64.udeb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_mips.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_mipsel.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_mipsel.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_s390.udeb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny5_sparc.udeb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny5_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.