Debian Security Advisory
DSA-1970-1 openssl -- denial of service
- Date reported:
- 2010-01-13
- Affected packages:
- openssl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-4355.
- More information:
-
It was discovered that a significant memory leak could occur in OpenSSL, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where the mod_ssl, mod_php5 and php5-curl extensions are loaded.
The old stable distribution (Etch) is not affected by this problem.
For the stable distribution (Lenny), this problem has been fixed in version 0.9.8g-15+lenny6.
Packages for the arm architecture are not included in this advisory. They will be released as soon as they become available.
For the testing distribution (Squeeze) and the unstable distribution (Sid), this problem will be fixed soon. The problem does not appear to be exploitable with the apache2 package in Squeeze/Sid.
We recommend that you upgrade your openssl packages. You also need to restart your Apache httpd server to make sure it uses the updated libraries.
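The upgrade-and-restart recommendation above can be verified on a host; the following is an added example, not part of the Debian advisory. It assumes the Apache process is named `apache2`; the `--check` and `--demo` flags and the sample `/proc/<pid>/maps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. FIXED_VERSION is the Lenny version
# named in the text; the process name "apache2" is an assumption.
FIXED_VERSION='0.9.8g-15+lenny6'

# Constructed sample of /proc/<pid>/maps lines (addresses and inodes invented).
SAMPLE_MAPS='7f3a10000000-7f3a1004a000 r-xp 00000000 08:01 262301 /usr/lib/libssl.so.0.9.8 (deleted)
7f3a10400000-7f3a10580000 r-xp 00000000 08:01 262299 /usr/lib/libcrypto.so.0.9.8 (deleted)
7f3a1077f000-7f3a107a8000 rw-p 0017f000 08:01 262299 /usr/lib/libcrypto.so.0.9.8 (deleted)
7f3a11000000-7f3a11016000 r-xp 00000000 08:01 262410 /usr/lib/libz.so.1.2.3.3'

# Succeeds if version $1 is at or above the fixed one. dpkg's own comparison
# is used so the "+lenny6" revision suffix is ordered the way apt orders it.
is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Reads maps text on stdin and prints every libssl/libcrypto path that is
# still mapped after its file was replaced on disk (marked "(deleted)").
stale_tls_libs() {
    awk '/\(deleted\)$/ && $6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# Reports the installed libssl0.9.8 version and any apache2 process that
# has not been restarted since the upgrade.
check_host() {
    installed=$(dpkg-query -W -f='${Version}' libssl0.9.8 2>/dev/null)
    if is_fixed "$installed"; then
        echo "libssl0.9.8 $installed: fixed"
    else
        echo "libssl0.9.8 ${installed:-not installed}: upgrade needed"
    fi
    for pid in $(pidof apache2 2>/dev/null); do
        stale=$(stale_tls_libs < "/proc/$pid/maps")
        if [ -n "$stale" ]; then
            echo "apache2 pid $pid still maps old libraries, restart it:"
            echo "$stale"
        fi
    done
}

# "--check" (hypothetical flag) inspects this host; "--demo" parses the sample.
case "${1:-}" in
    --check) check_host ;;
    --demo)  printf '%s\n' "$SAMPLE_MAPS" | stale_tls_libs ;;
esac
```

Reading other users' `/proc/<pid>/maps` requires root, so run the host check with sufficient privileges.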
- Fixed in:
-
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_alpha.udeb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_amd64.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_amd64.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_amd64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_amd64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_amd64.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_armel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_armel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_armel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_armel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_armel.udeb
- HP Precision:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_hppa.udeb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_i386.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_ia64.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mips.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mips.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mipsel.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_powerpc.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_s390.udeb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_sparc.udeb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_sparc.deb
MD5 checksums for these files are available in the original advisory.