Debian: DSA-2125-1: New openssl packages fix buffer overflow

    Date22 Nov 2010
    CategoryDebian
    60
    Posted ByLinuxSecurity Advisories
    A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. This allows an attacker to cause an appliation crash or potentially to execute arbitrary code.
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2125-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Stefan Fritsch
    November 22, 2010                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : openssl
    Vulnerability  : buffer overflow
    Problem type   : remote
    Debian-specific: no
    Debian Bug     : 603709
    CVE Id(s)      : CVE-2010-3864
    
    A flaw has been found in the OpenSSL TLS server extension code parsing
    which on affected servers can be exploited in a buffer overrun attack.
    This allows an attacker to cause an appliation crash or potentially to
    execute arbitrary code.
    
    However, not all OpenSSL based SSL/TLS servers are vulnerable: A server
    is vulnerable if it is multi-threaded and uses OpenSSL's internal caching
    mechanism.  In particular the Apache HTTP server (which never uses OpenSSL
    internal caching) and Stunnel (which includes its own workaround) are NOT
    affected.
    
    This upgrade fixes this issue. After the upgrade, any services using the
    openssl libraries need to be restarted. The checkrestart script from the
    debian-goodies package or lsof can help to find out which services need
    to be restarted.
    
    A note to users of the tor packages from the Debian backports or Debian
    volatile: This openssl update causes problems with some versions of tor.
    You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
    respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
    is not affected by these problems.
    
    For the stable distribution (lenny), the problem has been fixed in
    openssl version 0.9.8g-15+lenny9.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 0.9.8o-3.
    
    We recommend that you upgrade your openssl packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 5.0 alias lenny (stable)
    - -----------------------------------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
        Size/MD5 checksum:  3354792 acf70a16359bf3658bdfb74bda1c4419
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc
        Size/MD5 checksum:     1973 1efb69f23999507bf2e74f5b848744af
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz
        Size/MD5 checksum:    60451 9aba44ed40b0c9c8ec82bd6cd33c44b8
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb
        Size/MD5 checksum:  2583248 3b3f0cbec4ec28eb310466237648db8f
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb
        Size/MD5 checksum:  1028998 79fe8cdd601aecd9f956033a04fb8da5
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb
        Size/MD5 checksum:   722114 a388304bf86381229c306e79a5e85bf8
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb
        Size/MD5 checksum:  2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb
        Size/MD5 checksum:  4369318 c3cf8c7ec27f86563c34f45e986e17c4
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb
        Size/MD5 checksum:   975850 778916e8b0df8e216121cd5185d7ca43
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb
        Size/MD5 checksum:  2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb
        Size/MD5 checksum:   638414 9ea111d66ac5f394d35fb69defa5dd27
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb
        Size/MD5 checksum:  1627632 9f08e1da5cf9279cee4700e89dc6ee6d
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb
        Size/MD5 checksum:  1043320 9ada82a7417c0d714a38c3a7184c2401
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb
        Size/MD5 checksum:   536038 a9c90bb3ad326fa43c1285c1768df046
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb
        Size/MD5 checksum:  2087048 bded4e624fcf0791ae0885aa18d99123
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb
        Size/MD5 checksum:  1028894 20784774078f02ef7e9db2ddbd7d5548
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb
        Size/MD5 checksum:  1490666 700c80efddb108b3e2a65373cc10dcc8
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb
        Size/MD5 checksum:   844426 4cad5651a6d37ab19fb80b05a423598d
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb
        Size/MD5 checksum:  1029206 6c6c35731ecacfc0280520097ee183d4
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb
        Size/MD5 checksum:   540780 3b9ab48015bbd4dfc1ab205b42f1113d
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb
        Size/MD5 checksum:  2100958 fbf2c222a504e09e30f73cb0740a73a5
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb
        Size/MD5 checksum:  1504318 8eaa760844c1b81d0f8bd21bdc7ca1d0
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb
        Size/MD5 checksum:   850286 3e656a0805eb31600f8e3e520a2a6e36
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb
        Size/MD5 checksum:  2268562 8cb4805915dfde8326fde4281c9aaa76
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb
        Size/MD5 checksum:   969104 805c95116706c82051a5d08efce729e5
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb
        Size/MD5 checksum:  1047026 2e06d411c0a8764db3504638d3b59ef9
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb
        Size/MD5 checksum:  1528456 de6a4129635ee4565696198ce3423674
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb
        Size/MD5 checksum:   634504 bab8594389626190b71ee97bfb46fa71
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb
        Size/MD5 checksum:  2108452 d75ba6c13fc77dd3eefddde480a05231
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb
        Size/MD5 checksum:  5393290 14bf0f44b8c802e47834234be834d80b
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb
        Size/MD5 checksum:  2977384 bf4c26767b006694843d036ebdca132a
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb
        Size/MD5 checksum:   591782 bf5007e22e4bd31445458a5379086103
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb
        Size/MD5 checksum:  1035868 64085f2b106009533bda0309f08548af
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb
        Size/MD5 checksum:  2666530 42cdae406ce22e3e538f0d744f043a39
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb
        Size/MD5 checksum:  1465582 33c84255a9515a9a528cbf3df9398ef5
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb
        Size/MD5 checksum:   865352 9cbc10e393eb3d30d34ea384c6f1f9f5
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb
        Size/MD5 checksum:  1105090 cc7485d310d4770c2b1e93c6d74dcc2b
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb
        Size/MD5 checksum:  1280654 fde186a4983ac6cafcd3d5ec7e1d6f98
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb
        Size/MD5 checksum:  1025868 8b7f565c4c0a15b15f20f2e074bb503a
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb
        Size/MD5 checksum:   900162 391ac436c8d7ed7b55a8ea9e90c7d8be
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb
        Size/MD5 checksum:  2307960 227ac5c7b409d061222b94bc40e8cd18
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb
        Size/MD5 checksum:  1622826 8a4f73d6cd497076490404a2dade26ba
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb
        Size/MD5 checksum:   585108 d8447df55a530959b6cd9d5d3039c0da
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb
        Size/MD5 checksum:  1012186 4a154b5c4d864f7dcd0bf019dfb41c5d
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb
        Size/MD5 checksum:  1588308 1222eb6b1870602335ef0722b7047b6a
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb
        Size/MD5 checksum:   572370 a2535f616be099e9361a55637c3375d3
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb
        Size/MD5 checksum:  2295070 7446121759684083870d5ae0d26969c0
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb
        Size/MD5 checksum:   885668 3745e7c578002628f78f02bd5afeb84f
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb
        Size/MD5 checksum:  1643808 43814c865d098046bc1dca1920820354
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb
        Size/MD5 checksum:  1047060 5c45e5a5d02f856cb9dc29029d0b5557
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb
        Size/MD5 checksum:   656166 309fdeebe15bbecbe8c55dbd5ddbdd3a
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb
        Size/MD5 checksum:   997540 f4bf73493f3964b8a23bdd424694f079
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb
        Size/MD5 checksum:  2251238 35f6f59b07e57eb538da19545a733d5f
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb
        Size/MD5 checksum:   693040 26cab41169c6b8f64ce7936a2ea65a7b
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb
        Size/MD5 checksum:  1051130 f67b4fd152e1175f81022ffd345d6c78
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb
        Size/MD5 checksum:  2231782 c7796fff8c97bbf0c5ab69440cbd50f9
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb
        Size/MD5 checksum:  1602496 a9595ac98fc11015dd4bb2634416197b
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb
        Size/MD5 checksum:  1024562 ff293933ef4eb5e952659fe7caf82c8b
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb
        Size/MD5 checksum:  2290536 e5c655fbcc524fe7bb56945cc8b2f5d1
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb
        Size/MD5 checksum:  3868850 b9cbaa2cbb2cfa4aa1dce984148dba4b
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb
        Size/MD5 checksum:  2146488 d0c17736c2b26a97491e34321ffff3f5
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb
        Size/MD5 checksum:   580510 28ab74855c8a34bb002b44fd7ecb8997
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb
        Size/MD5 checksum:  1043044 d78ffaf44d1177b05fa0cfb02d76128a
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.