Debian: New openssl packages fix arbitrary code execution

    Date02 Oct 2006
    CategoryDebian
    3749
    Posted ByLinuxSecurity Advisories
    The fix used to correct CVE-2006-2940 introduced code that could lead to the use of uninitialized memory. Such use is likely to cause the application using the openssl library to crash, and has the potential to allow an attacker to cause the execution of arbitrary code.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1185-2                    This email address is being protected from spambots. You need JavaScript enabled to view it.
    	
    http://www.debian.org/security/                             Noah Meyerhans
    October 2nd, 2006                       http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : openssl
    Vulnerability  : denial of service
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CVE-2006-2940
    
    The fix used to correct CVE-2006-2940 introduced code that could lead to
    the use of uninitialized memory.  Such use is likely to cause the
    application using the openssl library to crash, and has the potential to
    allow an attacker to cause the execution of arbitrary code.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.9.7e-3sarge4.
    
    For the unstable and testing distributions (sid and etch,
    respectively), these problems will be fixed in version 0.9.7k-3 of the
    openssl097 compatibility libraries, and version 0.9.8c-3 of the
    openssl package.
    
    We recommend that you upgrade your openssl package.  Note that
    services linking against the openssl shared libraries will need to be
    restarted. Common examples of such services include most Mail
    Transport Agents, SSH servers, and web servers.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
      Source archives:
    
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc
          Size/MD5 checksum:      639 179f34093d860afff66964b5f1c99ee3
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz
          Size/MD5 checksum:    29707 0b4d462730327aba5a751bd4bec71c10
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
          Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474
    
      Alpha architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb
          Size/MD5 checksum:  3341886 f0d0ef51fac89227b0d0705116439f5c
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb
          Size/MD5 checksum:  2448092 8065c52c7649f36221f8a48adfb4cb29
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb
          Size/MD5 checksum:   930234 5953c4c4a45352d41c3c414eda63ff00
    
      AMD64 architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb
          Size/MD5 checksum:  2693980 cbd25bbed17ec73561337bfc3d8ed2ed
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb
          Size/MD5 checksum:   769904 2671cdf2f48013617ea509daac2bb4dc
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb
          Size/MD5 checksum:   903782 e370684d7c84d1eebcb69cdda35c6c6c
    
      ARM architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb
          Size/MD5 checksum:  2556330 75c1a253ddad0b7ad87053552770e5c4
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb
          Size/MD5 checksum:   690202 ccd435ca2c183940152f3bd70d84ee0b
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb
          Size/MD5 checksum:   894144 2e5caaa90184d9ee9e607d18728e6f93
    
      HP Precision architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb
          Size/MD5 checksum:  2695990 58fe1a247ef47faa559eef610b437db6
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb
          Size/MD5 checksum:   791382 f0c64d06307af937218944d6d8db6e2f
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb
          Size/MD5 checksum:   914576 631c681a3c4ce355962a7c684767a155
    
      Intel IA-32 architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb
          Size/MD5 checksum:  2554956 c4c9aa14e74dbd6dac2cadd7cf48b522
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb
          Size/MD5 checksum:  2265180 9047b6c6036c048ad75fa397f220ae39
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb
          Size/MD5 checksum:   906268 070d1d1680f90da5509121c44de7a254
    
      Intel IA-64 architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_ia64.deb
          Size/MD5 checksum:  3396206 3a3d88238a48d33b39e7575a97c6cfdf
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_ia64.deb
          Size/MD5 checksum:  1038432 e2e4e1d388c5d45c8d30e16d661ad24c
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_ia64.deb
          Size/MD5 checksum:   975152 1783b49f3b7a12bd18dff0fcc37f5d68
    
      Motorola 680x0 architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_m68k.deb
          Size/MD5 checksum:  2317348 b4930b1cf5e642bf509d44dd83de193f
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_m68k.deb
          Size/MD5 checksum:   661716 d5fb4eb5947c8765e268696e94a46a8b
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_m68k.deb
          Size/MD5 checksum:   889932 e1ecef3780edd38743246dfda1424e8c
    
      Big endian MIPS architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mips.deb
          Size/MD5 checksum:  2779464 591dbe4f6d73d56c9e9ff72f2d0a5385
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mips.deb
          Size/MD5 checksum:   706682 0b3de7eef13969d065ed057fda34afc2
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mips.deb
          Size/MD5 checksum:   896834 e2b8f38056a06f63c3ce6c10d9d95dba
    
      Little endian MIPS architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mipsel.deb
          Size/MD5 checksum:  2767364 883d0167f6642e90e8a183b4f87a78ba
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mipsel.deb
          Size/MD5 checksum:   694532 f4961231ef2c2b8ff46f173338a7fa36
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mipsel.deb
          Size/MD5 checksum:   895922 2ad35f3927ba71d8054fe8cd4316f5b0
    
      PowerPC architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_powerpc.deb
          Size/MD5 checksum:  2775608 0dca0ec9cf2d230ce68394849be748b1
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_powerpc.deb
          Size/MD5 checksum:   779456 6736cdc1dfe5f19013f4dee0a2b3b1cf
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_powerpc.deb
          Size/MD5 checksum:   908418 8759696eff63836597e4247c06ba7b22
    
      IBM S/390 architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_s390.deb
          Size/MD5 checksum:  2717788 12fb63ace68a2698c19c725530ab18d9
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_s390.deb
          Size/MD5 checksum:   814012 adcee88124369de1daeae0545e0517a0
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_s390.deb
          Size/MD5 checksum:   918524 b93704f4ce84489d4ee163098a783962
    
      Sun Sparc architecture:
    
        http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_sparc.deb
          Size/MD5 checksum:  2630606 a20a47b2f291810a09fd04a4c130ddb0
        http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_sparc.deb
          Size/MD5 checksum:  1886152 8521da994bf2a6df3bdc457fb3e0683b
        http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_sparc.deb
          Size/MD5 checksum:   924556 ff8cee5f5a9653a9dd917b4ec51166ee
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"37","type":"x","order":"1","pct":51.39,"resources":[]},{"id":"88","title":"Should be more technical","votes":"10","type":"x","order":"2","pct":13.89,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"25","type":"x","order":"3","pct":34.72,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.