Debian: New openssl packages fix arbitrary code execution

    Date: 10 Oct 2007
    Category: Debian
    Posted By: LinuxSecurity Advisories
    An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1379-2
    http://www.debian.org/security/                         Noah Meyerhans
    October 10, 2007
    - ------------------------------------------------------------------------
    
    Package        : openssl097, openssl096
    Vulnerability  : off-by-one error/buffer overflow
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2007-5135
    Debian Bug     : 444435
    
    An off-by-one error has been identified in the SSL_get_shared_ciphers()
    routine in OpenSSL, an implementation of Secure Socket Layer
    cryptographic libraries and utilities.  This error could allow an
    attacker to crash an application making use of OpenSSL's libssl library,
    or potentially execute arbitrary code in the security context of the
    user running such an application.
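The bug class the advisory describes, as an added illustration that is not OpenSSL's own SSL_get_shared_ciphers() source: a constructed routine that joins cipher names with ':' into a caller-supplied buffer, first with the off-by-one (the terminator can land at buf[len]) and then in a bounded form, plus a canary check that reports which version writes past the buffer. The sample cipher names, function names and buffer sizes are assumptions for this example.

```c
#include <string.h>
/* Constructed illustration of the advisory's bug class, NOT OpenSSL's actual
 * SSL_get_shared_ciphers() source: join cipher names with ':' into buf[len]. */
const char *SAMPLE_NAMES[] = { "AES128-SHA", "RC4-SHA" };   /* constructed input */
enum { SAMPLE_N = 2 };

/* Vulnerable: every write is guarded by "p - buf >= len", but when that guard
 * trips p == buf + len, so the NUL is stored at buf[len], one byte past the end. */
char *join_ciphers_vuln(const char **names, size_t n, char *buf, int len)
{
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        for (const char *cp = names[i]; *cp; cp++) {
            if (p - buf >= len) { *p = '\0'; return buf; }  /* BUG: writes buf[len] */
            *p++ = *cp;
        }
        if (p - buf >= len) { *p = '\0'; return buf; }      /* BUG: same store */
        *p++ = ':';
    }
    if (p > buf) p[-1] = '\0';   /* replace the trailing ':' */
    return buf;
}

/* Fixed: reserve the last byte for the terminator up front and bound every
 * write by end = buf + len - 1, so no store can reach buf[len]. */
char *join_ciphers_fixed(const char **names, size_t n, char *buf, int len)
{
    if (buf == NULL || len <= 0) return NULL;
    char *p = buf, *end = buf + len - 1;
    for (size_t i = 0; i < n && p < end; i++) {
        for (const char *cp = names[i]; *cp && p < end; cp++)
            *p++ = *cp;
        if (p < end) *p++ = ':';
    }
    if (p > buf && p[-1] == ':') p--;   /* drop a trailing separator */
    *p = '\0';
    return buf;
}

typedef char *(*join_fn)(const char **, size_t, char *, int);
struct join_result { char text[40]; int overflowed; };
/* Runs fn with a len-byte window at the start of a canary-filled array and
 * reports whether the byte just past the window (text[len]) was overwritten. */
const struct join_result *run_join(join_fn fn, int len)
{
    static struct join_result r;
    memset(r.text, 'X', sizeof r.text);   /* canary fill; len must stay below 40 */
    fn(SAMPLE_NAMES, SAMPLE_N, r.text, len);
    r.overflowed = r.text[len] != 'X';
    return &r;
}
```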
    
    This update to DSA 1379 announces the availability of the libssl0.9.6
    and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch
    (stable), respectively.
    
    We recommend that you upgrade your openssl097 and openssl096 packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian 3.1 (oldstable)
    - ----------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    