Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200710-06 ] OpenSSL: Multiple vulnerabilities
Date: Sun, 07 Oct 2007 21:54:43
Message-Id: 47095066.1060804@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200710-06
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: High
11 Title: OpenSSL: Multiple vulnerabilities
12 Date: October 07, 2007
13 Bugs: #188799, #194039
14 ID: 200710-06
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 A buffer underflow vulnerability and an information disclosure
22 vulnerability have been discovered in OpenSSL.
23
24 Background
25 ==========
26
27 OpenSSL is an implementation of the Secure Socket Layer and Transport
28 Layer Security protocols.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 dev-libs/openssl < 0.9.8e-r3 >= 0.9.8e-r3
37
38 Description
39 ===========
40
41 Moritz Jodeit reported an off-by-one error in the
42 SSL_get_shared_ciphers() function, resulting from an incomplete fix of
43 CVE-2006-3738. A flaw has also been reported in the
44 BN_from_montgomery() function in crypto/bn/bn_mont.c when performing
45 Montgomery multiplication.
46
47 Impact
48 ======
49
50 A remote attacker sending a specially crafted packet to an application
51 relying on OpenSSL could possibly execute arbitrary code with the
52 privileges of the user running the application. A local attacker could
53 perform a side channel attack to retrieve the RSA private keys.
54
55 Workaround
56 ==========
57
58 There is no known workaround at this time.
59
60 Resolution
61 ==========
62
63 All OpenSSL users should upgrade to the latest version:
64
65 # emerge --sync
66 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8e-r3"
67
68 References
69 ==========
70
71 [ 1 ] CVE-2006-3738
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
73 [ 2 ] CVE-2007-3108
74 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
75 [ 3 ] CVE-2007-5135
76 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135
77
78 Availability
79 ============
80
81 This GLSA and any updates to it are available for viewing at
82 the Gentoo Security Website:
83
84 http://security.gentoo.org/glsa/glsa-200710-06.xml
85
86 Concerns?
87 =========
88
89 Security is a primary focus of Gentoo Linux and ensuring the
90 confidentiality and security of our users machines is of utmost
91 importance to us. Any security concerns should be addressed to
92 security@g.o or alternatively, you may file a bug at
93 http://bugs.gentoo.org.
94
95 License
96 =======
97
98 Copyright 2007 Gentoo Foundation, Inc; referenced text
99 belongs to its owner(s).
100
101 The contents of this document are licensed under the
102 Creative Commons - Attribution / Share Alike license.
103
104 http://creativecommons.org/licenses/by-sa/2.5
105 -----BEGIN PGP SIGNATURE-----
106 Version: GnuPG v1.4.7 (GNU/Linux)
107 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
108
109 iD8DBQFHCVBmuhJ+ozIKI5gRAv3NAKCdKfDMXmkNVek/nWT35KbBt4IjggCfRqe7
110 jH09QwZEvD8+yZD02L7xMjQ=
111 =jbkz
112 -----END PGP SIGNATURE-----
113 --
114 gentoo-announce@g.o mailing list