Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201203-12 ] OpenSSL: Multiple vulnerabilities
Date: Tue, 06 Mar 2012 04:21:46
Message-Id: 4F55731B.1070107@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201203-12
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: OpenSSL: Multiple vulnerabilities
9 Date: March 06, 2012
10 Bugs: #397695, #399365
11 ID: 201203-12
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in OpenSSL, allowing remote
19 attackers to cause a Denial of Service or obtain sensitive information.
20
21 Background
22 ==========
23
24 OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
25 (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
26 purpose cryptography library.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 dev-libs/openssl < 1.0.0g *>= 0.9.8t
35 >= 1.0.0g
36
37 Description
38 ===========
39
40 Multiple vulnerabilities have been found in OpenSSL:
41
42 * Timing differences for decryption are exposed by CBC mode encryption
43 in OpenSSL's implementation of DTLS (CVE-2011-4108).
44 * A policy check failure can result in a double-free error when
45 X509_V_FLAG_POLICY_CHECK is set (CVE-2011-4109).
46 * Clients and servers using SSL 3.0 handshakes do not clear the block
47 cipher padding, allowing a record to contain up to 15 bytes of
48 uninitialized memory, which could include sensitive information
49 (CVE-2011-4576).
50 * Assertion errors can occur during the handling of malformed X.509
51 certificates when OpenSSL is built with RFC 3779 support
52 (CVE-2011-4577).
53 * A resource management error can occur when OpenSSL's server gated
54 cryptography (SGC) does not properly handle handshake restarts
55 (CVE-2011-4619).
56 * Invalid parameters in the GOST block cipher are not properly handled
57 by the GOST ENGINE(CVE-2012-0027).
58 * An incorrect fix for CVE-2011-4108 creates an unspecified
59 vulnerability for DTLS applications using OpenSSL (CVE-2012-0050).
60
61 Impact
62 ======
63
64 A remote attacker may be able to cause a Denial of Service or obtain
65 sensitive information, including plaintext passwords.
66
67 Workaround
68 ==========
69
70 There is no known workaround at this time.
71
72 Resolution
73 ==========
74
75 All OpenSSL users should upgrade to the latest version:
76
77 # emerge --sync
78 # emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.0g"
79
80 References
81 ==========
82
83 [ 1 ] CVE-2011-4108
84 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4108
85 [ 2 ] CVE-2011-4109
86 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4109
87 [ 3 ] CVE-2011-4576
88 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4576
89 [ 4 ] CVE-2011-4577
90 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4577
91 [ 5 ] CVE-2011-4619
92 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4619
93 [ 6 ] CVE-2012-0027
94 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0027
95 [ 7 ] CVE-2012-0050
96 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0050
97
98 Availability
99 ============
100
101 This GLSA and any updates to it are available for viewing at
102 the Gentoo Security Website:
103
104 http://security.gentoo.org/glsa/glsa-201203-12.xml
105
106 Concerns?
107 =========
108
109 Security is a primary focus of Gentoo Linux and ensuring the
110 confidentiality and security of our users' machines is of utmost
111 importance to us. Any security concerns should be addressed to
112 security@g.o or alternatively, you may file a bug at
113 https://bugs.gentoo.org.
114
115 License
116 =======
117
118 Copyright 2012 Gentoo Foundation, Inc; referenced text
119 belongs to its owner(s).
120
121 The contents of this document are licensed under the
122 Creative Commons - Attribution / Share Alike license.
123
124 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature