Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200610-11 ] OpenSSL: Multiple vulnerabilities
Date: Tue, 24 Oct 2006 17:04:20
Message-Id: 20061024163122.GM25143@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 200610-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: OpenSSL: Multiple vulnerabilities
      Date: October 24, 2006
      Bugs: #145510
        ID: 200610-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

OpenSSL contains multiple vulnerabilities including the possible remote
execution of arbitrary code.

Background
==========

OpenSSL is a toolkit implementing the Secure Sockets Layer, Transport
Layer Security protocols and a general-purpose cryptography library.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  dev-libs/openssl      < 0.9.8d                          >= 0.9.8d
                                                            *>= 0.9.7l

Description
===========

Tavis Ormandy and Will Drewry, both of the Google Security Team,
discovered that the SSL_get_shared_ciphers() function contains a buffer
overflow vulnerability, and that the SSLv2 client code contains a flaw
leading to a crash. Additionally, Dr. Stephen N. Henson found that the
ASN.1 handler contains two Denial of Service vulnerabilities: while
parsing an invalid ASN.1 structure and while handling certain types of
public key.

Impact
======

An attacker could trigger the buffer overflow vulnerability by sending
a malicious suite of ciphers to an application using the vulnerable
function, and thus execute arbitrary code with the rights of the user
running the application. An attacker could also consume CPU and/or
memory by exploiting the Denial of Service vulnerabilities. Finally, a
malicious server could crash an SSLv2 client through the SSLv2
vulnerability.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All OpenSSL 0.9.8 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8d"

All OpenSSL 0.9.7 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.7l"
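
Added example (not part of the GLSA or of Gentoo's tooling): a Python check that classifies OpenSSL version strings against the fixed releases named in the Resolution section, for auditing an inventory of hosts. It assumes that any release at or after the fixed letter within a branch carries the fix; the function names, host names and sample strings are constructed for illustration.

```python
import re

# Fixed release letter per branch, from the advisory's Resolution section.
FIXED = {(0, 9, 8): "d", (0, 9, 7): "l"}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Extract ((major, minor, fix), letters) from strings such as
    'OpenSSL 0.9.8c 05 Sep 2006' or 'dev-libs/openssl-0.9.7k'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % (text,))
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)

def _letter_key(letters):
    # Patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb' ...
    return (len(letters), letters)

def glsa_200610_11_status(text):
    """Return 'vulnerable' or 'unaffected' for one version string."""
    branch, letters = parse_openssl_version(text)
    if branch > max(FIXED):
        return "unaffected"          # newer branch, so >= 0.9.8d
    fixed = FIXED.get(branch)
    if fixed is None:
        return "vulnerable"          # older branch: < 0.9.8d, no fix listed
    # Assumption: within a branch, any release at or after the fixed
    # letter carries the fix.
    if _letter_key(letters) >= _letter_key(fixed):
        return "unaffected"
    return "vulnerable"

def audit(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: glsa_200610_11_status(v) for host, v in inventory.items()}

# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = {
    "web1": "OpenSSL 0.9.8c 05 Sep 2006",
    "web2": "dev-libs/openssl-0.9.8d",
    "mail1": "dev-libs/openssl-0.9.7k",
    "mail2": "OpenSSL 0.9.7l 28 Sep 2006",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```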

References
==========

  [ 1 ] CVE-2006-2937
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
  [ 2 ] CVE-2006-2940
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940
  [ 3 ] CVE-2006-3738
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
  [ 4 ] CVE-2006-4343
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5