[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200912-01.xml - gentoo-commits

From:	"Alex Legler (a3li)" <a3li@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200912-01.xml
Date:	Tue, 01 Dec 2009 21:31:29
Message-Id:	`E1NFaJh-0002Pj-Fh@stork.gentoo.org`

1

a3li        09/12/01 21:31:25

2

3

  Added:                glsa-200912-01.xml

4

  Log:

5

  GLSA 200912-01

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200912-01.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200912-01.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200912-01.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200912-01.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200912-01">

21

  <title>OpenSSL: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct

24

    multiple attacks, including the injection of arbitrary data into encrypted

25

    byte streams.

26

  </synopsis>

27

  <product type="ebuild">openssl</product>

28

  <announced>December 01, 2009</announced>

29

  <revised>December 01, 2009: 01</revised>

30

  <bug>270305</bug>

31

  <bug>280591</bug>

32

  <bug>292022</bug>

33

  <access>remote</access>

34

  <affected>

35

    <package name="dev-libs/openssl" auto="yes" arch="*">

36

      <unaffected range="ge">0.9.8l-r2</unaffected>

37

      <vulnerable range="lt">0.9.8l-r2</vulnerable>

38

    </package>

39

  </affected>

40

  <background>

41

<p>

42

    OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer

43

    (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general

44

    purpose cryptography library.

45

    </p>

46

  </background>

47

  <description>

48

<p>

49

    Multiple vulnerabilities have been reported in OpenSSL:

50

    </p>

51

    <ul>

52

    <li>Marsh Ray of PhoneFactor and Martin Rex of SAP independently

53

    reported that the TLS protocol does not properly handle session

54

    renegotiation requests (CVE-2009-3555).</li>

55

    <li>The MD2 hash algorithm

56

    is no longer considered to be cryptographically strong, as demonstrated

57

    by Dan Kaminsky. Certificates using this algorithm are no longer

58

    accepted (CVE-2009-2409).</li>

59

    <li>Daniel Mentz and Robin Seggelmann

60

    reported the following vulnerabilities related to DTLS: A

61

    use-after-free flaw (CVE-2009-1379) and a NULL pointer dereference

62

    (CVE-2009-1387) in the dtls1_retrieve_buffered_fragment() function in

63

    src/d1_both.c, multiple memory leaks in the

64

    dtls1_process_out_of_seq_message() function in src/d1_both.c

65

    (CVE-2009-1378), and a processing error related to a large amount of

66

    DTLS records with a future epoch in the dtls1_buffer_record() function

67

    in ssl/d1_pkt.c (CVE-2009-1377).</li>

68

    </ul>

69

  </description>

70

  <impact type="normal">

71

<p>

72

    A remote unauthenticated attacker, acting as a Man in the Middle, could

73

    inject arbitrary plain text into a TLS session, possibly leading to the

74

    ability to send requests as if authenticated as the victim. A remote

75

    attacker could furthermore send specially crafted DTLS packages to a

76

    service using OpenSSL for DTLS support, possibly resulting in a Denial

77

    of Service. Also, a remote attacker might be able to create rouge

78

    certificates, facilitated by a MD2 collision. NOTE: The amount of

79

    computation needed for this attack is still very large.

80

    </p>

81

  </impact>

82

  <workaround>

83

<p>

84

    There is no known workaround at this time.

85

    </p>

86

  </workaround>

87

  <resolution>

88

<p>

89

    All OpenSSL users should upgrade to the latest version:

90

    </p>

91

    <code>

92

    # emerge --sync

93

    # emerge --ask --oneshot --verbose &quot;&gt;=dev-libs/openssl-0.9.8l-r2&quot;</code>

94

  </resolution>

95

  <references>

96

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377">CVE-2009-1377</uri>

97

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378">CVE-2009-1378</uri>

98

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379">CVE-2009-1379</uri>

99

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387">CVE-2009-1387</uri>

100

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409">CVE-2009-2409</uri>

101

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">CVE-2009-3555</uri>

102

  </references>

103

  <metadata tag="requester" timestamp="Mon, 23 Nov 2009 21:29:47 +0000">

104

    a3li

105

  </metadata>

106

  <metadata tag="submitter" timestamp="Mon, 30 Nov 2009 13:42:39 +0000">

107

    a3li

108

  </metadata>

109

  <metadata tag="bugReady" timestamp="Tue, 01 Dec 2009 21:28:40 +0000">

110

    a3li

111

  </metadata>

112

</glsa>

1	a3li 09/12/01 21:31:25
2
3	Added: glsa-200912-01.xml
4	Log:
5	GLSA 200912-01
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200912-01.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200912-01.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200912-01.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200912-01.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200912-01">
21	<title>OpenSSL: Multiple vulnerabilities</title>
22	<synopsis>
23	Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct
24	multiple attacks, including the injection of arbitrary data into encrypted
25	byte streams.
26	</synopsis>
27	<product type="ebuild">openssl</product>
28	<announced>December 01, 2009</announced>
29	<revised>December 01, 2009: 01</revised>
30	<bug>270305</bug>
31	<bug>280591</bug>
32	<bug>292022</bug>
33	<access>remote</access>
34	<affected>
35	<package name="dev-libs/openssl" auto="yes" arch="*">
36	<unaffected range="ge">0.9.8l-r2</unaffected>
37	<vulnerable range="lt">0.9.8l-r2</vulnerable>
38	</package>
39	</affected>
40	<background>
41	<p>
42	OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
43	(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
44	purpose cryptography library.
45	</p>
46	</background>
47	<description>
48	<p>
49	Multiple vulnerabilities have been reported in OpenSSL:
50	</p>
51	<ul>
52	<li>Marsh Ray of PhoneFactor and Martin Rex of SAP independently
53	reported that the TLS protocol does not properly handle session
54	renegotiation requests (CVE-2009-3555).</li>
55	<li>The MD2 hash algorithm
56	is no longer considered to be cryptographically strong, as demonstrated
57	by Dan Kaminsky. Certificates using this algorithm are no longer
58	accepted (CVE-2009-2409).</li>
59	<li>Daniel Mentz and Robin Seggelmann
60	reported the following vulnerabilities related to DTLS: A
61	use-after-free flaw (CVE-2009-1379) and a NULL pointer dereference
62	(CVE-2009-1387) in the dtls1_retrieve_buffered_fragment() function in
63	src/d1_both.c, multiple memory leaks in the
64	dtls1_process_out_of_seq_message() function in src/d1_both.c
65	(CVE-2009-1378), and a processing error related to a large amount of
66	DTLS records with a future epoch in the dtls1_buffer_record() function
67	in ssl/d1_pkt.c (CVE-2009-1377).</li>
68	</ul>
69	</description>
70	<impact type="normal">
71	<p>
72	A remote unauthenticated attacker, acting as a Man in the Middle, could
73	inject arbitrary plain text into a TLS session, possibly leading to the
74	ability to send requests as if authenticated as the victim. A remote
75	attacker could furthermore send specially crafted DTLS packages to a
76	service using OpenSSL for DTLS support, possibly resulting in a Denial
77	of Service. Also, a remote attacker might be able to create rouge
78	certificates, facilitated by a MD2 collision. NOTE: The amount of
79	computation needed for this attack is still very large.
80	</p>
81	</impact>
82	<workaround>
83	<p>
84	There is no known workaround at this time.
85	</p>
86	</workaround>
87	<resolution>
88	<p>
89	All OpenSSL users should upgrade to the latest version:
90	</p>
91	<code>
92	# emerge --sync
93	# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8l-r2"</code>
94	</resolution>
95	<references>
96	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1377">CVE-2009-1377</uri>
97	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378">CVE-2009-1378</uri>
98	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379">CVE-2009-1379</uri>
99	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387">CVE-2009-1387</uri>
100	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409">CVE-2009-2409</uri>
101	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555">CVE-2009-3555</uri>
102	</references>
103	<metadata tag="requester" timestamp="Mon, 23 Nov 2009 21:29:47 +0000">
104	a3li
105	</metadata>
106	<metadata tag="submitter" timestamp="Mon, 30 Nov 2009 13:42:39 +0000">
107	a3li
108	</metadata>
109	<metadata tag="bugReady" timestamp="Tue, 01 Dec 2009 21:28:40 +0000">
110	a3li
111	</metadata>
112	</glsa>

Gentoo Archives: gentoo-commits