LinuxSecurity.com
Mandriva: [Security Announce] [ MDVSA-2009:001 ] openssl
Posted by Benjamin D. Thomas   
A vulnerability was found by the Google Security Team with how OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a man-in-the-middle attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client, which would then bypass the certificate validation (CVE-2008-5077). The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:001
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : January 8, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was found by the Google Security Team with how OpenSSL
 checked the verification of certificates.  An attacker in control of a
 malicious server or able to effect a man-in-the-middle attack, could
 present a malformed SSL/TLS signature from a certificate chain to a
 vulnerable client, which would then bypass the certificate validation
 (CVE-2008-5077).
 
 The updated packages have been patched to prevent this issue.
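
 The class of bug behind this advisory, as an added example that is not code from Mandriva or OpenSSL: the public CVE-2008-5077 description attributes the bypass to an improper check of the return value of OpenSSL's EVP_VerifyFinal, which can report an error as well as valid or invalid. The stub, the sig_kind inputs and all function names below are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Verification result convention: 1 = valid, 0 = invalid signature,
 * -1 = error (for example, the signature could not be parsed). */
typedef enum { SIG_GOOD, SIG_WRONG, SIG_MALFORMED } sig_kind; /* constructed inputs */

/* Hypothetical stand-in for the library's verify call (not OpenSSL code). */
static int verify_stub(sig_kind kind)
{
    switch (kind) {
    case SIG_GOOD:  return 1;
    case SIG_WRONG: return 0;
    default:        return -1;   /* malformed input is an error, not a "no" */
    }
}

/* Flawed caller: treats only 0 as failure, so -1 is taken as success. */
int chain_accepted_flawed(const sig_kind *chain, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!verify_stub(chain[i]))
            return 0;
    return 1;
}

/* Corrected caller: any result of 0 or below rejects the chain. */
int chain_accepted_fixed(const sig_kind *chain, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (verify_stub(chain[i]) <= 0)
            return 0;
    return 1;
}

/* Constructed two-certificate chain: the given leaf under a good issuer. */
int check_leaf(int use_fixed, sig_kind leaf)
{
    sig_kind chain[2] = { leaf, SIG_GOOD };
    return use_fixed ? chain_accepted_fixed(chain, 2)
                     : chain_accepted_flawed(chain, 2);
}

int main(void)
{
    printf("malformed leaf, flawed check: %d\n", check_leaf(0, SIG_MALFORMED));
    printf("malformed leaf, fixed check:  %d\n", check_leaf(1, SIG_MALFORMED));
    return 0;
}
```

 When auditing callers of any tri-state verify function, look for boolean tests such as `if (!result)` and replace them with an explicit comparison against the success value.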
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 