MDKSA-2004:147 - Updated openssl packages fix temporary file vulnerability

From: Mandrake Linux Security Team (security_at_linux-mandrake.com)
Date: 12/07/04

    Date: 7 Dec 2004 02:49:51 -0000
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: openssl
     Advisory ID: MDKSA-2004:147
     Date: December 6th, 2004

     Affected versions: 10.0, 10.1, 9.2, Corporate Server 2.1,
                             Multi Network Firewall 8.2
     ______________________________________________________________________

     Problem Description:

     The Trustix developers found that the der_chop script, included in the
     openssl package, created temporary files insecurely. This could allow
     local users to overwrite files using a symlink attack.
     
     The updated packages have been patched to prevent this problem.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     c0d41b5423a09f01decc40e84fd005cb 10.0/RPMS/libopenssl0.9.7-0.9.7c-3.1.100mdk.i586.rpm
     82b573c6825f9a3abdd8a23da2fe7c2c 10.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.1.100mdk.i586.rpm
     7c4e0ddd161ae064928c3f3563a2dc4e 10.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.1.100mdk.i586.rpm
     d4d97f7b45004bd8d69ef90bce972442 10.0/RPMS/openssl-0.9.7c-3.1.100mdk.i586.rpm
     f09ed46ce152ac3396ce5a4a4b2036d0 10.0/SRPMS/openssl-0.9.7c-3.1.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     d9d9037cf0170a9e6ef1702f3e786b8a amd64/10.0/RPMS/lib64openssl0.9.7-0.9.7c-3.1.100mdk.amd64.rpm
     cfa623fa40be35d5cc99053bafd625c1 amd64/10.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.1.100mdk.amd64.rpm
     0098601eae49e65ee1fae0283bc4ffff amd64/10.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.1.100mdk.amd64.rpm
     06d845c07b46356cef699f94a67b9bc0 amd64/10.0/RPMS/openssl-0.9.7c-3.1.100mdk.amd64.rpm
     f09ed46ce152ac3396ce5a4a4b2036d0 amd64/10.0/SRPMS/openssl-0.9.7c-3.1.100mdk.src.rpm

     Mandrakelinux 10.1:
     ae229d9586ea295545e577960ecfc9d5 10.1/RPMS/libopenssl0.9.7-0.9.7d-1.1.101mdk.i586.rpm
     66d4393ab8ad6c72242fe03676d452bb 10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.1.101mdk.i586.rpm
     003f9c7ba693314fe0cfd5c91f0d154b 10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.1.101mdk.i586.rpm
     00e24e1fa79a339a5e1a92d9c2996082 10.1/RPMS/openssl-0.9.7d-1.1.101mdk.i586.rpm
     5c453b0349f604e2955a889f624982d6 10.1/SRPMS/openssl-0.9.7d-1.1.101mdk.src.rpm

     Mandrakelinux 10.1/X86_64:
     45a998be7caf5d54a7a8a106e2e6cf9a x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.1.101mdk.x86_64.rpm
     000606c0fde3660e4c623f1ddb319e47 x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.1.101mdk.x86_64.rpm
     f75779760ee204bbfaab4173575964cd x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.1.101mdk.x86_64.rpm
     81457d174401f6033cb03a9404145278 x86_64/10.1/RPMS/openssl-0.9.7d-1.1.101mdk.x86_64.rpm
     5c453b0349f604e2955a889f624982d6 x86_64/10.1/SRPMS/openssl-0.9.7d-1.1.101mdk.src.rpm

     Corporate Server 2.1:
     63355bf82d2b54f08a970383c9c5192c corporate/2.1/RPMS/libopenssl0-0.9.6i-1.8.C21mdk.i586.rpm
     9d557d9105a7a2d1b1026543d6fedf2c corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.8.C21mdk.i586.rpm
     0929ca75a91cd5c4f553329aa7e818a8 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.8.C21mdk.i586.rpm
     2cd8e70cc5c66c4797392e4ea3a0348f corporate/2.1/RPMS/openssl-0.9.6i-1.8.C21mdk.i586.rpm
     337b3ad1c49fc5e91f2d72ea6a493868 corporate/2.1/SRPMS/openssl-0.9.6i-1.8.C21mdk.src.rpm

     Corporate Server 2.1/x86_64:
     1fb93ddabdccd9edd724e7d6818e7299 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.8.C21mdk.x86_64.rpm
     acfe2f603298bae71c4f35a928d9ba88 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.8.C21mdk.x86_64.rpm
     daf31defd9c4b27bf28581bd7ed7fd2c x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.8.C21mdk.x86_64.rpm
     cade4a4db47d263c6660591d1bf9d5a1 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.8.C21mdk.x86_64.rpm
     337b3ad1c49fc5e91f2d72ea6a493868 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.8.C21mdk.src.rpm

     Mandrakelinux 9.2:
     f014f2318e559b7cfc5fc5bd2a010b67 9.2/RPMS/libopenssl0.9.7-0.9.7b-5.1.92mdk.i586.rpm
     db4c7a4d97015c04a03ed69fa8d9c941 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-5.1.92mdk.i586.rpm
     1368b0bf03dcebb17b6f1d5359411d8b 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-5.1.92mdk.i586.rpm
     369d6104e62dc23e23c2d9f05e0d03db 9.2/RPMS/openssl-0.9.7b-5.1.92mdk.i586.rpm
     9389817df3eb169e26536635c129e853 9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm

     Mandrakelinux 9.2/AMD64:
     a0f963c1ab90037dcdf57dba1337e48d amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-5.1.92mdk.amd64.rpm
     587ef4344175ab4532e0e569ea733df3 amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-5.1.92mdk.amd64.rpm
     4638c1af2de29459e2c1fae27fd28659 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-5.1.92mdk.amd64.rpm
     18d875fb53f6b5c0adfc22fed5193645 amd64/9.2/RPMS/openssl-0.9.7b-5.1.92mdk.amd64.rpm
     9389817df3eb169e26536635c129e853 amd64/9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm

     Multi Network Firewall 8.2:
     eeaeae17ef647b22de71170105190f87 mnf8.2/RPMS/libopenssl0-0.9.6i-1.7.M82mdk.i586.rpm
     b3ffacae8b78391fcc30267a3f252223 mnf8.2/RPMS/openssl-0.9.6i-1.7.M82mdk.i586.rpm
     aa558b895ae77092ae29dec127a5a2a0 mnf8.2/SRPMS/openssl-0.9.6i-1.7.M82mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security@linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security@linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQFBtRpPmqjQ0CJFipgRAnLGAJ40aJv0gDgCf/7QiE5gDyAYQKJb3QCgoNqJ
    MnN19RFVMvpGf4RIRSM1/f4=
    =ZLB+
    -----END PGP SIGNATURE-----
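
Added example, not part of the advisory and not the der_chop script or the Mandrakesoft patch: the class of bug the advisory describes (a temporary file opened at a predictable path follows a symlink already placed there), next to two symlink-safe ways of creating the file. It is written in Python and runs entirely inside a private scratch directory; all file and function names are constructed for illustration.

```python
import os
import tempfile


def write_predictable(path, data):
    """Unsafe pattern: open() follows a symlink already sitting at `path`."""
    with open(path, "w") as fh:
        fh.write(data)


def write_exclusive(path, data):
    """O_CREAT|O_EXCL fails with EEXIST if a file or symlink already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def write_mkstemp(directory, data):
    """mkstemp picks an unpredictable name and opens it exclusively, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="demo.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo():
    """Exercise all three patterns against a pre-existing symlink."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "important.conf")  # constructed stand-in file
        planted = os.path.join(scratch, "tmp.12345")      # constructed predictable name
        with open(target, "w") as fh:
            fh.write("original")
        os.symlink(target, planted)  # link exists before the writer runs
        write_predictable(planted, "scratch data")
        with open(target) as fh:
            overwritten = fh.read() == "scratch data"
        try:
            write_exclusive(planted, "scratch data")
            refused = False
        except FileExistsError:
            refused = True
        safe = write_mkstemp(scratch, "scratch data")
        private = not os.path.islink(safe) and os.stat(safe).st_mode & 0o077 == 0
        return {"overwritten": overwritten, "exclusive_refused": refused,
                "mkstemp_private": private}


if __name__ == "__main__":
    print(demo())
```

When auditing other scripts for the same flaw, look for writes to fixed or PID-derived names under a world-writable directory such as /tmp that are opened without exclusive creation.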

