[ MDVSA-2012:038 ] openssl



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:038
http://www.mandriva.com/security/
_______________________________________________________________________

Package : openssl
Date : March 26, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in openssl:

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
certain oracle behavior, which makes it easier for context-dependent
attackers to decrypt data via a Million Message Attack (MMA) adaptive
chosen ciphertext attack (CVE-2012-0884).

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted S/MIME message, a different vulnerability than CVE-2006-7250
(CVE-2012-1165).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.1:
820b204b86b1f140bf8526725ee29650 2010.1/i586/libopenssl0.9.8-0.9.8u-0.1mdv2010.2.i586.rpm
f19cb6b757e2502ba930c139ce6cd3c4 2010.1/i586/libopenssl1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
a57c57a8ebfb75f2da2ce416218655a9 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.11mdv2010.2.i586.rpm
d5807ee096478bcca0d08f2145535f78 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.i586.rpm
cacdcfe367accab7ee4ce75eefd1d28d 2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
8a3b57e03df92a2d421672a6495f34a0 2010.1/i586/openssl-1.0.0a-1.11mdv2010.2.i586.rpm
6be06368a541e654742693c6eb705fb1 2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
2619947049700ab84d6cad214a0131f3 2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

Mandriva Linux 2010.1/X86_64:
dfb5f411e236cc9b4b3f2e005d5f0e2e 2010.1/x86_64/lib64openssl0.9.8-0.9.8u-0.1mdv2010.2.x86_64.rpm
7ee654320d85d3f3aa0bbd94bc42453b 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
1d00d58ab6be34fd3542340300038950 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
6c7ca81d116a60d500ffddc2f3c7fb57 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
bcdac0e2468a6e06f4078f05fdafd392 2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
836de45400c21f24fa5b21b7c706eb98 2010.1/x86_64/openssl-1.0.0a-1.11mdv2010.2.x86_64.rpm
6be06368a541e654742693c6eb705fb1 2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
2619947049700ab84d6cad214a0131f3 2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

Mandriva Linux 2011:
1960675e9fe0ae8da138ecba0bf9e6b4 2011/i586/libopenssl1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
de70876cfc6918c35b89cae61ccb2788 2011/i586/libopenssl-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
68696a78df495d3245034e776ececf24 2011/i586/libopenssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
fba71506079447ff67b7e52c15004221 2011/i586/libopenssl-static-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
f8992d4ee7b2c0d979a314593c590e8b 2011/i586/openssl-1.0.0d-2.4-mdv2011.0.i586.rpm
34324e854461c4102c4db333d3f575ba 2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

Mandriva Linux 2011/X86_64:
89645faf8d71d72afa62c2be5d21a55b 2011/x86_64/lib64openssl1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
2f3e7dc11f36f7f10bc26669ea0d359a 2011/x86_64/lib64openssl-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
aecefb41191efa106dc11cfdff6e5dbc 2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
ec65b7b472890dd336239605846a3a56 2011/x86_64/lib64openssl-static-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
db15536fedf4e8e8e00f1877f2939f6d 2011/x86_64/openssl-1.0.0d-2.4-mdv2011.0.x86_64.rpm
34324e854461c4102c4db333d3f575ba 2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

Mandriva Enterprise Server 5:
4bd8479bc2fad30096d37d498240c507 mes5/i586/libopenssl0.9.8-0.9.8h-3.14mdvmes5.2.i586.rpm
33cf65c119e4d84738619a84e598aba2 mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
ca767a0cbeb99230946ebb35191b9df2 mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
9f3bba03e5aff24ecd26bae11c99af91 mes5/i586/openssl-0.9.8h-3.14mdvmes5.2.i586.rpm
65c9f262dd6b4d66069649ea1e596b4b mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
e0b68754036f1114ed20cf8199d7625d mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.14mdvmes5.2.x86_64.rpm
ba2d5446973c7aecbe93ac7455cb7a7b mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
a16b1e15a2164eadf4d052f7f29080fd mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
71e785c5e2bda4cfc189ae8adff9cd54 mes5/x86_64/openssl-0.9.8h-3.14mdvmes5.2.x86_64.rpm
65c9f262dd6b4d66069649ea1e596b4b mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPcG6AmqjQ0CJFipgRAgdKAKCe5y81j9lidhC+Mjg3Q1XMcAyosQCfe2zE
JfKo2hU2JCc2U3RLbBgqRek=
=vipz
-----END PGP SIGNATURE-----



Relevant Pages

  • [Full-disclosure] [ MDVSA-2013:042 ] krb5
    ... Multiple vulnerabilities has been discovered and corrected in krb5: ... An attacker could use this vulnerability to execute ... The updated packages have been patched to correct these issues. ... All packages are signed by Mandriva for security. ...
    (Full-Disclosure)
  • [ MDVSA-2013:042 ] krb5
    ... Multiple vulnerabilities has been discovered and corrected in krb5: ... An attacker could use this vulnerability to execute ... The updated packages have been patched to correct these issues. ... All packages are signed by Mandriva for security. ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2013:115 ] php-ZendFramework
    ... Updated php-ZendFramework packages fix security vulnerabilities: ... All packages are signed by Mandriva for security. ...
    (Full-Disclosure)
  • [Full-disclosure] [ MDVSA-2011:089 ] mplayer
    ... Multiple vulnerabilities have been identified and fixed in mplayer: ... FFmpeg 0.5 allows remote attackers to cause a denial of service ... The updated packages have been patched to correct these issues. ... Mandriva Linux 2010.1/X86_64: ...
    (Full-Disclosure)
  • [ MDVSA-2011:089 ] mplayer
    ... Multiple vulnerabilities have been identified and fixed in mplayer: ... FFmpeg 0.5 allows remote attackers to cause a denial of service ... The updated packages have been patched to correct these issues. ... Mandriva Linux 2010.1/X86_64: ...
    (Bugtraq)