Više nedostataka paketa OpenSSL

U radu programskog paketa OpenSSL otkriveno je i otklonjeno više sigurnosnih propusta. Udaljeni napadač ih je mogao iskoristiti za DoS (eng. Denial of Service) napad te otkrivanje osjetljivih informacija.

Paket:	OpenSSL 0.x
Operacijski sustavi:	Mandriva Linux 2010.1, Mandriva Linux 2011, Mandriva Linux Enterprise Server 5.0
Kritičnost:	5
Problem:	pogreška u programskoj funkciji, pogreška u programskoj komponenti
Iskorištavanje:	udaljeno
Posljedica:	otkrivanje osjetljivih informacija, uskraćivanje usluga (DoS)
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2012-0884, CVE-2006-7250, CVE-2012-1165
Izvorni ID preporuke:	MDVSA-2012:038
Izvor:	Mandriva

Problem:
Sigurnosne ranjivosti su posljedica nepravilne "Cryptographic Message Syntax" implementacije te pogreške u funkcijama "mime_hdr_cmp" i "mime_param_cmp".
Posljedica:
Udaljeni napadač propuste može iskoristiti za otkrivanje podataka te napad uskraćivanjem usluga (DoS).
Rješenje:
Svim se korisnicima programskog paketa OpenSSL savjetuje njegova nadogradnja na novije inačice.

Izvorni tekst preporuke

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:038
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openssl
 Date    : March 26, 2012
 Affected: 2010.1, 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in openssl:
 
 The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in
 OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict
 certain oracle behavior, which makes it easier for context-dependent
 attackers to decrypt data via a Million Message Attack (MMA) adaptive
 chosen ciphertext attack (CVE-2012-0884).
 
 The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before
 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial
 of service (NULL pointer dereference and application crash) via a
 crafted S/MIME message, a different vulnerability than CVE-2006-7250
 (CVE-2012-1165).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1165
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.1:
 820b204b86b1f140bf8526725ee29650 
2010.1/i586/libopenssl0.9.8-0.9.8u-0.1mdv2010.2.i586.rpm
 f19cb6b757e2502ba930c139ce6cd3c4 
2010.1/i586/libopenssl1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
 a57c57a8ebfb75f2da2ce416218655a9 
2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.11mdv2010.2.i586.rpm
 d5807ee096478bcca0d08f2145535f78 
2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.i586.rpm
 cacdcfe367accab7ee4ce75eefd1d28d 
2010.1/i586/libopenssl-engines1.0.0-1.0.0a-1.11mdv2010.2.i586.rpm
 8a3b57e03df92a2d421672a6495f34a0 
2010.1/i586/openssl-1.0.0a-1.11mdv2010.2.i586.rpm 
 6be06368a541e654742693c6eb705fb1 
2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
 2619947049700ab84d6cad214a0131f3 
2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 dfb5f411e236cc9b4b3f2e005d5f0e2e 
2010.1/x86_64/lib64openssl0.9.8-0.9.8u-0.1mdv2010.2.x86_64.rpm
 7ee654320d85d3f3aa0bbd94bc42453b 
2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
 1d00d58ab6be34fd3542340300038950 
2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
 6c7ca81d116a60d500ffddc2f3c7fb57 
2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.11mdv2010.2.x86_64.rpm
 bcdac0e2468a6e06f4078f05fdafd392 
2010.1/x86_64/lib64openssl-engines1.0.0-1.0.0a-1.11mdv2010.2.x86_64.rpm
 836de45400c21f24fa5b21b7c706eb98 
2010.1/x86_64/openssl-1.0.0a-1.11mdv2010.2.x86_64.rpm 
 6be06368a541e654742693c6eb705fb1 
2010.1/SRPMS/openssl0.9.8-0.9.8u-0.1mdv2010.2.src.rpm
 2619947049700ab84d6cad214a0131f3 
2010.1/SRPMS/openssl-1.0.0a-1.11mdv2010.2.src.rpm

 Mandriva Linux 2011:
 1960675e9fe0ae8da138ecba0bf9e6b4 
2011/i586/libopenssl1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
 de70876cfc6918c35b89cae61ccb2788 
2011/i586/libopenssl-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
 68696a78df495d3245034e776ececf24 
2011/i586/libopenssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.i586.rpm
 fba71506079447ff67b7e52c15004221 
2011/i586/libopenssl-static-devel-1.0.0d-2.4-mdv2011.0.i586.rpm
 f8992d4ee7b2c0d979a314593c590e8b 
2011/i586/openssl-1.0.0d-2.4-mdv2011.0.i586.rpm 
 34324e854461c4102c4db333d3f575ba  2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

 Mandriva Linux 2011/X86_64:
 89645faf8d71d72afa62c2be5d21a55b 
2011/x86_64/lib64openssl1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 2f3e7dc11f36f7f10bc26669ea0d359a 
2011/x86_64/lib64openssl-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 aecefb41191efa106dc11cfdff6e5dbc 
2011/x86_64/lib64openssl-engines1.0.0-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 ec65b7b472890dd336239605846a3a56 
2011/x86_64/lib64openssl-static-devel-1.0.0d-2.4-mdv2011.0.x86_64.rpm
 db15536fedf4e8e8e00f1877f2939f6d 
2011/x86_64/openssl-1.0.0d-2.4-mdv2011.0.x86_64.rpm 
 34324e854461c4102c4db333d3f575ba  2011/SRPMS/openssl-1.0.0d-2.4.src.rpm

 Mandriva Enterprise Server 5:
 4bd8479bc2fad30096d37d498240c507 
mes5/i586/libopenssl0.9.8-0.9.8h-3.14mdvmes5.2.i586.rpm
 33cf65c119e4d84738619a84e598aba2 
mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
 ca767a0cbeb99230946ebb35191b9df2 
mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.i586.rpm
 9f3bba03e5aff24ecd26bae11c99af91 
mes5/i586/openssl-0.9.8h-3.14mdvmes5.2.i586.rpm 
 65c9f262dd6b4d66069649ea1e596b4b 
mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 e0b68754036f1114ed20cf8199d7625d 
mes5/x86_64/lib64openssl0.9.8-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 ba2d5446973c7aecbe93ac7455cb7a7b 
mes5/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 a16b1e15a2164eadf4d052f7f29080fd 
mes5/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.14mdvmes5.2.x86_64.rpm
 71e785c5e2bda4cfc189ae8adff9cd54 
mes5/x86_64/openssl-0.9.8h-3.14mdvmes5.2.x86_64.rpm 
 65c9f262dd6b4d66069649ea1e596b4b 
mes5/SRPMS/openssl-0.9.8h-3.14mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFPcG6AmqjQ0CJFipgRAgdKAKCe5y81j9lidhC+Mjg3Q1XMcAyosQCfe2zE
JfKo2hU2JCc2U3RLbBgqRek=
=vipz
-----END PGP SIGNATURE-----

Više nedostataka paketa OpenSSL

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Više nedostataka paketa OpenSSL

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti