-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1379-2 security@debian.org http://www.debian.org/security/ Noah Meyerhans October 10, 2007 - ------------------------------------------------------------------------ Package : openssl097, openssl096 Vulnerability : off-by-one error/buffer overflow Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-5135 Debian Bug : 444435 An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application. This update to DSA 1379 announces the availability of the libssl0.9.6 and libssl0.9.7 compatibility libraries for sarge (oldstable) and etch (stable), respectively. We recommend that you upgrade your openssl097 and openssl096 packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian 3.1 (oldstable) - ---------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.dsc Size/MD5 checksum: 617 d5c107efd03887064c12ca3f3785eb22 http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m.orig.tar.gz Size/MD5 checksum: 2184918 1b63bfdca1c37837dddde9f1623498f9 http://security.debian.org/pool/updates/main/o/openssl096/openssl096_0.9.6m-1sarge5.diff.gz Size/MD5 checksum: 21639 3a9b336e6f7e1ecdb12b925928bf9061 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_alpha.deb Size/MD5 checksum: 1966700 cb66c5de2c58624ce1a066d9f6db108b amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_amd64.deb Size/MD5 checksum: 578788 acbc334b7cbf3b154c5bd5516160043d arm architecture (ARM) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_arm.deb Size/MD5 checksum: 519050 1f32d009ee447998eb0b7b5d977ec269 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_hppa.deb Size/MD5 checksum: 588092 0640e3135183515b1d5739cc35471501 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_i386.deb Size/MD5 checksum: 1758424 afcd7f2f3b9ceb67eda7a1b6008af9d1 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_ia64.deb Size/MD5 checksum: 815824 e1e0e0e29d2fadaa9126a0f40ef0f7ac mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_mips.deb Size/MD5 checksum: 577428 9b2b390a8841638216d14dfb59244486 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_powerpc.deb Size/MD5 checksum: 583112 6b926d1b39bc0a83e4f098b873b3f111 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_s390.deb Size/MD5 checksum: 603014 698f599a8765889800a62e088674fcf7 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl096/libssl0.9.6_0.9.6m-1sarge5_sparc.deb Size/MD5 checksum: 1460366 0e4d599821004ace0bf499fd688a22f1 Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.dsc Size/MD5 checksum: 769 b7a4e535383394c3be009e3a1df09bdd http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz Size/MD5 checksum: 3292692 be6bba1d67b26eabb48cf1774925416f http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch1.diff.gz Size/MD5 checksum: 33285 dc2f489812286cecb705f5b77d523a1e alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_alpha.deb Size/MD5 checksum: 3822210 91e845e9663d5e5fd0606254484fce29 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_alpha.deb Size/MD5 checksum: 2210464 5d4c3807d8d5d67cf99882f061bca0d8 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_amd64.deb Size/MD5 checksum: 1325984 321bfb5960f3d0f8bd80792e7c7c5f05 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_amd64.deb Size/MD5 checksum: 755416 e80a880d70bd4f5be5653559e664413a arm architecture (ARM) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_arm.deb Size/MD5 checksum: 1229966 70eef9e08baa248416efbd49bc064df9 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_arm.deb Size/MD5 checksum: 672290 f30616f8250e48b794e75fbb098b8fe8 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_hppa.deb Size/MD5 checksum: 1273442 e8518a1f26ff7ea13b04d16c760de661 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_hppa.deb Size/MD5 checksum: 793182 9b009b750c25c3bbfb3138bfb920702d i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_i386.deb Size/MD5 checksum: 2284392 cded472858b38935b95aa798e72e0555 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_i386.deb Size/MD5 checksum: 4642676 4f181f50322b488f9eed50fc167d0712 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_ia64.deb Size/MD5 checksum: 1263422 b710a9e027214c21fd29f58e6cd45bc1 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_ia64.deb Size/MD5 checksum: 1009882 18617eeb4e2056de2b0d18fe2045bbce mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mips.deb Size/MD5 checksum: 1352460 e31e5b9e481800bfb194c3693e39e876 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mips.deb Size/MD5 checksum: 729966 52952a3b76cfdca4ede580eaa1120a48 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_mipsel.deb Size/MD5 checksum: 718836 9cbc00898d56a3e7db3839b0eb6a087b http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_mipsel.deb Size/MD5 checksum: 1316952 f19c960283886c8c1b94d1fa2d385ca5 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_powerpc.deb Size/MD5 checksum: 743238 792e64a2ada756b4e586eea50e2e3c3c http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_powerpc.deb Size/MD5 checksum: 1382044 31704c8cdf8be905ebc35be75f885fc5 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_s390.deb Size/MD5 checksum: 794166 d34483e35b01102e03c9d0dedb37f32e http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_s390.deb Size/MD5 checksum: 1317042 7e1ab24baa1cf7c686d3b78aea6bb386 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch1_sparc.deb Size/MD5 checksum: 1798892 afc22b79114ee90c8ee388e45115c6c6 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch1_sparc.deb Size/MD5 checksum: 3416966 9f1463223729527bd231690d40821e10 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFHDRJ9YrVLjBFATsMRAtBgAJ9KN8v5gupjCqdsrKRNhg9fxIcP9gCfQ+O3 YjNEPdqHPfLFPe4UFq/+Y8s= =Wnfa -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/