Fedora Legacy Test Update Notification: openssl

Marc Deslauriers marcdeslauriers at videotron.ca
Fri Nov 25 01:09:46 UTC 2005


These were updated to correct an additional vulnerability.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-166939
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939
2005-11-24
---------------------------------------------------------------------

Name        : openssl
Versions    : rh73: openssl-0.9.6b-39.10.legacy
Versions    : rh9: openssl-0.9.7a-20.6.legacy
Versions    : fc1: openssl-0.9.7a-33.13.legacy
Versions    : fc2: openssl-0.9.7a-35.2.legacy
Summary     : The OpenSSL toolkit.
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

---------------------------------------------------------------------
Update Information:

Updated OpenSSL packages that fix a security issue are now available.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-
strength general purpose cryptography library.

OpenSSL contained a software work-around for a bug in SSL handling in
Microsoft Internet Explorer version 3.0.2. This work-around is enabled
in most servers that use OpenSSL to provide support for SSL and TLS.
Yutaka Oiwa discovered that this work-around could allow an attacker,
acting as a "man in the middle" to force an SSL connection to use SSL
2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2969 to this issue.

A bug was fixed in the way OpenSSL creates DSA signatures. A previous
advisory addressed a cache timing attack by making OpenSSL perform its
private key calculations within a fixed time window. The DSA part of that
fix was incomplete, and the calculations were not always performed within
a fixed window. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0109 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the do_change_cipher_spec()
function. A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way
as to cause OpenSSL to crash. Depending on the server this could lead to
a denial of service. (CVE-2004-0079)

Users are advised to update to these erratum packages which contain
patches to correct these issues.

Note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system.
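As an added check (not part of this notification), the following Python snippet compares the openssl version reported by rpm on a host against the fixed versions listed above, using rpm's own version-ordering rules so that a release such as 39.10 correctly sorts after 39.9. It assumes the output format of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl` and that the packages carry no Epoch; the sample rpm output is constructed.

```python
import re

# Fixed openssl versions from this notification, keyed by release.
FIXED = {"rh73": "openssl-0.9.6b-39.10.legacy", "rh9": "openssl-0.9.7a-20.6.legacy",
         "fc1": "openssl-0.9.7a-33.13.legacy", "fc2": "openssl-0.9.7a-35.2.legacy"}
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """rpm's version/release ordering: compare numeric segments numerically and
    alphabetic ones lexically, a numeric segment beats an alphabetic one, and if
    all shared segments match the string with more segments is newer.
    (Tilde/caret rules of newer rpm are left out; assumption, not needed here.)"""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)                 # 10 > 9, not "10" < "9"
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(nvr):
    """Split 'name-version-release' (name may contain '-'; no Epoch assumed)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_fixed(installed, fixed):
    """True when the installed NVR is at or above the advisory's fixed NVR."""
    iname, iver, irel = parse_nvr(installed)
    fname, fver, frel = parse_nvr(fixed)
    if iname != fname:
        raise ValueError("package name mismatch: %s vs %s" % (iname, fname))
    return (rpmvercmp(iver, fver) or rpmvercmp(irel, frel)) >= 0

def check_host(distro, rpm_q_output):
    """Map each openssl NVR line of
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' openssl
    to whether that package already carries this update."""
    return {nvr: is_fixed(nvr, FIXED[distro])
            for nvr in rpm_q_output.split() if parse_nvr(nvr)[0] == "openssl"}

# Constructed sample rpm output: a Red Hat 9 host still on the previous build.
SAMPLE_RH9 = "openssl-0.9.7a-20.5.legacy\n"

if __name__ == "__main__":
    for nvr, ok in check_host("rh9", SAMPLE_RH9).items():
        print(nvr, "up to date" if ok else "needs " + FIXED["rh9"])
```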

---------------------------------------------------------------------
Changelogs

rh73:
* Tue Nov 15 2005 David Eisenstein <deisenst at gtw.net> 0.9.6b-39.10.legacy
- Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
- remove deprecated der_chop, as upstream cvs has done (CAN-2004-0975,
  RHEL2.1's 0.9.6b-37). Replaces patch34 (openssl-0.9.7c-tempfile.patch)
  with a new patch34 (openssl-0.9.7a-no-der_chop.patch).
- replaced add-luna patch with new one with right license, per Tomas Mraz
  in RHEL 2.1's 0.9.6b-39 (#158061).

* Sat Oct 22 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.6b-39.9.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.6b-39.8.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

rh9:
* Sat Oct 22 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-20.6.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-20.5.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc1:
* Sat Oct 22 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-33.13.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-33.12.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc2:
* Sat Oct 22 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-35.2.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Sun Aug 28 2005 Jeff Sheltren <sheltren at cs.ucsb.edu> 0.9.7a-35.1.legacy
- Patches for CAN-2004-0975 and CAN-2005-0109 (#166939)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


---------------------------------------------------------------------

Please test and comment in bugzilla.