===================================================================== CERT-Renater Note d'Information No. 2005/VULN358 _____________________________________________________________________ DATE : 08/06/2005 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running openssl. ====================================================================== _______________________________________________________________________ Mandriva Linux Security Update Advisory _______________________________________________________________________ Package name: openssl Advisory ID: MDKSA-2005:096 Date: June 6th, 2005 Affected versions: 10.0, 10.1, 10.2, Corporate 3.0, Corporate Server 2.1 ______________________________________________________________________ Problem Description: Colin Percival reported a cache timing attack that could be used to allow a malicious local user to gain portions of cryptographic keys (CAN-2005-0109). The OpenSSL library has been patched to add a new fixed-window mod_exp implementation as default for RSA, DSA, and DH private key operations. The patch was designed to mitigate cache timing and possibly related attacks. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: cee49155c0a92bb8135a319fd7932c91 10.0/RPMS/libopenssl0.9.7-0.9.7c-3.2.100mdk.i586.rpm 2c80ea6436e6a6c6466a917f52d2390c 10.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.2.100mdk.i586.rpm 52d0e353df687a95873de42742662654 10.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.2.100mdk.i586.rpm 292de5de390f0ef4692d31309b9bde11 10.0/RPMS/openssl-0.9.7c-3.2.100mdk.i586.rpm ee45559e7e24574e13c6a67c74f7133d 10.0/SRPMS/openssl-0.9.7c-3.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64: e301b8be00577ccc4e2b1efd7f413179 amd64/10.0/RPMS/lib64openssl0.9.7-0.9.7c-3.2.100mdk.amd64.rpm f8c587ca420c66ca24e951b59834c963 amd64/10.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.2.100mdk.amd64.rpm a06d5783022cd8a9b5c79c680661d174 amd64/10.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.2.100mdk.amd64.rpm 464d4ea1d39a0679108adb8ac165cdce amd64/10.0/RPMS/openssl-0.9.7c-3.2.100mdk.amd64.rpm ee45559e7e24574e13c6a67c74f7133d amd64/10.0/SRPMS/openssl-0.9.7c-3.2.100mdk.src.rpm Mandrakelinux 10.1: de2ad60c1e4f2a65530e306de708dcbd 10.1/RPMS/libopenssl0.9.7-0.9.7d-1.2.101mdk.i586.rpm f061104d9da8c4321a724b3497eadf44 10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.2.101mdk.i586.rpm 5733754aba4dfe0d216a9d2c3a586fc3 10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.2.101mdk.i586.rpm d85002e7e972e92649143f32843921c2 10.1/RPMS/openssl-0.9.7d-1.2.101mdk.i586.rpm ae8b9201966a40154c936e86c66ed6ee 10.1/SRPMS/openssl-0.9.7d-1.2.101mdk.src.rpm Mandrakelinux 10.1/X86_64: 9cb7b4a822ee946c9bfbfd58eab266db x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.2.101mdk.x86_64.rpm 8d3cee9ae100bdc96680d1f2981c605c x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.2.101mdk.x86_64.rpm d5567a5ed0e73448718be767d15c909f x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.2.101mdk.x86_64.rpm 7fd69749f62ac883da9d5c25a6a9d20b x86_64/10.1/RPMS/openssl-0.9.7d-1.2.101mdk.x86_64.rpm ae8b9201966a40154c936e86c66ed6ee x86_64/10.1/SRPMS/openssl-0.9.7d-1.2.101mdk.src.rpm Mandrakelinux 10.2: b1eeb36b807c8f4aa28d206045d43a9f 10.2/RPMS/libopenssl0.9.7-0.9.7e-5.1.102mdk.i586.rpm ac3d69c0b6f943ad93bb234d6af9c744 10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.1.102mdk.i586.rpm 56ca2ecdb9bde08be0b04224f53269eb 10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.1.102mdk.i586.rpm 2aa7bb69baacd4e552ffcd1a262e4ba4 10.2/RPMS/openssl-0.9.7e-5.1.102mdk.i586.rpm 182440988393b2c33dd7d350b4f8ec60 10.2/SRPMS/openssl-0.9.7e-5.1.102mdk.src.rpm Mandrakelinux 10.2/X86_64: 5ca7610752c8170145c94aeeddedbc1e x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.1.102mdk.x86_64.rpm 9a1b5b77a6dddbc10355d88de59206eb x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.1.102mdk.x86_64.rpm d33fef3346899531526124ccf00f0c5f x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.1.102mdk.x86_64.rpm 7ab4a343b30ab609360ff7ce0b89a350 x86_64/10.2/RPMS/openssl-0.9.7e-5.1.102mdk.x86_64.rpm 182440988393b2c33dd7d350b4f8ec60 x86_64/10.2/SRPMS/openssl-0.9.7e-5.1.102mdk.src.rpm Corporate Server 2.1: 6501a7b2d19013ca711281fb353dea0b corporate/2.1/RPMS/libopenssl0-0.9.6i-1.9.C21mdk.i586.rpm d559b800134dd67dbb7f012fc48a807b corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.9.C21mdk.i586.rpm b6125ddcc2ba183ce6c1da6a3d1a636f corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.9.C21mdk.i586.rpm c2fb9fbd3ccbc10615d291fbfff2c24a corporate/2.1/RPMS/openssl-0.9.6i-1.9.C21mdk.i586.rpm eeb2c5885af72a4bbe7bb67defa1dc3d corporate/2.1/SRPMS/openssl-0.9.6i-1.9.C21mdk.src.rpm Corporate Server 2.1/X86_64: 16deadec23cf0f734428c54cd30d77c1 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.9.C21mdk.x86_64.rpm 8ebda70886c54271c9717310e58f7cf0 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.9.C21mdk.x86_64.rpm 3e71a68e38fc41d553ac0ccd113b2062 x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.9.C21mdk.x86_64.rpm 34e577f8a74f1ccb5256da88871f175b x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.9.C21mdk.x86_64.rpm eeb2c5885af72a4bbe7bb67defa1dc3d x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.9.C21mdk.src.rpm Corporate 3.0: dad75a0c76174530ef85eaa43b1027d0 corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.2.C30mdk.i586.rpm b3d0b4c5e81bd5c8be7205be1aa3d6a8 corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.2.C30mdk.i586.rpm 28ce0bb5d23162464e072676ff114ed2 corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.2.C30mdk.i586.rpm 4ee3247a813b1ddc5846d8e8cd3d683b corporate/3.0/RPMS/openssl-0.9.7c-3.2.C30mdk.i586.rpm 17755643bd9ab4d1e77c9299b4f98c6a corporate/3.0/SRPMS/openssl-0.9.7c-3.2.C30mdk.src.rpm Corporate 3.0/X86_64: 1584bf57d460c30fdf46f9418066bcb7 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.2.C30mdk.x86_64.rpm cbc8670bab2a5bfb0cb4ec7c5156b1b2 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.2.C30mdk.x86_64.rpm 9e31e783e4e0f97cb4c2b746844acba7 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.2.C30mdk.x86_64.rpm a3fe1a197f4e88179cc07b58ff4602fa x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.2.C30mdk.x86_64.rpm 17755643bd9ab4d1e77c9299b4f98c6a x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.2.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================