Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200912-01 ] OpenSSL: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1703

PostPosted: Wed Dec 02, 2009 12:26 am    Post subject: [ GLSA 200912-01 ] OpenSSL: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: OpenSSL: Multiple vulnerabilities (GLSA 200912-01)
Severity: normal
Exploitable: remote
Date: December 01, 2009
Updated: December 02, 2009
Bug(s): #270305, #280591, #292022
ID: 200912-01

Synopsis


Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct
multiple attacks, including the injection of arbitrary data into encrypted
byte streams.


Background


OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.


Affected Packages

Package: dev-libs/openssl
Vulnerable: < 0.9.8l-r2
Unaffected: >= 0.9.8l-r2
Architectures: All supported architectures


Description


Multiple vulnerabilities have been reported in OpenSSL:
  • Marsh Ray of PhoneFactor and Martin Rex of SAP independently
    reported that the TLS protocol does not properly handle session
    renegotiation requests (CVE-2009-3555).
  • The MD2 hash algorithm is no longer considered to be
    cryptographically strong, as demonstrated by Dan Kaminsky. Certificates
    using this algorithm are no longer accepted (CVE-2009-2409).
  • Daniel Mentz and Robin Seggelmann reported the following
    vulnerabilities related to DTLS: A use-after-free flaw (CVE-2009-1379)
    and a NULL pointer dereference (CVE-2009-1387) in the
    dtls1_retrieve_buffered_fragment() function in src/d1_both.c, multiple
    memory leaks in the dtls1_process_out_of_seq_message() function in
    src/d1_both.c (CVE-2009-1378), and a processing error related to a
    large amount of DTLS records with a future epoch in the
    dtls1_buffer_record() function in ssl/d1_pkt.c
    (CVE-2009-1377).


Impact


A remote unauthenticated attacker, acting as a Man in the Middle, could
inject arbitrary plain text into a TLS session, possibly leading to the
ability to send requests as if authenticated as the victim. A remote
attacker could furthermore send specially crafted DTLS packages to a
service using OpenSSL for DTLS support, possibly resulting in a Denial
of Service. Also, a remote attacker might be able to create rogue
certificates, facilitated by a MD2 collision. NOTE: The amount of
computation needed for this attack is still very large.


Workaround


There is no known workaround at this time.


Resolution


All OpenSSL users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8l-r2"


References

CVE-2009-1377
CVE-2009-1378
CVE-2009-1379
CVE-2009-1387
CVE-2009-2409
CVE-2009-3555


Last edited by GLSA on Thu Dec 03, 2009 4:29 am; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum