Mandriva Linux Security Advisory 2010-168 - Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service and possibly execute some sources refer to this as a use-after-free issue. The updated packages have been patched to correct this issue.
f0c6c2f4720853cfe16f3b61747fe479-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:168
http://www.mandriva.com/security/
_______________________________________________________________________
Package : openssl
Date : September 1, 2010
Affected: 2010.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in openssl:
Double free vulnerability in the ssl3_get_key_exchange function in
the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7,
and possibly other versions, when using ECDH, allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted private key with an invalid prime. NOTE:
some sources refer to this as a use-after-free issue (CVE-2010-2939).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2939
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
36eb6715b26fc1ef1a284bdf90211882 2010.1/i586/libopenssl1.0.0-1.0.0a-1.1mdv2010.1.i586.rpm
4322d958620b87ebbf8f947b3bc749c1 2010.1/i586/libopenssl1.0.0-devel-1.0.0a-1.1mdv2010.1.i586.rpm
e5b658592f1f94e03eead2c8534ac3e7 2010.1/i586/libopenssl1.0.0-static-devel-1.0.0a-1.1mdv2010.1.i586.rpm
24286badaaca314447536442afae3d05 2010.1/i586/openssl-1.0.0a-1.1mdv2010.1.i586.rpm
11fc053a02685ab2e19fb8b8489f6e87 2010.1/i586/openssl-engines-1.0.0a-1.1mdv2010.1.i586.rpm
8c0cd1eb876611815d64e706c64a332d 2010.1/SRPMS/openssl-1.0.0a-1.1mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
b66215a9d6faeaa2ca60facb5c77b8cc 2010.1/x86_64/lib64openssl1.0.0-1.0.0a-1.1mdv2010.1.x86_64.rpm
fc3b2a6160eda7cdb55b28d4262ad82e 2010.1/x86_64/lib64openssl1.0.0-devel-1.0.0a-1.1mdv2010.1.x86_64.rpm
c36f145bcf88e39cb4a94cc8deec761e 2010.1/x86_64/lib64openssl1.0.0-static-devel-1.0.0a-1.1mdv2010.1.x86_64.rpm
6fa62d5b023205f4d7d5ae3b8744c346 2010.1/x86_64/openssl-1.0.0a-1.1mdv2010.1.x86_64.rpm
899e2b1cc0b8e8dc5cab2ae96c5f29f2 2010.1/x86_64/openssl-engines-1.0.0a-1.1mdv2010.1.x86_64.rpm
8c0cd1eb876611815d64e706c64a332d 2010.1/SRPMS/openssl-1.0.0a-1.1mdv2010.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMflSemqjQ0CJFipgRAgGiAKC5wxDgOnCHOZozhJtEKNomOIS9MQCbBP+n
97XVDZwWZmDjms2vzVvaeUI=
=69w7
-----END PGP SIGNATURE-----
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!