Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2006.0724 -- [Debian] New openssl packages fix arbitrary code execution 3 October 2006 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: openssl Publisher: Debian Operating System: Debian GNU/Linux 3.1 Impact: Denial of Service Access: Remote/Unauthenticated CVE Names: CVE-2006-2940 Ref: ESB-2006.0712 Original Bulletin: http://www.debian.org/security/2006/dsa-1185 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - -------------------------------------------------------------------------- Debian Security Advisory DSA 1185-2 security@debian.org http://www.debian.org/security/ Noah Meyerhans October 2nd, 2006 http://www.debian.org/security/faq - - -------------------------------------------------------------------------- Package : openssl Vulnerability : denial of service Problem-Type : remote Debian-specific: no CVE ID : CVE-2006-2940 The fix used to correct CVE-2006-2940 introduced code that could lead to the use of uninitialized memory. Such use is likely to cause the application using the openssl library to crash, and has the potential to allow an attacker to cause the execution of arbitrary code. For the stable distribution (sarge) these problems have been fixed in version 0.9.7e-3sarge4. For the unstable and testing distributions (sid and etch, respectively), these problems will be fixed in version 0.9.7k-3 of the openssl097 compatibility libraries, and version 0.9.8c-3 of the openssl package. We recommend that you upgrade your openssl package. Note that services linking against the openssl shared libraries will need to be restarted. Common examples of such services include most Mail Transport Agents, SSH servers, and web servers. Upgrade Instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.dsc Size/MD5 checksum: 639 179f34093d860afff66964b5f1c99ee3 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4.diff.gz Size/MD5 checksum: 29707 0b4d462730327aba5a751bd4bec71c10 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474 Alpha architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_alpha.deb Size/MD5 checksum: 3341886 f0d0ef51fac89227b0d0705116439f5c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_alpha.deb Size/MD5 checksum: 2448092 8065c52c7649f36221f8a48adfb4cb29 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_alpha.deb Size/MD5 checksum: 930234 5953c4c4a45352d41c3c414eda63ff00 AMD64 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_amd64.deb Size/MD5 checksum: 2693980 cbd25bbed17ec73561337bfc3d8ed2ed http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_amd64.deb Size/MD5 checksum: 769904 2671cdf2f48013617ea509daac2bb4dc http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_amd64.deb Size/MD5 checksum: 903782 e370684d7c84d1eebcb69cdda35c6c6c ARM architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_arm.deb Size/MD5 checksum: 2556330 75c1a253ddad0b7ad87053552770e5c4 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_arm.deb Size/MD5 checksum: 690202 ccd435ca2c183940152f3bd70d84ee0b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_arm.deb Size/MD5 checksum: 894144 2e5caaa90184d9ee9e607d18728e6f93 HP Precision architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_hppa.deb Size/MD5 checksum: 2695990 58fe1a247ef47faa559eef610b437db6 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_hppa.deb Size/MD5 checksum: 791382 f0c64d06307af937218944d6d8db6e2f http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_hppa.deb Size/MD5 checksum: 914576 631c681a3c4ce355962a7c684767a155 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_i386.deb Size/MD5 checksum: 2554956 c4c9aa14e74dbd6dac2cadd7cf48b522 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_i386.deb Size/MD5 checksum: 2265180 9047b6c6036c048ad75fa397f220ae39 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_i386.deb Size/MD5 checksum: 906268 070d1d1680f90da5509121c44de7a254 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_ia64.deb Size/MD5 checksum: 3396206 3a3d88238a48d33b39e7575a97c6cfdf http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_ia64.deb Size/MD5 checksum: 1038432 e2e4e1d388c5d45c8d30e16d661ad24c http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_ia64.deb Size/MD5 checksum: 975152 1783b49f3b7a12bd18dff0fcc37f5d68 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_m68k.deb Size/MD5 checksum: 2317348 b4930b1cf5e642bf509d44dd83de193f http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_m68k.deb Size/MD5 checksum: 661716 d5fb4eb5947c8765e268696e94a46a8b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_m68k.deb Size/MD5 checksum: 889932 e1ecef3780edd38743246dfda1424e8c Big endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mips.deb Size/MD5 checksum: 2779464 591dbe4f6d73d56c9e9ff72f2d0a5385 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mips.deb Size/MD5 checksum: 706682 0b3de7eef13969d065ed057fda34afc2 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mips.deb Size/MD5 checksum: 896834 e2b8f38056a06f63c3ce6c10d9d95dba Little endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_mipsel.deb Size/MD5 checksum: 2767364 883d0167f6642e90e8a183b4f87a78ba http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_mipsel.deb Size/MD5 checksum: 694532 f4961231ef2c2b8ff46f173338a7fa36 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_mipsel.deb Size/MD5 checksum: 895922 2ad35f3927ba71d8054fe8cd4316f5b0 PowerPC architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_powerpc.deb Size/MD5 checksum: 2775608 0dca0ec9cf2d230ce68394849be748b1 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_powerpc.deb Size/MD5 checksum: 779456 6736cdc1dfe5f19013f4dee0a2b3b1cf http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_powerpc.deb Size/MD5 checksum: 908418 8759696eff63836597e4247c06ba7b22 IBM S/390 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_s390.deb Size/MD5 checksum: 2717788 12fb63ace68a2698c19c725530ab18d9 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_s390.deb Size/MD5 checksum: 814012 adcee88124369de1daeae0545e0517a0 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_s390.deb Size/MD5 checksum: 918524 b93704f4ce84489d4ee163098a783962 Sun Sparc architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge4_sparc.deb Size/MD5 checksum: 2630606 a20a47b2f291810a09fd04a4c130ddb0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge4_sparc.deb Size/MD5 checksum: 1886152 8521da994bf2a6df3bdc457fb3e0683b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge4_sparc.deb Size/MD5 checksum: 924556 ff8cee5f5a9653a9dd917b4ec51166ee These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFIWjaXm3vHE4uyloRAlCnAKDJS/TqmvEdkWKPzE3d5MmsC+VAXgCg3Kw+ 43qPyLtg10UxpWWh0fHpOnA= =Xbwi - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBRSHFXSh9+71yA2DNAQKiNwP7BTu+8hx5ehvBfuwb8GHy4aMSejIPcw7z 1lMt1jnwb8JP7UR4bweVuvmw6PibOCdhoJ4NO0V+KlepEmj1auDxOlepBnqSl/Mb VmgoS3r6GTwH8Uz1YdbsyA4t8KpIUKguA2BexobVbSGtxxsMZjsGE5wkNf5Du8Sf OY28JMqMBfc= =67oj -----END PGP SIGNATURE-----