ID

VAR-200901-0714

CVE

CVE-2008-5077

TITLE

F5 FirePass OpenSSL has an unknown vulnerability

DESCRIPTION

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. F5's FirePass server is a powerful network device that can provide users with secure access to the company's network through any standard web browser. F5 FirePass products have unidentified security vulnerabilities, allowing malicious users to conduct fraud and forgery attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-09:02.openssl Security Advisory The FreeBSD Project Topic: OpenSSL incorrectly checks for malformed signatures Category: contrib Module: openssl Announced: 2009-01-07 Credits: Google Security Team Affects: All FreeBSD releases Corrected: 2009-01-07 21:03:41 UTC (RELENG_7, 7.1-STABLE) 2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1) 2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8) 2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE) 2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2) 2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8) CVE Name: CVE-2008-5077 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. This is only a problem for DSA and ECDSA keys. III. Impact For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack. Other applications which use the OpenSSL EVP API may similarly be affected. IV. Workaround For a server an RSA signed certificate may be used instead of DSA or ECDSA based certificate. Note that Mozilla Firefox does not use OpenSSL and thus is not affected. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.0, and 7.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 7.x] # fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc [FreeBSD 6.x] # fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch # fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/secure/lib/libssl # make obj && make depend && make && make install # cd /usr/src/secure/usr.bin/openssl # make obj && make depend && make && make install NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html> VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/crypto/openssl/apps/speed.c 1.13.2.1 src/crypto/openssl/apps/verify.c 1.1.1.5.12.1 src/crypto/openssl/apps/x509.c 1.1.1.10.2.1 src/crypto/openssl/apps/spkac.c 1.1.1.4.12.1 src/crypto/openssl/ssl/s2_srvr.c 1.12.2.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.2 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.2 RELENG_6_4 src/UPDATING 1.416.2.40.2.5 src/sys/conf/newvers.sh 1.69.2.18.2.8 src/crypto/openssl/apps/speed.c 1.13.12.1 src/crypto/openssl/apps/verify.c 1.1.1.5.24.1 src/crypto/openssl/apps/x509.c 1.1.1.10.12.1 src/crypto/openssl/apps/spkac.c 1.1.1.4.24.1 src/crypto/openssl/ssl/s2_srvr.c 1.12.12.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.12.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.6.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.6.1 RELENG_6_3 src/UPDATING 1.416.2.37.2.13 src/sys/conf/newvers.sh 1.69.2.15.2.12 src/crypto/openssl/apps/speed.c 1.13.10.1 src/crypto/openssl/apps/verify.c 1.1.1.5.22.1 src/crypto/openssl/apps/x509.c 1.1.1.10.10.1 src/crypto/openssl/apps/spkac.c 1.1.1.4.22.1 src/crypto/openssl/ssl/s2_srvr.c 1.12.10.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.10.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.4.1 src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.4.1 RELENG_7 src/crypto/openssl/apps/speed.c 1.15.2.1 src/crypto/openssl/apps/verify.c 1.1.1.6.2.1 src/crypto/openssl/apps/x509.c 1.1.1.11.2.1 src/crypto/openssl/apps/spkac.c 1.1.1.5.2.1 src/crypto/openssl/ssl/s2_srvr.c 1.13.2.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.2.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.1 src/crypto/openssl/ssl/ssltest.c 1.1.1.10.2.1 src/crypto/openssl/ssl/s2_clnt.c 1.15.2.1 RELENG_7_1 src/UPDATING 1.507.2.13.2.4 src/sys/conf/newvers.sh 1.72.2.9.2.5 src/crypto/openssl/apps/speed.c 1.15.6.1 src/crypto/openssl/apps/verify.c 1.1.1.6.6.1 src/crypto/openssl/apps/x509.c 1.1.1.11.6.1 src/crypto/openssl/apps/spkac.c 1.1.1.5.6.1 src/crypto/openssl/ssl/s2_srvr.c 1.13.6.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.6.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.6.1 src/crypto/openssl/ssl/ssltest.c 1.1.1.10.6.1 src/crypto/openssl/ssl/s2_clnt.c 1.15.6.1 RELENG_7_0 src/UPDATING 1.507.2.3.2.12 src/sys/conf/newvers.sh 1.72.2.5.2.12 src/crypto/openssl/apps/speed.c 1.15.4.1 src/crypto/openssl/apps/verify.c 1.1.1.6.4.1 src/crypto/openssl/apps/x509.c 1.1.1.11.4.1 src/crypto/openssl/apps/spkac.c 1.1.1.5.4.1 src/crypto/openssl/ssl/s2_srvr.c 1.13.4.1 src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.4.1 src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.4.1 src/crypto/openssl/ssl/ssltest.c 1.1.1.10.4.1 src/crypto/openssl/ssl/s2_clnt.c 1.15.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/6/ r186873 releng/6.4/ r186872 releng/6.3/ r186872 stable/7/ r186872 releng/7.1/ r186872 releng/7.0/ r186872 - ------------------------------------------------------------------------- VII. HP System Management Homepage (SMH) before v3.0.1.73 running on Linux and Windows 2003, 2008. This vulnerability is tracked as CVE-2008-5077. Who is affected? ================= Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key. Verification of client certificates by OpenSSL servers for any key type is NOT affected. Recommendations for users of OpenSSL ===================================== Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue. The patch used is also appended to this advisory for users or distributions who wish to backport this patch to versions they build from source. Recommendations for projects using OpenSSL =========================================== Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled. As documented, this function returns 1 for a successful verification, 0 for failure, and -1 for an error. General recommendations ======================== Any server that has clients using OpenSSL verifying DSA or ECDSA certificates, regardless of the software used by the server, should either ensure that all clients are upgraded or stop using DSA/ECDSA certificates. Note that unless certificates are revoked (and clients check for revocation) impersonation will still be possible until the certificate expires. References =========== URL for this Security Advisory: http://www.openssl.org/news/secadv_20090107.txt diff -ur openssl-0.9.8i-ORIG/apps/speed.c openssl-0.9.8i/apps/speed.c --- openssl-0.9.8i/apps/speed.c 2007-11-15 13:33:47.000000000 +0000 +++ openssl-0.9.8i/apps/speed-new.c 2008-12-04 00:00:00.000000000 +0000 @@ -2132,7 +2132,7 @@ { ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]); - if (ret == 0) + if (ret <= 0) { BIO_printf(bio_err, "RSA verify failure\n"); diff -ur openssl-0.9.8i-ORIG/apps/spkac.c openssl-0.9.8i/apps/spkac.c --- openssl-0.9.8i-ORIG/apps/spkac.c 2005-04-05 19:11:18.000000000 +0000 +++ openssl-0.9.8i/apps/spkac.c 2008-12-04 00:00:00.000000000 +0000 @@ -285,7 +285,7 @@ pkey = NETSCAPE_SPKI_get_pubkey(spki); if(verify) { i = NETSCAPE_SPKI_verify(spki, pkey); - if(i) BIO_printf(bio_err, "Signature OK\n"); + if (i > 0) BIO_printf(bio_err, "Signature OK\n"); else { BIO_printf(bio_err, "Signature Failure\n"); ERR_print_errors(bio_err); diff -ur openssl-0.9.8i-ORIG/apps/verify.c openssl-0.9.8i/apps/verify.c --- openssl-0.9.8i-ORIG/apps/verify.c 2004-11-29 11:28:07.000000000 +0000 +++ openssl-0.9.8i/apps/verify.c 2008-12-04 00:00:00.600000000 +0000 @@ -266,7 +266,7 @@ ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -367,4 +367,3 @@ ERR_clear_error(); return(ok); } - diff -ur openssl-0.9.8i-ORIG/apps/x509.c openssl-0.9.8i/apps/x509.c --- openssl-0.9.8i-ORIG/apps/x509.c 2007-10-12 00:00:10.000000000 +0000 +++ openssl-0.9.8i/apps/x509.c 2008-12-04 00:00:00.400000000 +0000 @@ -1151,7 +1151,7 @@ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); - if (!reqfile && !X509_verify_cert(&xsc)) + if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca,pkey)) diff -ur openssl-0.9.8i-ORIG/crypto/cms/cms_sd.c openssl-0.9.8i/crypto/cms/cms_sd.c --- openssl-0.9.8i-ORIG/crypto/cms/cms_sd.c 2008-04-06 16:30:38.000000000 +0000 +++ openssl-0.9.8i/crypto/cms/cms_sd.c 2008-12-04 00:00:00.400000000 +0000 @@ -830,7 +830,7 @@ cms_fixup_mctx(&mctx, si->pkey); r = EVP_VerifyFinal(&mctx, si->signature->data, si->signature->length, si->pkey); - if (!r) + if (r <= 0) CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); err: EVP_MD_CTX_cleanup(&mctx); diff -ur openssl-0.9.8i-ORIG/ssl/s2_clnt.c openssl-0.9.8i/ssl/s2_clnt.c --- openssl-0.9.8i-ORIG/ssl/s2_clnt.c 2007-09-06 12:43:53.000000000 +0000 +++ openssl-0.9.8i/ssl/s2_clnt.c 2008-12-04 00:00:00.100000000 +0000 @@ -1044,7 +1044,7 @@ i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; diff -ur openssl-0.9.8i-ORIG/ssl/s2_srvr.c openssl-0.9.8i/ssl/s2_srvr.c --- openssl-0.9.8i-ORIG/ssl/s2_srvr.c 2007-09-06 12:43:53.000000000 +0000 +++ openssl-0.9.8i/ssl/s2_srvr.c 2008-12-04 00:00:00.900000000 +0000 @@ -1054,7 +1054,7 @@ i=ssl_verify_cert_chain(s,sk); - if (i) /* we like the packet, now check the chksum */ + if (i > 0) /* we like the packet, now check the chksum */ { EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; @@ -1083,7 +1083,7 @@ EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); - if (i) + if (i > 0) { if (s->session->peer != NULL) X509_free(s->session->peer); diff -ur openssl-0.9.8i-ORIG/ssl/s3_clnt.c openssl-0.9.8i/ssl/s3_clnt.c --- openssl-0.9.8i-ORIG/ssl/s3_clnt.c 2008-06-16 16:56:41.000000000 +0000 +++ openssl-0.9.8i/ssl/s3_clnt.c 2008-12-04 00:00:00.100000000 +0000 @@ -972,7 +972,7 @@ } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) @@ -1459,7 +1459,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; @@ -1477,7 +1477,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; diff -ur openssl-0.9.8i-ORIG/ssl/s3_srvr.c openssl-0.9.8i/ssl/s3_srvr.c --- openssl-0.9.8i-ORIG/ssl/s3_srvr.c 2008-09-14 18:16:09.000000000 +0000 +++ openssl-0.9.8i/ssl/s3_srvr.c 2008-12-04 00:00:00.100000000 +0000 @@ -2560,7 +2560,7 @@ else { i=ssl_verify_cert_chain(s,sk); - if (!i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); diff -ur openssl-0.9.8i-ORIG/ssl/ssltest.c openssl-0.9.8i/ssl/ssltest.c --- openssl-0.9.8i-ORIG/ssl/ssltest.c 2008-06-16 16:56:42.000000000 +0000 +++ openssl-0.9.8i/ssl/ssltest.c 2008-12-04 00:00:00.900000000 +0000 @@ -2093,7 +2093,7 @@ if (cb_arg->proxy_auth) { - if (ok) + if (ok > 0) { const char *cond_end = NULL; . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2009-0004 Synopsis: ESX Service Console updates for openssl, bind, and vim Issue date: 2009-03-31 Updated on: 2009-03-31 (initial release of advisory) CVE numbers: CVE-2008-5077 CVE-2009-0025 CVE-2008-4101 CVE-2008-3432 CVE-2008-2712 CVE-2007-2953 - ------------------------------------------------------------------------ 1. Summary ESX patches for OpenSSL, vim and bind resolve several security issues. 2. Relevant releases VMware ESX 3.0.3 without patches ESX303-200903406-SG, ESX303-200903405-SG, ESX303-200903403-SG VMware ESX 3.0.2 without patches ESX-1008409, ESX-1008408, ESX-1008406 Extended support for ESX 3.0.2 Update 1 ends on 2009-08-08. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available. 3. Problem Description a. Updated OpenSSL package for the Service Console fixes a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-5077 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX ESX303-200903406-SG ESX 3.0.2 ESX ESX-1008409 ESX 2.5.5 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion. b. Update bind package for the Service Console fixes a security issue. A flaw was discovered in the way Berkeley Internet Name Domain (BIND) checked the return value of the OpenSSL DSA_do_verify function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX ESX303-200903405-SG ESX 3.0.2 ESX ESX-1008408 ESX 2.5.5 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion. c. Updated vim package for the Service Console addresses several security issues. Several input flaws were found in Visual editor IMproved's (Vim) keyword and tag handling. If Vim looked up a document's maliciously crafted tag or keyword, it was possible to execute arbitrary code as the user running Vim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4101 to this issue. A heap-based overflow flaw was discovered in Vim's expansion of file name patterns with shell wildcards. An attacker could create a specially crafted file or directory name, when opened by Vim causes the application to stop responding or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3432 to this issue. Several input flaws were found in various Vim system functions. If a user opened a specially crafted file, it was possible to execute arbitrary code as the user running Vim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2712 to this issue. A format string flaw was discovered in Vim's help tag processor. If a user was tricked into executing the "helptags" command on malicious data, arbitrary code could be executed with the permissions of the user running VIM. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-2953 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected hosted * any any not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX ESX303-200903403-SG ESX 3.0.2 ESX ESX-1008406 ESX 2.5.5 ESX affected, patch pending * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESX --- ESX 3.0.2 ESX-1008409 (openssl) http://download3.vmware.com/software/vi/ESX-1008409.tgz md5sum: cb25fd47bc0713b968d8778c033bc846 http://kb.vmware.com/kb/1008409 ESX 3.0.2 ESX-1008408 (bind) http://download3.vmware.com/software/vi/ESX-1008408.tgz md5sum: b6bd9193892a9c89b9b7a1e0456d2a9a http://kb.vmware.com/kb/1008408 ESX 3.0.2 ESX-1008406 (vim) http://download3.vmware.com/software/vi/ESX-1008406.tgz md5sum: f069daa58190b39e431cedbd26ce25ef http://kb.vmware.com/kb/1008406 ESX 3.0.3 ESX303-200903406-SG (openssl) http://download3.vmware.com/software/vi/ESX303-200903406-SG.zip md5sum: 45a2d32f9267deb5e743366c38652c92 http://kb.vmware.com/kb/1008416 ESX 3.0.3 ESX303-200903405-SG (bind) http://download3.vmware.com/software/vi/ESX303-200903405-SG.zip md5sum: 34d00fd9cca7f3e08c0857b4cc254710 http://kb.vmware.com/kb/1008415 ESX 3.0.3 ESX303-200903403-SG (vim) http://download3.vmware.com/software/vi/ESX303-200903403-SG.zip md5sum: 9790c9512aef18beaf0d1c7d405bed1a http://kb.vmware.com/kb/1008413 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3432 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953 - ------------------------------------------------------------------------ 6. Change log 2009-03-31 VMSA-2009-0004 Initial security advisory after release of patches for ESX 3.0.2 and 3.0.3 on 2009-03-31. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFJ0tgoS2KysvBH1xkRAiAbAJ4uG0NGavdQLzfxFyXnrxBQLqHl1QCdEf4q LA8+0sLvaS37smj8BQPdm0g= =ZVXY -----END PGP SIGNATURE----- . Release Date: 2009-03-31 Last Updated: 2009-03-30 Potential Security Impact: Remote unauthorized access Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running OpenSSL. The vulnerability could be exploited remotely to allow an unauthorized access. References: CVE-2008-5077 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2008-5077 (AV:R/AC:L/Au:N/C:N/I:P/A:N) 5.0 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following patches to resolve this vulnerability. The patches are available from the following location: URL: http://software.hp.com HP-UX Release HP-UX OpenSSL version B.11.11 (11i v1) A.00.09.07m.046 B.11.23 (11i v2) A.00.09.07m.047 B.11.31 (11i v3) A.00.09.08j.003 MANUAL ACTIONS: Yes - Update PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.046 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.001 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.07m.046 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.047 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.002 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.07m.047 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.048 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.003 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.08j.003 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 31 March 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. At the request of the OpenSSL team, oCERT has aided in the remediation coordination for other projects with similar API misuse vulnerabilities. In addition to EVP_VerifyFinal, the return codes from DSA_verify and DSA_do_verify functions were being incorrectly validated, and packages doing so are affected in a similar fashion as OpenSSL. NTP <= 4.2.4p5 (production), <= 4.2.5p150 (development) Sun GridEngine <= 5.3 Gale <= 0.99 OpenEvidence <= 1.0.6 Belgian eID middleware - eidlib <= 2.6.0 [2] Freedom Network Server <= 2.x The following packages were identified as affected by a vulnerability similar to the OpenSSL one, as they use OpenSSL DSA_verify function and incorrectly check the return code. 2 - Belgian eID middleware latest versions are not available in source form, therefore we cannot confirm if they are affected Fixed version: OpenSSL >= 0.9.8j NTP >= 4.2.4p6 (production), >= 4.2.5p153 (development) Sun GridEngine >= 6.0 Gale N/A OpenEvidence N/A Belgian eID middleware - eidlib N/A Freedom Network Server N/A BIND >= 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1 Lasso >= 2.2.2 ZXID N/A Credit: Google Security Team (for the original OpenSSL issue). CVE: CVE-2008-5077 (OpenSSL), CVE-2009-0021 (NTP), CVE-2009-0025 (BIND) Timeline: 2008-12-16: OpenSSL Security Team requests coordination aid from oCERT 2008-12-16: oCERT investigates packages affected by similar issues 2008-12-16: contacted affected vendors 2008-12-17: investigation expanded to DSA verification 2008-12-17: BIND, Lasso and ZXID added to affected packages 2008-12-18: contacted additional affected vendors 2009-01-05: status updates and patch dissemination to affected vendors 2009-01-05: confirmation from BIND of issue and fix 2009-01-06: requested CVE assignment for BIND 2009-01-07: advisory published References: http://openssl.org/news/secadv_20090107.txt Links: http://openssl.org/ http://www.ntp.org/ http://gridengine.sunsource.net/ http://gale.org/ http://www.openevidence.org/ http://eid.belgium.be/ http://www.google.com/codesearch/p?#1vGzyQX--LU/achilles/remailer/zero-knowledge/freedomserver-2.x.tgz/ https://www.isc.org/products/BIND http://lasso.entrouvert.org/ http://www.zxid.org/ Permalink: http://www.ocert.org/advisories/ocert-2008-016.html -- Will Drewry <redpig@ocert.org> oCERT Team :: http://ocert.org . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200902-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Certificate validation error Date: February 12, 2009 Bugs: #251346 ID: 200902-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== An error in the OpenSSL certificate chain validation might allow for spoofing attacks. Impact ====== A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8j" References ========== [ 1 ] CVE-2008-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200902-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . HP SSL v1.3 for OpenVMS Alpha (v 8.2 or higher) and Integrity (v 8.2-1 or higher). =========================================================== Ubuntu Security Notice USN-704-1 January 07, 2009 openssl vulnerability CVE-2008-5077 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libssl0.9.8 0.9.8a-7ubuntu0.6 openssl 0.9.8a-7ubuntu0.6 Ubuntu 7.10: libssl0.9.8 0.9.8e-5ubuntu3.3 openssl 0.9.8e-5ubuntu3.3 Ubuntu 8.04 LTS: libssl0.9.8 0.9.8g-4ubuntu3.4 openssl 0.9.8g-4ubuntu3.4 Ubuntu 8.10: libssl0.9.8 0.9.8g-10.1ubuntu2.1 openssl 0.9.8g-10.1ubuntu2.1 After a standard system upgrade you need to reboot your computer to effect the necessary changes. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.diff.gz Size/MD5: 50783 396d2184fcb5130f410d08abc6b7330c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.dsc Size/MD5: 822 64ee2faa7018f771f6ebe9d46f3b0a99 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz Size/MD5: 3271435 1d16c727c10185e4d694f87f5e424ee1 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_amd64.udeb Size/MD5: 571736 e7a9c7893a6d858465b9baae1de69de6 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 2167724 ec495fd3402eb1dec0a1ce6594bdb7b3 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 1682634 9e310c2bcd01bfe4c0c5992252741a6a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 875434 cb8096f3befae3931c17ccbb0ccf0496 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 984764 214c03461736f5b2ed744069d833db86 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_i386.udeb Size/MD5: 509508 df64bbeaa01e1e3128ecf319e8bdcd52 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 2024104 130c24c04244403953e63f77b52f4f38 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 5053036 1e9f9310bc70e06f96d93b486d2fc486 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 2595612 57b9b8fa2e9aa7e327ec77ce5ac6d422 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 976318 b1cc97035bec3309bbbe270da1a5a5e8 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_powerpc.udeb Size/MD5: 557892 c4e0970fc419674173fb6b0e299c91c8 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 2181796 46a9ea8bf00476fd33d598ceca33c84f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 1727402 2cc9be011c97e233490445696341aaec http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 861910 0e58b30e47c25a46f112d6481a1c5a35 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 980576 f2855029ed59ed4b7226cb2fe06e3f7e sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_sparc.udeb Size/MD5: 530818 d7d206110c0dbb2c4e7298f6b9303af1 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 2093166 78a7da03db8f01a3b6d7dfba5fb44198 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 3942670 8ee3f109488992bb0d01d06e4088ff30 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 2091522 ea6cf49b21d8ba82ab24af3ee567068b http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 988638 ce46e30741dacb282c4f1b446f84ab23 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.diff.gz Size/MD5: 58877 e62d5901d69b5b871f90e04d9acf521e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.dsc Size/MD5: 958 b1c17ee608e6bc7d07fa4623201f3a7c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e.orig.tar.gz Size/MD5: 3341665 3a7ff24f6ea5cd711984722ad654b927 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_amd64.udeb Size/MD5: 608584 c481816fbc6c299a00b80a3cb4af246f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 2065274 c4a1d6af5d0f1190052e6a3c758e9abb http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 1644192 aa30118c7c95dcfe5556ec12d7add5d6 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 929024 6d28c88e967291c00764b22831b8924e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 877802 84c0139ce5dd16fb927ad358e7381548 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_i386.udeb Size/MD5: 571798 c607dc9f23b135daff01e22504c16fab http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 1943350 19f8d4104d2e295ba4a2f439f44e20ee http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 5520624 a21d311ccde9661b3e8f06ba55cbef3e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 2825690 c3c7d55d3795d52b06284f0caa99d3a1 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 872044 aeb4f6b72d07cc2a976a18cf93a367dd lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_lpia.udeb Size/MD5: 537248 b07db5071f9ff8914a2d40d6e20ffb41 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 1922002 e9b23815db3e2e64f46d719b51cce2f4 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 1557272 ae70a0bb736343fe718bf0d35a3b32d9 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 836726 b9b1f8206ba21fb9dde3f980c86d24f8 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 876574 7839e291a551899242a4dc2f5b8d9f35 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_powerpc.udeb Size/MD5: 618004 7a9f02ca9b67ebc512a6f9e38a80dc26 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 2093146 1d5f7c1c9af62423a04efedd7d38a913 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 1705258 342ae884bd21bcddec45c9b8eabac551 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 945950 9675de35a318feb0078a96896595967c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 886178 9c581cd1ca63f80bb8a9d5832942a153 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_sparc.udeb Size/MD5: 565190 2c2a71fcb2e872cabaeb7d4ae7a20259 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 1987290 2eced2b5c5554f981a61ad6d6afb189a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 4050004 9ab3d6baf7aaaa6c0268f4be69f0a1a9 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 2221122 d210d67192ddfde087aecc66791d2932 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 887274 52fd404eb494c0e0b371c7428552196a Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.diff.gz Size/MD5: 54265 48ab0fa9c3683e86643241b94cbbd39a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.dsc Size/MD5: 920 896ab79ea689efeb2de3e02dc0fc6c3d http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5: 3354792 acf70a16359bf3658bdfb74bda1c4419 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.4_all.deb Size/MD5: 628902 af428e77b048f9b563dbf3b6e03c7b77 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_amd64.udeb Size/MD5: 603882 7cab435930aed7cc81635af1f9186c72 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 2064750 5655eeabb4f5394c6fa9e066104829fe http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 1604310 437124745340c62fb91eb330dd13e26c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 931554 27a5fcd27928f903c555f1c52038db0c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 390620 788d2703d3e67348a628054beb912ed3 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_i386.udeb Size/MD5: 564676 019f31865013411c760e4ab851e89e17 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 1941970 eb1e998c368a67901f8dc24e7f7c8a6f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 5341460 652d0ec4bf5f9eac14670c2f439beda4 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 2828564 a2ce3d2beb2c38d33dd94f04f2191883 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 385434 836f3086e428903ccb04c28494ea0041 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_lpia.udeb Size/MD5: 535450 be4c24bff72025ce0c6c6394fba68fd5 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 1922618 a65ff52eb395b40c14f7fc18ea41ad7d http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 1512528 458077dda55faeaf239ee3a47299c609 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 843082 fc0918a82913ea636d087278f3e96fa7 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 390018 8faf10bc8b6d4fa531def5446e66dee1 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_powerpc.udeb Size/MD5: 610282 dc8839e3ff9862b80b862285ef984e9f http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 2077956 2bac2aea99e1e0096220f94036883f5e http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 1639618 4a18538a4b3ba94b78d9c7cea49a6b07 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 944878 fb6aa227b8609ffde3242b4f5fc6116f http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 399202 cb99c081fd9f48e5a40df713ae651e88 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_sparc.udeb Size/MD5: 559654 b84fa24de0b7aada1ba92eb57405d92f http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 1984540 16585659f3a14e89470a5f00fd4f42ba http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 3873894 fc78d170a38cbddf9e3535cb353d52b3 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 2241644 177559b738e07248aff683e93fe9b82b http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 397818 652f57d5f54161a5e0ad5c79617b0879 Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.diff.gz Size/MD5: 55754 c957bd1ff8a8500f842e20234143c351 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.dsc Size/MD5: 1334 0dd1b68e9c2f1caefc82dd0fc2b92648 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5: 3354792 acf70a16359bf3658bdfb74bda1c4419 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.1_all.deb Size/MD5: 628628 c4f6300e39b5949d7ef8cb13f7054214 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_amd64.udeb Size/MD5: 622186 bc90e5f8db699789fc7aa72d42e57371 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 2109722 a7dc60dd48c1ec1656cbb909c456d960 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 1685202 25e62ee915d832d604890addbaa122ea http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 957898 115151c119f55d0907593883f877daa3 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 404030 b7ea3332ca29746237f2b661c91e89b1 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_i386.udeb Size/MD5: 578654 c1afb78788aee9b1d87b9fe9cc3f84cd http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 1980648 352cdc3d1ec18714ed69a0e994ad3a34 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 5604978 2d964cdf8c4f11d7407a614c23cfee3d http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 2920048 a9073edf1c235cf3919c09a0ab5718f4 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 398652 7f7fba957c5f1e3071275a38671acf25 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_lpia.udeb Size/MD5: 547384 30f57b3c8dde980d1e46c4c26d8ad561 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 1958092 2560aaf556ba47a934092635ba0d8d2f http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 1578834 05f9e7736ccd10d80e6953e2fe094fa1 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 862680 d298ef88cef3c47b0e90e0f1a9181a40 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 400640 215b80cc7bb02cc24f2086dc5baa6217 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_powerpc.udeb Size/MD5: 623176 85a1d24d89ea4c34cc9a54b568b5bc58 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 2120282 3c16c677ad334913d82080fd41f25daf http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 1704334 ec55dbd174914d100a625a601d5c8d6c http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 964578 3f207d7b34494f01d1cb3448825af9e5 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 402660 cc80ae7e798e4b46f9882ad31d2e7cc9 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_sparc.udeb Size/MD5: 567580 bd1a38ca852a485c76d434c619766e30 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 2013344 6eec2f31c3d94e19eeb57f1008030a80 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 4038260 5c9cc4e498dac03b1d8664840c62e0d7 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 2284620 317c30221db0bb66c0703c40694d9485 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 406750 8542831a114aaff62e62021bbc8d028b

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation error

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Google Security team

SOURCES

LAST UPDATE DATE

2024-11-07T21:30:49.249000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE