Details of VAR-200901-0714

ID

VAR-200901-0714

CVE

CVE-2008-5077

TITLE

F5 FirePass OpenSSL has an unknown vulnerability

Trust: 0.6

sources: CNVD: CNVD-2010-0376

DESCRIPTION

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. F5's FirePass server is a powerful network device that can provide users with secure access to the company's network through any standard web browser. F5 FirePass products have unidentified security vulnerabilities, allowing malicious users to conduct fraud and forgery attacks. For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch4 of the openssl package, and version 0.9.7k-3.1etch2 of the openssl097 package. For the unstable distribution (sid), this problem has been fixed in version 0.9.8g-15. The testing distribution (lenny) will be fixed soon. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.dsc Size/MD5 checksum: 1069 fb69818a28ead5b3026dcafc1f5e92d5 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz Size/MD5 checksum: 3313857 78454bec556bcb4c45129428a766c886 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.diff.gz Size/MD5 checksum: 56230 ad913155fe55d659741976a1be02ee48 http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz Size/MD5 checksum: 3292692 be6bba1d67b26eabb48cf1774925416f http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.diff.gz Size/MD5 checksum: 34518 845a986c8a5170953c1e88c2d9965176 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.dsc Size/MD5 checksum: 1107 fd0b477d237c473e3f1491e8821b155d alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_alpha.deb Size/MD5 checksum: 2561904 e0499757c84819b0cb4919de45e733c4 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_alpha.deb Size/MD5 checksum: 3822008 a63ea4834f1be21cf7dacd7a60817914 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_alpha.deb Size/MD5 checksum: 2209796 1d008a2d9fcb466c0e1393fd6cf1dced http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_alpha.deb Size/MD5 checksum: 4558410 af0dcd956ae91457c01c5152bea8c775 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_alpha.deb Size/MD5 checksum: 1026098 957ee2ef34a7aa24c41903eea6d1db51 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_alpha.deb Size/MD5 checksum: 2621108 d42a2d70f27723a8dc9aab1dfb83ad10 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_alpha.udeb Size/MD5 checksum: 677162 039dd8968e77f09312fc4e502601b6fe amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_amd64.deb Size/MD5 checksum: 891116 0d771317a58430e6ecea1e38e6889ef4 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_amd64.udeb Size/MD5 checksum: 580208 f08c5d2e4649dd9f077b440d3cd35963 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_amd64.deb Size/MD5 checksum: 1655264 ec946f04aa2fae3a001be8c7ae330839 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_amd64.deb Size/MD5 checksum: 753788 e5521b844646e69b1b8f2daa872b83b8 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_amd64.deb Size/MD5 checksum: 992378 417077b8de5a56b9dad0667f2ab5b6e2 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_amd64.deb Size/MD5 checksum: 2178820 effca1afcd65d7e418f3cb75dd875b1d http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_amd64.deb Size/MD5 checksum: 1326428 670a34f7c39343a7939ba43c4658821c hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_hppa.deb Size/MD5 checksum: 1586088 66b4b504f0e67fc74c9a98e1f6e8cbac http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_hppa.deb Size/MD5 checksum: 1274896 2dc2191758d272e05461f574bd50031b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_hppa.deb Size/MD5 checksum: 1030994 cfe12740f5f0492a05646851dc042ba8 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_hppa.deb Size/MD5 checksum: 945354 e001f9834b3a7fbfd69963118afc7922 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_hppa.deb Size/MD5 checksum: 793836 489e8472b5b300e2627cd25be399f42f http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_hppa.udeb Size/MD5 checksum: 631120 18fb83375c2b5a6689703c1219ad4f65 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_hppa.deb Size/MD5 checksum: 2248436 0c045e8c6dcc0ee3e89d1808b3818eed i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_i386.deb Size/MD5 checksum: 2285788 a1b0456725a0ca95457c74672a235097 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_i386.deb Size/MD5 checksum: 1015498 04dd57145bc4d8fbd728bba329e7dc72 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_i386.udeb Size/MD5 checksum: 554698 e30b6a20efd74af8bbd5bfb5e9241113 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_i386.deb Size/MD5 checksum: 2721068 abec8c0872781f622454d14ae4e39bad http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_i386.deb Size/MD5 checksum: 4646314 e0a3f1a4d622f7a6a8886bb1bdf56bbe http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_i386.deb Size/MD5 checksum: 2094162 fe95acfa9d541760bbb0c0ed86982bcb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_i386.deb Size/MD5 checksum: 5582804 aa194f9d43a3890d810e81086b4ee473 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_ia64.deb Size/MD5 checksum: 1263564 be2a79505ff0ae08e19c8ceeafdf7a08 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_ia64.deb Size/MD5 checksum: 2593624 3a198fb3a4a51e81340d2a1175766c91 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_ia64.deb Size/MD5 checksum: 1569658 4dbd1a9c3f4d0fe2b8906a8555e26105 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_ia64.deb Size/MD5 checksum: 1071264 45a62ed67f0ad2168cab559b45aa7de6 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_ia64.deb Size/MD5 checksum: 1192358 c28adf2245854e3b368d7f88590fc730 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_ia64.udeb Size/MD5 checksum: 801742 ce515f87f93a6364b22f94c5840a4729 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_ia64.deb Size/MD5 checksum: 1010004 4222d05c1eb0ce929c68f7c8cc11ecd3 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mips.deb Size/MD5 checksum: 1693440 29a8f61c5cfb619d20235fb91cf9ff3b http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mips.udeb Size/MD5 checksum: 580128 fc3af402963b6fa4d24b89a4afcd8bc3 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mips.deb Size/MD5 checksum: 876210 f87b4773e3c70539302f5af3b51800b9 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mips.deb Size/MD5 checksum: 993434 02a232c80759b81c67df2e6e6a2cca26 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mips.deb Size/MD5 checksum: 2258938 be0d32157248efd6f87f450630ce22ef mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mipsel.deb Size/MD5 checksum: 992856 85a14404d0cae1d5100721d014d5ee29 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mipsel.deb Size/MD5 checksum: 2255990 1bd0adee660543138600882fc2e42d81 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mipsel.deb Size/MD5 checksum: 1649560 22c06f600378978e094230c172db8ca4 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mipsel.deb Size/MD5 checksum: 860700 bc11dc6212a74c8ca4bf6d314f929dff http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_mipsel.deb Size/MD5 checksum: 718942 4ad8442b8812dfe2fd4fcbe06591c3c2 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_mipsel.deb Size/MD5 checksum: 1317060 1d35b7e67204b5b31ab16c2514c69e02 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mipsel.udeb Size/MD5 checksum: 566226 1300061de87860cdf5ecfaeb26839c5f powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_powerpc.deb Size/MD5 checksum: 743386 7e189844da3112f289ff8f96458b7d6e http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_powerpc.deb Size/MD5 checksum: 1002204 24f2f0ec4aa965ff9057f7055322b70e http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_powerpc.deb Size/MD5 checksum: 1728492 6074f055c8257f19962341a29c0dc1c2 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_powerpc.deb Size/MD5 checksum: 1382114 41b6f5900e7a6361625a7fde3329d389 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_powerpc.deb Size/MD5 checksum: 895634 495901098cb75b870810b6abcb82c187 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_powerpc.deb Size/MD5 checksum: 2210874 5b27bc4f2f2fc1c15957242a383b9921 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_powerpc.udeb Size/MD5 checksum: 585332 5cb7f5d282dd56d2825253006fc4ac29 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_s390.deb Size/MD5 checksum: 1317066 0e843e8f68a84557d8f9306c61609283 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_s390.deb Size/MD5 checksum: 2193894 d3d5eeb042d82e5b383177e08136b3cc http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_s390.deb Size/MD5 checksum: 951570 621f50aae93efdd5c31a94071e93eaa9 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_s390.deb Size/MD5 checksum: 1633204 4e6a635c45caa90a0f28f58286b5b2bf http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_s390.deb Size/MD5 checksum: 1014480 639c707aed6efc331f1c3b6b14322ee0 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_s390.deb Size/MD5 checksum: 794236 3bc1224270f26fb7b85eae99b18a1e97 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_s390.udeb Size/MD5 checksum: 643020 41a09437ea5130fe0daed09edd4e6423 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_sparc.udeb Size/MD5 checksum: 539054 4807d481d7878ea7032d7aa9747e95e0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_sparc.deb Size/MD5 checksum: 2124310 91c54b669eae9e38ae65486d5f082c6b http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_sparc.deb Size/MD5 checksum: 3418866 a6805a9c7125b04e0c226b2a90c9d5d2 http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_sparc.deb Size/MD5 checksum: 1801340 af40fbabcf27d1c8a81d18f3e3d4ac4d http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_sparc.deb Size/MD5 checksum: 2113338 c5e7dd09e9c4133e9a06a286ace5b7ed http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_sparc.deb Size/MD5 checksum: 1020946 713c98cac975ec8c0c64c96812353f82 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_sparc.deb Size/MD5 checksum: 4089498 b1c0f345c3d51a9dea6dd07a003e6e4e These files will probably be moved into the stable distribution on its next update. HP System Management Homepage (SMH) before v3.0.1.73 running on Linux and Windows 2003, 2008. OpenSSL Security Advisory [07-Jan-2009] Incorrect checks for malformed signatures =========================================== Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS. This vulnerability is tracked as CVE-2008-5077. The OpenSSL security team would like to thank the Google Security Team for reporting this issue. Who is affected? ================= Everyone using OpenSSL releases prior to 0.9.8j as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key. Use of OpenSSL as an SSL/TLS client when connecting to a server whose certificate uses an RSA key is NOT affected. Verification of client certificates by OpenSSL servers for any key type is NOT affected. Recommendations for users of OpenSSL ===================================== Users of OpenSSL 0.9.8 should update to the OpenSSL 0.9.8j release which contains a patch to correct this issue. The patch used is also appended to this advisory for users or distributions who wish to backport this patch to versions they build from source. Recommendations for projects using OpenSSL =========================================== Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled. As documented, this function returns 1 for a successful verification, 0 for failure, and -1 for an error. General recommendations ======================== Any server that has clients using OpenSSL verifying DSA or ECDSA certificates, regardless of the software used by the server, should either ensure that all clients are upgraded or stop using DSA/ECDSA certificates. Note that unless certificates are revoked (and clients check for revocation) impersonation will still be possible until the certificate expires. References =========== URL for this Security Advisory: http://www.openssl.org/news/secadv_20090107.txt diff -ur openssl-0.9.8i-ORIG/apps/speed.c openssl-0.9.8i/apps/speed.c --- openssl-0.9.8i/apps/speed.c 2007-11-15 13:33:47.000000000 +0000 +++ openssl-0.9.8i/apps/speed-new.c 2008-12-04 00:00:00.000000000 +0000 @@ -2132,7 +2132,7 @@ { ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]); - if (ret == 0) + if (ret <= 0) { BIO_printf(bio_err, "RSA verify failure\n"); diff -ur openssl-0.9.8i-ORIG/apps/spkac.c openssl-0.9.8i/apps/spkac.c --- openssl-0.9.8i-ORIG/apps/spkac.c 2005-04-05 19:11:18.000000000 +0000 +++ openssl-0.9.8i/apps/spkac.c 2008-12-04 00:00:00.000000000 +0000 @@ -285,7 +285,7 @@ pkey = NETSCAPE_SPKI_get_pubkey(spki); if(verify) { i = NETSCAPE_SPKI_verify(spki, pkey); - if(i) BIO_printf(bio_err, "Signature OK\n"); + if (i > 0) BIO_printf(bio_err, "Signature OK\n"); else { BIO_printf(bio_err, "Signature Failure\n"); ERR_print_errors(bio_err); diff -ur openssl-0.9.8i-ORIG/apps/verify.c openssl-0.9.8i/apps/verify.c --- openssl-0.9.8i-ORIG/apps/verify.c 2004-11-29 11:28:07.000000000 +0000 +++ openssl-0.9.8i/apps/verify.c 2008-12-04 00:00:00.600000000 +0000 @@ -266,7 +266,7 @@ ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -367,4 +367,3 @@ ERR_clear_error(); return(ok); } - diff -ur openssl-0.9.8i-ORIG/apps/x509.c openssl-0.9.8i/apps/x509.c --- openssl-0.9.8i-ORIG/apps/x509.c 2007-10-12 00:00:10.000000000 +0000 +++ openssl-0.9.8i/apps/x509.c 2008-12-04 00:00:00.400000000 +0000 @@ -1151,7 +1151,7 @@ /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); - if (!reqfile && !X509_verify_cert(&xsc)) + if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca,pkey)) diff -ur openssl-0.9.8i-ORIG/crypto/cms/cms_sd.c openssl-0.9.8i/crypto/cms/cms_sd.c --- openssl-0.9.8i-ORIG/crypto/cms/cms_sd.c 2008-04-06 16:30:38.000000000 +0000 +++ openssl-0.9.8i/crypto/cms/cms_sd.c 2008-12-04 00:00:00.400000000 +0000 @@ -830,7 +830,7 @@ cms_fixup_mctx(&mctx, si->pkey); r = EVP_VerifyFinal(&mctx, si->signature->data, si->signature->length, si->pkey); - if (!r) + if (r <= 0) CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); err: EVP_MD_CTX_cleanup(&mctx); diff -ur openssl-0.9.8i-ORIG/ssl/s2_clnt.c openssl-0.9.8i/ssl/s2_clnt.c --- openssl-0.9.8i-ORIG/ssl/s2_clnt.c 2007-09-06 12:43:53.000000000 +0000 +++ openssl-0.9.8i/ssl/s2_clnt.c 2008-12-04 00:00:00.100000000 +0000 @@ -1044,7 +1044,7 @@ i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; diff -ur openssl-0.9.8i-ORIG/ssl/s2_srvr.c openssl-0.9.8i/ssl/s2_srvr.c --- openssl-0.9.8i-ORIG/ssl/s2_srvr.c 2007-09-06 12:43:53.000000000 +0000 +++ openssl-0.9.8i/ssl/s2_srvr.c 2008-12-04 00:00:00.900000000 +0000 @@ -1054,7 +1054,7 @@ i=ssl_verify_cert_chain(s,sk); - if (i) /* we like the packet, now check the chksum */ + if (i > 0) /* we like the packet, now check the chksum */ { EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; @@ -1083,7 +1083,7 @@ EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); - if (i) + if (i > 0) { if (s->session->peer != NULL) X509_free(s->session->peer); diff -ur openssl-0.9.8i-ORIG/ssl/s3_clnt.c openssl-0.9.8i/ssl/s3_clnt.c --- openssl-0.9.8i-ORIG/ssl/s3_clnt.c 2008-06-16 16:56:41.000000000 +0000 +++ openssl-0.9.8i/ssl/s3_clnt.c 2008-12-04 00:00:00.100000000 +0000 @@ -972,7 +972,7 @@ } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) @@ -1459,7 +1459,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; @@ -1477,7 +1477,7 @@ EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; diff -ur openssl-0.9.8i-ORIG/ssl/s3_srvr.c openssl-0.9.8i/ssl/s3_srvr.c --- openssl-0.9.8i-ORIG/ssl/s3_srvr.c 2008-09-14 18:16:09.000000000 +0000 +++ openssl-0.9.8i/ssl/s3_srvr.c 2008-12-04 00:00:00.100000000 +0000 @@ -2560,7 +2560,7 @@ else { i=ssl_verify_cert_chain(s,sk); - if (!i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); diff -ur openssl-0.9.8i-ORIG/ssl/ssltest.c openssl-0.9.8i/ssl/ssltest.c --- openssl-0.9.8i-ORIG/ssl/ssltest.c 2008-06-16 16:56:42.000000000 +0000 +++ openssl-0.9.8i/ssl/ssltest.c 2008-12-04 00:00:00.900000000 +0000 @@ -2093,7 +2093,7 @@ if (cb_arg->proxy_auth) { - if (ok) + if (ok > 0) { const char *cond_end = NULL; . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01706219 Version: 1 HPSBUX02418 SSRT090002 rev.1 - HP-UX Running OpenSSL, Remote Unauthorized Access NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-03-31 Last Updated: 2009-03-30 Potential Security Impact: Remote unauthorized access Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running OpenSSL. The vulnerability could be exploited remotely to allow an unauthorized access. References: CVE-2008-5077 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23, B.11.31 running OpenSSL BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2008-5077 (AV:R/AC:L/Au:N/C:N/I:P/A:N) 5.0 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following patches to resolve this vulnerability. The patches are available from the following location: URL: http://software.hp.com HP-UX Release HP-UX OpenSSL version B.11.11 (11i v1) A.00.09.07m.046 B.11.23 (11i v2) A.00.09.07m.047 B.11.31 (11i v3) A.00.09.08j.003 MANUAL ACTIONS: Yes - Update PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.046 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.001 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.07m.046 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.047 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.002 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.07m.047 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== fips_1_1_2.FIPS-CONF fips_1_1_2.FIPS-DOC fips_1_1_2.FIPS-INC fips_1_1_2.FIPS-LIB fips_1_1_2.FIPS-MAN fips_1_1_2.FIPS-MIS fips_1_1_2.FIPS-RUN fips_1_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.1.2.048 or subsequent fips_1_2.FIPS-CONF fips_1_2.FIPS-DOC fips_1_2.FIPS-INC fips_1_2.FIPS-LIB fips_1_2.FIPS-MAN fips_1_2.FIPS-MIS fips_1_2.FIPS-RUN fips_1_2.FIPS-SRC action: install revision FIPS-OPENSSL-1.2.003 or subsequent openssl.OPENSSL-CER openssl.OPENSSL-CONF openssl.OPENSSL-DOC openssl.OPENSSL-INC openssl.OPENSSL-LIB openssl.OPENSSL-MAN openssl.OPENSSL-MIS openssl.OPENSSL-PRNG openssl.OPENSSL-PVT openssl.OPENSSL-RUN openssl.OPENSSL-SRC action: install revision A.00.09.08j.003 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 31 March 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSdNBjeAfOvwtKn1ZEQI07wCg4iu1Jn5I5OInhZq8nYL+a/9MT2UAoPGR gTd3Vf2bK3bnrFOIBFl0/t75 =vt7j -----END PGP SIGNATURE----- . At the request of the OpenSSL team, oCERT has aided in the remediation coordination for other projects with similar API misuse vulnerabilities. In addition to EVP_VerifyFinal, the return codes from DSA_verify and DSA_do_verify functions were being incorrectly validated, and packages doing so are affected in a similar fashion as OpenSSL. NTP <= 4.2.4p5 (production), <= 4.2.5p150 (development) Sun GridEngine <= 5.3 Gale <= 0.99 OpenEvidence <= 1.0.6 Belgian eID middleware - eidlib <= 2.6.0 [2] Freedom Network Server <= 2.x The following packages were identified as affected by a vulnerability similar to the OpenSSL one, as they use OpenSSL DSA_verify function and incorrectly check the return code. 2 - Belgian eID middleware latest versions are not available in source form, therefore we cannot confirm if they are affected Fixed version: OpenSSL >= 0.9.8j NTP >= 4.2.4p6 (production), >= 4.2.5p153 (development) Sun GridEngine >= 6.0 Gale N/A OpenEvidence N/A Belgian eID middleware - eidlib N/A Freedom Network Server N/A BIND >= 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1 Lasso >= 2.2.2 ZXID N/A Credit: Google Security Team (for the original OpenSSL issue). CVE: CVE-2008-5077 (OpenSSL), CVE-2009-0021 (NTP), CVE-2009-0025 (BIND) Timeline: 2008-12-16: OpenSSL Security Team requests coordination aid from oCERT 2008-12-16: oCERT investigates packages affected by similar issues 2008-12-16: contacted affected vendors 2008-12-17: investigation expanded to DSA verification 2008-12-17: BIND, Lasso and ZXID added to affected packages 2008-12-18: contacted additional affected vendors 2009-01-05: status updates and patch dissemination to affected vendors 2009-01-05: confirmation from BIND of issue and fix 2009-01-06: requested CVE assignment for BIND 2009-01-07: advisory published References: http://openssl.org/news/secadv_20090107.txt Links: http://openssl.org/ http://www.ntp.org/ http://gridengine.sunsource.net/ http://gale.org/ http://www.openevidence.org/ http://eid.belgium.be/ http://www.google.com/codesearch/p?#1vGzyQX--LU/achilles/remailer/zero-knowledge/freedomserver-2.x.tgz/ https://www.isc.org/products/BIND http://lasso.entrouvert.org/ http://www.zxid.org/ Permalink: http://www.ocert.org/advisories/ocert-2008-016.html -- Will Drewry <redpig@ocert.org> oCERT Team :: http://ocert.org . Background ========== ntp contains the client and daemon implementations for the Network Time Protocol. The updated packages have been patched to prevent this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 6585e08eab279e6a249630385683bf43 2008.0/i586/libopenssl0.9.8-0.9.8e-8.2mdv2008.0.i586.rpm b5955c2c0a2cc24abd9f5f3ebc7d0148 2008.0/i586/libopenssl0.9.8-devel-0.9.8e-8.2mdv2008.0.i586.rpm 7c92323d7aa583b936ef908f3f6ac867 2008.0/i586/libopenssl0.9.8-static-devel-0.9.8e-8.2mdv2008.0.i586.rpm 2b791168311c3ecba4f8b7acd24e64ab 2008.0/i586/openssl-0.9.8e-8.2mdv2008.0.i586.rpm cf51c48e4c05ac5357f6076fbaeff0a5 2008.0/SRPMS/openssl-0.9.8e-8.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 6259ac00622227eee59f888bc516bc3a 2008.0/x86_64/lib64openssl0.9.8-0.9.8e-8.2mdv2008.0.x86_64.rpm fe745327c1bbb599e025a5b90bb05817 2008.0/x86_64/lib64openssl0.9.8-devel-0.9.8e-8.2mdv2008.0.x86_64.rpm bdb7113b06aab0c4d77cbf86bcf208c2 2008.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8e-8.2mdv2008.0.x86_64.rpm d4fda198a80b88c7caaf947af0866df8 2008.0/x86_64/openssl-0.9.8e-8.2mdv2008.0.x86_64.rpm cf51c48e4c05ac5357f6076fbaeff0a5 2008.0/SRPMS/openssl-0.9.8e-8.2mdv2008.0.src.rpm Mandriva Linux 2008.1: 4a0be98cd3fb82a22e3836c5ae81ed37 2008.1/i586/libopenssl0.9.8-0.9.8g-4.2mdv2008.1.i586.rpm 277058ecc1d26d24bf4da5ea27d4a31f 2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.2mdv2008.1.i586.rpm 29b08a5a233f1987c4ca98aaa4e97ac5 2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.2mdv2008.1.i586.rpm e47be879abc0c089a8f380469a6a62c8 2008.1/i586/openssl-0.9.8g-4.2mdv2008.1.i586.rpm 7395d0e10c1938be16261baba05da55c 2008.1/SRPMS/openssl-0.9.8g-4.2mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 71a69804b928a9f7856f65fee332c5ab 2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.2mdv2008.1.x86_64.rpm e9c5d1d4895a5a679945bde62df6f988 2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.2mdv2008.1.x86_64.rpm 7f2d66839f93e2083dcd1b1f27ca4ddf 2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.2mdv2008.1.x86_64.rpm 40408ffdf13faa6c79b28c764bb88b22 2008.1/x86_64/openssl-0.9.8g-4.2mdv2008.1.x86_64.rpm 7395d0e10c1938be16261baba05da55c 2008.1/SRPMS/openssl-0.9.8g-4.2mdv2008.1.src.rpm Mandriva Linux 2009.0: 2512f6a41e9a8e7bcff53e5737029689 2009.0/i586/libopenssl0.9.8-0.9.8h-3.1mdv2009.0.i586.rpm d7774faaed2866da5bb05cbcf07604da 2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.1mdv2009.0.i586.rpm ed99160bdf1ce33fa81dc47c71915318 2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.1mdv2009.0.i586.rpm 6116fafed014596ee1e6ec43db93133f 2009.0/i586/openssl-0.9.8h-3.1mdv2009.0.i586.rpm 8ad6b0d8aff3bb992d716668450aef3a 2009.0/SRPMS/openssl-0.9.8h-3.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: d2cc04fc0bdaeea8e4cc5d7ab4e997fd 2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.1mdv2009.0.x86_64.rpm b537da3113c75f87c4fa8d66be2d6797 2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.1mdv2009.0.x86_64.rpm ef9add2bec302b324b9c0690cf79b57c 2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.1mdv2009.0.x86_64.rpm 16b8c11f4d6dedf2e4176bfc55607c15 2009.0/x86_64/openssl-0.9.8h-3.1mdv2009.0.x86_64.rpm 8ad6b0d8aff3bb992d716668450aef3a 2009.0/SRPMS/openssl-0.9.8h-3.1mdv2009.0.src.rpm Corporate 3.0: 5e8f4b7c1e646d0e16af2d83238a011b corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.9.C30mdk.i586.rpm 5115d911b9a6842fd0c3495429c7c2f2 corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.9.C30mdk.i586.rpm b934b4f9686deef6cb1eba750ab36288 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.9.C30mdk.i586.rpm 11ec8a4df261d4d4fa9957d33be08604 corporate/3.0/i586/openssl-0.9.7c-3.9.C30mdk.i586.rpm dcd1a4feb1a04302c54465dce7c7c506 corporate/3.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm Corporate 3.0/X86_64: 64521521330df90b42c9c37cafe50b54 corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.9.C30mdk.x86_64.rpm 3a85c30c0511e42ec76c80e08efe5192 corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.9.C30mdk.x86_64.rpm 12af66f30c5022d8d29b57a9131458c3 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.9.C30mdk.x86_64.rpm 62f5c54be99ddc9458670ae04b24d3f0 corporate/3.0/x86_64/openssl-0.9.7c-3.9.C30mdk.x86_64.rpm dcd1a4feb1a04302c54465dce7c7c506 corporate/3.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm Corporate 4.0: 60c64d9ead2b01fb39058a705fcb95dc corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.7.20060mlcs4.i586.rpm fb4d5555c211b375707bf7d194e74776 corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.7.20060mlcs4.i586.rpm c13ff967b4310e5a790e85595f940b7e corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.7.20060mlcs4.i586.rpm e9a96a389c00ee674d689e3747c3e501 corporate/4.0/i586/openssl-0.9.7g-2.7.20060mlcs4.i586.rpm 4df38ebd98b467bdee0d4a24d3b0158f corporate/4.0/SRPMS/openssl-0.9.7g-2.7.20060mlcs4.src.rpm Corporate 4.0/X86_64: de71d0bbc98589afdf03b7a99aad7103 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.7.20060mlcs4.x86_64.rpm 0c330148b55987e50f491c7e4d3b65a5 corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.7.20060mlcs4.x86_64.rpm ce64720b2685fada3e88a5725c43b532 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.7.20060mlcs4.x86_64.rpm 29f0f40602184d7f366e1d1d8e5c03e4 corporate/4.0/x86_64/openssl-0.9.7g-2.7.20060mlcs4.x86_64.rpm 4df38ebd98b467bdee0d4a24d3b0158f corporate/4.0/SRPMS/openssl-0.9.7g-2.7.20060mlcs4.src.rpm Multi Network Firewall 2.0: 74a4beac1c01f9fd888dd5eea356f7be mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.9.C30mdk.i586.rpm c809a08f26051c7a3931ccda00c94429 mnf/2.0/i586/openssl-0.9.7c-3.9.C30mdk.i586.rpm 8ae9f7004b77dca2317980ba4215dc92 mnf/2.0/SRPMS/openssl-0.9.7c-3.9.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJZqIYmqjQ0CJFipgRAqRNAKDNNvWgsIk0/eh5f8539zOJ7dtnnQCeJezP ZE8i9Ju80WcdhXe9yIoPevE= =9n1t -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200902-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: OpenSSL: Certificate validation error Date: February 12, 2009 Bugs: #251346 ID: 200902-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== An error in the OpenSSL certificate chain validation might allow for spoofing attacks. Background ========== OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. Impact ====== A remote attacker could exploit this vulnerability and spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information. Workaround ========== There is no known workaround at this time. Resolution ========== All OpenSSL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8j" References ========== [ 1 ] CVE-2008-5077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200902-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-704-1 January 07, 2009 openssl vulnerability CVE-2008-5077 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libssl0.9.8 0.9.8a-7ubuntu0.6 openssl 0.9.8a-7ubuntu0.6 Ubuntu 7.10: libssl0.9.8 0.9.8e-5ubuntu3.3 openssl 0.9.8e-5ubuntu3.3 Ubuntu 8.04 LTS: libssl0.9.8 0.9.8g-4ubuntu3.4 openssl 0.9.8g-4ubuntu3.4 Ubuntu 8.10: libssl0.9.8 0.9.8g-10.1ubuntu2.1 openssl 0.9.8g-10.1ubuntu2.1 After a standard system upgrade you need to reboot your computer to effect the necessary changes. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.diff.gz Size/MD5: 50783 396d2184fcb5130f410d08abc6b7330c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.dsc Size/MD5: 822 64ee2faa7018f771f6ebe9d46f3b0a99 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz Size/MD5: 3271435 1d16c727c10185e4d694f87f5e424ee1 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_amd64.udeb Size/MD5: 571736 e7a9c7893a6d858465b9baae1de69de6 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 2167724 ec495fd3402eb1dec0a1ce6594bdb7b3 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 1682634 9e310c2bcd01bfe4c0c5992252741a6a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 875434 cb8096f3befae3931c17ccbb0ccf0496 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_amd64.deb Size/MD5: 984764 214c03461736f5b2ed744069d833db86 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_i386.udeb Size/MD5: 509508 df64bbeaa01e1e3128ecf319e8bdcd52 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 2024104 130c24c04244403953e63f77b52f4f38 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 5053036 1e9f9310bc70e06f96d93b486d2fc486 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 2595612 57b9b8fa2e9aa7e327ec77ce5ac6d422 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_i386.deb Size/MD5: 976318 b1cc97035bec3309bbbe270da1a5a5e8 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_powerpc.udeb Size/MD5: 557892 c4e0970fc419674173fb6b0e299c91c8 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 2181796 46a9ea8bf00476fd33d598ceca33c84f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 1727402 2cc9be011c97e233490445696341aaec http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 861910 0e58b30e47c25a46f112d6481a1c5a35 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_powerpc.deb Size/MD5: 980576 f2855029ed59ed4b7226cb2fe06e3f7e sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_sparc.udeb Size/MD5: 530818 d7d206110c0dbb2c4e7298f6b9303af1 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 2093166 78a7da03db8f01a3b6d7dfba5fb44198 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 3942670 8ee3f109488992bb0d01d06e4088ff30 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 2091522 ea6cf49b21d8ba82ab24af3ee567068b http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_sparc.deb Size/MD5: 988638 ce46e30741dacb282c4f1b446f84ab23 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.diff.gz Size/MD5: 58877 e62d5901d69b5b871f90e04d9acf521e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.dsc Size/MD5: 958 b1c17ee608e6bc7d07fa4623201f3a7c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e.orig.tar.gz Size/MD5: 3341665 3a7ff24f6ea5cd711984722ad654b927 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_amd64.udeb Size/MD5: 608584 c481816fbc6c299a00b80a3cb4af246f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 2065274 c4a1d6af5d0f1190052e6a3c758e9abb http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 1644192 aa30118c7c95dcfe5556ec12d7add5d6 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 929024 6d28c88e967291c00764b22831b8924e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_amd64.deb Size/MD5: 877802 84c0139ce5dd16fb927ad358e7381548 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_i386.udeb Size/MD5: 571798 c607dc9f23b135daff01e22504c16fab http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 1943350 19f8d4104d2e295ba4a2f439f44e20ee http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 5520624 a21d311ccde9661b3e8f06ba55cbef3e http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 2825690 c3c7d55d3795d52b06284f0caa99d3a1 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_i386.deb Size/MD5: 872044 aeb4f6b72d07cc2a976a18cf93a367dd lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_lpia.udeb Size/MD5: 537248 b07db5071f9ff8914a2d40d6e20ffb41 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 1922002 e9b23815db3e2e64f46d719b51cce2f4 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 1557272 ae70a0bb736343fe718bf0d35a3b32d9 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 836726 b9b1f8206ba21fb9dde3f980c86d24f8 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_lpia.deb Size/MD5: 876574 7839e291a551899242a4dc2f5b8d9f35 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_powerpc.udeb Size/MD5: 618004 7a9f02ca9b67ebc512a6f9e38a80dc26 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 2093146 1d5f7c1c9af62423a04efedd7d38a913 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 1705258 342ae884bd21bcddec45c9b8eabac551 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 945950 9675de35a318feb0078a96896595967c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_powerpc.deb Size/MD5: 886178 9c581cd1ca63f80bb8a9d5832942a153 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_sparc.udeb Size/MD5: 565190 2c2a71fcb2e872cabaeb7d4ae7a20259 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 1987290 2eced2b5c5554f981a61ad6d6afb189a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 4050004 9ab3d6baf7aaaa6c0268f4be69f0a1a9 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 2221122 d210d67192ddfde087aecc66791d2932 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_sparc.deb Size/MD5: 887274 52fd404eb494c0e0b371c7428552196a Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.diff.gz Size/MD5: 54265 48ab0fa9c3683e86643241b94cbbd39a http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.dsc Size/MD5: 920 896ab79ea689efeb2de3e02dc0fc6c3d http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5: 3354792 acf70a16359bf3658bdfb74bda1c4419 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.4_all.deb Size/MD5: 628902 af428e77b048f9b563dbf3b6e03c7b77 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_amd64.udeb Size/MD5: 603882 7cab435930aed7cc81635af1f9186c72 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 2064750 5655eeabb4f5394c6fa9e066104829fe http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 1604310 437124745340c62fb91eb330dd13e26c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 931554 27a5fcd27928f903c555f1c52038db0c http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_amd64.deb Size/MD5: 390620 788d2703d3e67348a628054beb912ed3 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_i386.udeb Size/MD5: 564676 019f31865013411c760e4ab851e89e17 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 1941970 eb1e998c368a67901f8dc24e7f7c8a6f http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 5341460 652d0ec4bf5f9eac14670c2f439beda4 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 2828564 a2ce3d2beb2c38d33dd94f04f2191883 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_i386.deb Size/MD5: 385434 836f3086e428903ccb04c28494ea0041 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_lpia.udeb Size/MD5: 535450 be4c24bff72025ce0c6c6394fba68fd5 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 1922618 a65ff52eb395b40c14f7fc18ea41ad7d http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 1512528 458077dda55faeaf239ee3a47299c609 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 843082 fc0918a82913ea636d087278f3e96fa7 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_lpia.deb Size/MD5: 390018 8faf10bc8b6d4fa531def5446e66dee1 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_powerpc.udeb Size/MD5: 610282 dc8839e3ff9862b80b862285ef984e9f http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 2077956 2bac2aea99e1e0096220f94036883f5e http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 1639618 4a18538a4b3ba94b78d9c7cea49a6b07 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 944878 fb6aa227b8609ffde3242b4f5fc6116f http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_powerpc.deb Size/MD5: 399202 cb99c081fd9f48e5a40df713ae651e88 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_sparc.udeb Size/MD5: 559654 b84fa24de0b7aada1ba92eb57405d92f http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 1984540 16585659f3a14e89470a5f00fd4f42ba http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 3873894 fc78d170a38cbddf9e3535cb353d52b3 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 2241644 177559b738e07248aff683e93fe9b82b http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_sparc.deb Size/MD5: 397818 652f57d5f54161a5e0ad5c79617b0879 Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.diff.gz Size/MD5: 55754 c957bd1ff8a8500f842e20234143c351 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.dsc Size/MD5: 1334 0dd1b68e9c2f1caefc82dd0fc2b92648 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5: 3354792 acf70a16359bf3658bdfb74bda1c4419 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.1_all.deb Size/MD5: 628628 c4f6300e39b5949d7ef8cb13f7054214 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_amd64.udeb Size/MD5: 622186 bc90e5f8db699789fc7aa72d42e57371 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 2109722 a7dc60dd48c1ec1656cbb909c456d960 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 1685202 25e62ee915d832d604890addbaa122ea http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 957898 115151c119f55d0907593883f877daa3 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_amd64.deb Size/MD5: 404030 b7ea3332ca29746237f2b661c91e89b1 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_i386.udeb Size/MD5: 578654 c1afb78788aee9b1d87b9fe9cc3f84cd http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 1980648 352cdc3d1ec18714ed69a0e994ad3a34 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 5604978 2d964cdf8c4f11d7407a614c23cfee3d http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 2920048 a9073edf1c235cf3919c09a0ab5718f4 http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_i386.deb Size/MD5: 398652 7f7fba957c5f1e3071275a38671acf25 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_lpia.udeb Size/MD5: 547384 30f57b3c8dde980d1e46c4c26d8ad561 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 1958092 2560aaf556ba47a934092635ba0d8d2f http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 1578834 05f9e7736ccd10d80e6953e2fe094fa1 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 862680 d298ef88cef3c47b0e90e0f1a9181a40 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_lpia.deb Size/MD5: 400640 215b80cc7bb02cc24f2086dc5baa6217 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_powerpc.udeb Size/MD5: 623176 85a1d24d89ea4c34cc9a54b568b5bc58 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 2120282 3c16c677ad334913d82080fd41f25daf http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 1704334 ec55dbd174914d100a625a601d5c8d6c http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 964578 3f207d7b34494f01d1cb3448825af9e5 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_powerpc.deb Size/MD5: 402660 cc80ae7e798e4b46f9882ad31d2e7cc9 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_sparc.udeb Size/MD5: 567580 bd1a38ca852a485c76d434c619766e30 http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 2013344 6eec2f31c3d94e19eeb57f1008030a80 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 4038260 5c9cc4e498dac03b1d8664840c62e0d7 http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 2284620 317c30221db0bb66c0703c40694d9485 http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_sparc.deb Size/MD5: 406750 8542831a114aaff62e62021bbc8d028b

Trust: 2.25

sources: NVD: CVE-2008-5077 // CNVD: CNVD-2010-0376 // PACKETSTORM: 73756 // PACKETSTORM: 77647 // PACKETSTORM: 73659 // PACKETSTORM: 76268 // PACKETSTORM: 73658 // PACKETSTORM: 76379 // PACKETSTORM: 73698 // PACKETSTORM: 74909 // PACKETSTORM: 73669

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2010-0376

AFFECTED PRODUCTS

vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.3	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.1c	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.5	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.3a	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.2b	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.4	Trust: 1.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7b	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6l	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8d	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.5a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7g	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6i	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8e	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8g	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6f	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7k	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6d	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6c	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7e	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7c	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7j	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7d	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6k	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7f	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6b	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6m	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8b	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6g	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6e	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7h	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7l	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6h	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8f	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.7i	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8c	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	lte	version:	0.9.8h	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.6j	Trust: 1.0
vendor:	no	model:	-	scope:	-	version:	-	Trust: 0.6
vendor:	openssl	model:	openssl	scope:	eq	version:	0.9.8h	Trust: 0.6

sources: CNVD: CNVD-2010-0376 // CNNVD: CNNVD-200901-055 // NVD: CVE-2008-5077

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-5077
value:	MEDIUM
Trust: 1.0
CNNVD:	CNNVD-200901-055
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2008-5077
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0

sources: CNNVD: CNNVD-200901-055 // NVD: CVE-2008-5077

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.0

sources: NVD: CVE-2008-5077

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 73659 // PACKETSTORM: 73669 // CNNVD: CNNVD-200901-055

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-200901-055

PATCH

title:

F5 FirePass OpenSSL \"EVP_VerifyFinal()\" Spoofing Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/230

Trust: 0.6

sources: CNVD: CNVD-2010-0376

EXTERNAL IDS

db:	NVD	id:	CVE-2008-5077	Trust: 3.1
db:	OCERT	id:	OCERT-2008-016	Trust: 1.1
db:	SECUNIA	id:	33673	Trust: 1.0
db:	SECUNIA	id:	35108	Trust: 1.0
db:	SECUNIA	id:	33338	Trust: 1.0
db:	SECUNIA	id:	34211	Trust: 1.0
db:	SECUNIA	id:	33557	Trust: 1.0
db:	SECUNIA	id:	33394	Trust: 1.0
db:	SECUNIA	id:	35074	Trust: 1.0
db:	SECUNIA	id:	39005	Trust: 1.0
db:	SECUNIA	id:	33765	Trust: 1.0
db:	SECUNIA	id:	33436	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0558	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0904	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0913	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0040	Trust: 1.0
db:	VUPEN	id:	ADV-2009-1338	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0289	Trust: 1.0
db:	VUPEN	id:	ADV-2009-1297	Trust: 1.0
db:	VUPEN	id:	ADV-2009-0362	Trust: 1.0
db:	BID	id:	33150	Trust: 1.0
db:	SECTRACK	id:	1021523	Trust: 1.0
db:	USCERT	id:	TA09-133A	Trust: 1.0
db:	CNVD	id:	CNVD-2010-0376	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.0696	Trust: 0.6
db:	LENOVO	id:	LEN-24443	Trust: 0.6
db:	CNNVD	id:	CNNVD-200901-055	Trust: 0.6
db:	PACKETSTORM	id:	73756	Trust: 0.1
db:	PACKETSTORM	id:	77647	Trust: 0.1
db:	PACKETSTORM	id:	73659	Trust: 0.1
db:	PACKETSTORM	id:	76268	Trust: 0.1
db:	PACKETSTORM	id:	73658	Trust: 0.1
db:	PACKETSTORM	id:	76379	Trust: 0.1
db:	PACKETSTORM	id:	73698	Trust: 0.1
db:	PACKETSTORM	id:	74909	Trust: 0.1
db:	PACKETSTORM	id:	73669	Trust: 0.1

sources: CNVD: CNVD-2010-0376 // PACKETSTORM: 73756 // PACKETSTORM: 77647 // PACKETSTORM: 73659 // PACKETSTORM: 76268 // PACKETSTORM: 73658 // PACKETSTORM: 76379 // PACKETSTORM: 73698 // PACKETSTORM: 74909 // PACKETSTORM: 73669 // CNNVD: CNNVD-200901-055 // NVD: CVE-2008-5077

REFERENCES

url:	http://www.openssl.org/news/secadv_20090107.txt	Trust: 1.1
url:	http://www.ocert.org/advisories/ocert-2008-016.html	Trust: 1.1
url:	http://security.gentoo.org/glsa/glsa-200902-02.xml	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2009/0913	Trust: 1.0
url:	http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796	Trust: 1.0
url:	http://www.securitytracker.com/id?1021523	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/1338	Trust: 1.0
url:	http://www.vmware.com/security/advisories/vmsa-2009-0004.html	Trust: 1.0
url:	http://marc.info/?l=bugtraq&m=127678688104458&w=2	Trust: 1.0
url:	http://secunia.com/advisories/33394	Trust: 1.0
url:	http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html	Trust: 1.0
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a9155	Trust: 1.0
url:	https://usn.ubuntu.com/704-1/	Trust: 1.0
url:	http://secunia.com/advisories/33338	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/0289	Trust: 1.0
url:	http://marc.info/?l=bugtraq&m=124277349419254&w=2	Trust: 1.0
url:	http://www.securityfocus.com/archive/1/499827/100/0/threaded	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/1297	Trust: 1.0
url:	http://secunia.com/advisories/33765	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/0558	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/0362	Trust: 1.0
url:	http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html	Trust: 1.0
url:	http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1	Trust: 1.0
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a6380	Trust: 1.0
url:	http://secunia.com/advisories/33557	Trust: 1.0
url:	http://www.us-cert.gov/cas/techalerts/ta09-133a.html	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/0040	Trust: 1.0
url:	http://www.redhat.com/support/errata/rhsa-2009-0004.html	Trust: 1.0
url:	http://www.securityfocus.com/bid/33150	Trust: 1.0
url:	http://secunia.com/advisories/35074	Trust: 1.0
url:	http://secunia.com/advisories/34211	Trust: 1.0
url:	http://support.avaya.com/elmodocs2/security/asa-2009-038.htm	Trust: 1.0
url:	http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html	Trust: 1.0
url:	http://lists.apple.com/archives/security-announce/2009/may/msg00002.html	Trust: 1.0
url:	http://secunia.com/advisories/35108	Trust: 1.0
url:	http://secunia.com/advisories/39005	Trust: 1.0
url:	http://marc.info/?l=bugtraq&m=123859864430555&w=2	Trust: 1.0
url:	http://support.apple.com/kb/ht3549	Trust: 1.0
url:	http://www.vupen.com/english/advisories/2009/0904	Trust: 1.0
url:	http://secunia.com/advisories/33436	Trust: 1.0
url:	http://support.nortel.com/go/main.jsp?cscat=bltndetail&id=837653	Trust: 1.0
url:	http://www.securityfocus.com/archive/1/502322/100/0/threaded	Trust: 1.0
url:	http://secunia.com/advisories/33673	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2008-5077	Trust: 0.9
url:	http://www.securityfocus.com/archive/1/archive/1/502322/100/0/threaded	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2022.0696	Trust: 0.6
url:	https://support.lenovo.com/us/en/solutions/len-24443	Trust: 0.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5077	Trust: 0.3
url:	http://www.itrc.hp.com/service/cki/secbullarchive.do	Trust: 0.2
url:	http://h30046.www3.hp.com/driveralertprofile.php?regioncode=na&langcode=useng&jumpid=in_sc-gen__driveritrc&topiccode=itrc	Trust: 0.2
url:	http://h30046.www3.hp.com/subsignin.php	Trust: 0.2
url:	http://bugs.gentoo.org.	Trust: 0.2
url:	http://creativecommons.org/licenses/by-sa/2.5	Trust: 0.2
url:	http://security.gentoo.org/	Trust: 0.2
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_i386.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.dsc	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_amd64.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mipsel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_mipsel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mipsel.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_mipsel.deb	Trust: 0.1
url:	http://www.debian.org/security/faq	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_s390.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_hppa.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_ia64.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_sparc.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mipsel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mipsel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_i386.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mips.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_ia64.deb	Trust: 0.1
url:	http://security.debian.org/	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_s390.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mips.deb	Trust: 0.1
url:	http://www.debian.org/security/	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch2.diff.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mips.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mips.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_powerpc.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mipsel.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_hppa.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_amd64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_powerpc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_i386.deb	Trust: 0.1
url:	http://packages.debian.org/<pkg>	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.diff.gz	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_alpha.udeb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch2_sparc.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.dsc	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mips.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch2_alpha.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_ia64.deb	Trust: 0.1
url:	http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_hppa.deb	Trust: 0.1
url:	http://h20000.www2.hp.com/bizsupport/techsupport/softwaredescription.jsp?switem=mtx-8300d57bb5424791b0e61652e8	Trust: 0.1
url:	http://h20000.www2.hp.com/bizsupport/techsupport/softwaredescription.jsp?switem=mtx-b35b8e125d17427fa8a74e9ef6	Trust: 0.1
url:	http://h20000.www2.hp.com/bizsupport/techsupport/softwaredescription.jsp?switem=mtx-d7bcce2dc82d43daaec308eb40	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-5814	Trust: 0.1
url:	http://software.hp.com	Trust: 0.1
url:	https://www.hp.com/go/swa	Trust: 0.1
url:	http://gridengine.sunsource.net/	Trust: 0.1
url:	https://www.isc.org/products/bind	Trust: 0.1
url:	http://www.openevidence.org/	Trust: 0.1
url:	http://eid.belgium.be/	Trust: 0.1
url:	http://ocert.org	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-0021	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-0025	Trust: 0.1
url:	http://gale.org/	Trust: 0.1
url:	http://www.zxid.org/	Trust: 0.1
url:	http://openssl.org/news/secadv_20090107.txt	Trust: 0.1
url:	http://lasso.entrouvert.org/	Trust: 0.1
url:	http://openssl.org/	Trust: 0.1
url:	http://www.google.com/codesearch/p?#1vgzyqx--lu/achilles/remailer/zero-knowledge/freedomserver-2.x.tgz/	Trust: 0.1
url:	http://www.ntp.org/	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0021	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-0021	Trust: 0.1
url:	http://www.gentoo.org/security/en/glsa/glsa-200902-02.xml	Trust: 0.1
url:	http://security.gentoo.org/glsa/glsa-200904-05.xml	Trust: 0.1
url:	http://www.mandriva.com/security/	Trust: 0.1
url:	http://secunia.com/	Trust: 0.1
url:	http://lists.grok.org.uk/full-disclosure-charter.html	Trust: 0.1
url:	http://www.mandriva.com/security/advisories	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.1_all.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_sparc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.diff.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.dsc	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_lpia.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_sparc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_sparc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_i386.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_i386.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_sparc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_i386.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_powerpc.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.dsc	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_amd64.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_i386.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_sparc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_amd64.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_sparc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_amd64.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_amd64.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g.orig.tar.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_i386.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.4_all.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_lpia.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3.diff.gz	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8e-5ubuntu3.3_amd64.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_powerpc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.dsc	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4.dsc	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.1_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_amd64.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_lpia.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.1_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.6_powerpc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6.diff.gz	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_sparc.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_amd64.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8e-5ubuntu3.3_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_i386.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_lpia.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_powerpc.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_i386.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.4_lpia.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8e-5ubuntu3.3_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.4_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.6_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1.diff.gz	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.4_powerpc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.6_amd64.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.1_powerpc.udeb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.4_lpia.udeb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.6_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.1_amd64.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.6_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.1_i386.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8e-5ubuntu3.3_sparc.deb	Trust: 0.1
url:	http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8e-5ubuntu3.3_i386.deb	Trust: 0.1
url:	http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.4_sparc.deb	Trust: 0.1

CREDITS

Google Security team

Trust: 0.6

sources: CNNVD: CNNVD-200901-055

SOURCES

db:	CNVD	id:	CNVD-2010-0376
db:	PACKETSTORM	id:	73756
db:	PACKETSTORM	id:	77647
db:	PACKETSTORM	id:	73659
db:	PACKETSTORM	id:	76268
db:	PACKETSTORM	id:	73658
db:	PACKETSTORM	id:	76379
db:	PACKETSTORM	id:	73698
db:	PACKETSTORM	id:	74909
db:	PACKETSTORM	id:	73669
db:	CNNVD	id:	CNNVD-200901-055
db:	NVD	id:	CVE-2008-5077

LAST UPDATE DATE

2026-01-20T22:16:38.338000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2010-0376	date:	2010-03-17T00:00:00
db:	CNNVD	id:	CNNVD-200901-055	date:	2022-03-10T00:00:00
db:	NVD	id:	CVE-2008-5077	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2010-0376	date:	2010-03-17T00:00:00
db:	PACKETSTORM	id:	73756	date:	2009-01-12T21:47:55
db:	PACKETSTORM	id:	77647	date:	2009-05-19T23:02:50
db:	PACKETSTORM	id:	73659	date:	2009-01-07T20:21:31
db:	PACKETSTORM	id:	76268	date:	2009-04-01T22:41:01
db:	PACKETSTORM	id:	73658	date:	2009-01-07T20:17:20
db:	PACKETSTORM	id:	76379	date:	2009-04-06T23:59:06
db:	PACKETSTORM	id:	73698	date:	2009-01-09T20:52:12
db:	PACKETSTORM	id:	74909	date:	2009-02-12T21:44:44
db:	PACKETSTORM	id:	73669	date:	2009-01-07T22:42:50
db:	CNNVD	id:	CNNVD-200901-055	date:	2009-01-07T00:00:00
db:	NVD	id:	CVE-2008-5077	date:	2009-01-07T17:30:00.327