  • [SECURITY] [DSA-2125-1] New openssl packages fix buffer overflow (1/3)

    From Stefan Fritsch@1:229/2 to All on Mon Nov 22 21:20:02 2010
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2125-1                  [email protected]
    http://www.debian.org/security/                           Stefan Fritsch
    November 22, 2010                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : openssl
    Vulnerability : buffer overflow
    Problem type : remote
    Debian-specific: no
    Debian Bug : 603709
    CVE Id(s) : CVE-2010-3864

    A flaw has been found in the OpenSSL TLS server extension code parsing
    which on affected servers can be exploited in a buffer overrun attack.
    This allows an attacker to cause an application crash or potentially to
    execute arbitrary code.

    However, not all OpenSSL based SSL/TLS servers are vulnerable: A server
    is vulnerable if it is multi-threaded and uses OpenSSL's internal
    caching mechanism. In particular the Apache HTTP server (which never
    uses OpenSSL internal caching) and Stunnel (which includes its own
    workaround) are NOT affected.

    This upgrade fixes this issue. After the upgrade, any services using the
    openssl libraries need to be restarted. The checkrestart script from the
    debian-goodies package or lsof can help to find out which services need
    to be restarted.

    A note to users of the tor packages from the Debian backports or Debian
    volatile: This openssl update causes problems with some versions of tor.
    You need to update to tor 0.2.1.26-4~bpo50+1 or
    0.2.1.26-1~lennyvolatile2, respectively. The tor package version
    0.2.0.35-1~lenny2 from Debian stable is not affected by these problems.

    For the stable distribution (lenny), the problem has been fixed in
    openssl version 0.9.8g-15+lenny9.

    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem has been fixed in version 0.9.8o-3.

    We recommend that you upgrade your openssl packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.

    Debian GNU/Linux 5.0 alias lenny (stable)
    - -----------------------------------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
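
The advisory notes that services using the openssl libraries keep running the old code until they are restarted. The following is an added example, not part of the advisory or of Debian's tooling: it finds such processes by looking for libssl/libcrypto mappings marked "(deleted)" in /proc/PID/maps, which is how a replaced library shows up in a process that loaded it before the upgrade. The function names and the optional proc-root argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: list processes that still map a replaced (deleted) copy of
# libssl or libcrypto, i.e. services that need a restart after the upgrade.
# The optional proc-root argument is an assumption of this sketch; it lets
# the scan be pointed at a constructed test tree instead of the live /proc.

# Succeed if the given maps file contains a deleted libssl/libcrypto mapping.
# A maps line reads: address perms offset dev inode path [(deleted)]
has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "PID NAME" for each process under $1 (default /proc) that still
# maps the old library. Processes we may not read are skipped silently.
list_needing_restart() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        has_stale_openssl "$dir/maps" || continue
        # The process name is the "Name:" field of /proc/PID/status.
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$dir/status" 2>/dev/null | head -n 1)
        printf '%s %s\n' "${dir##*/}" "${name:-unknown}"
    done
}

# Scan the live system only when asked to; run as root to see every process.
if [ "${1:-}" = "--scan" ]; then
    list_needing_restart /proc
fi
```

An empty result after restarting the listed services means no running process still holds the pre-upgrade library.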