These were updated to correct an additional vulnerability.

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-166939
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939
2005-11-24
---------------------------------------------------------------------
Name        : openssl
Versions    : rh73: openssl-0.9.6b-39.10.legacy
Versions    : rh9:  openssl-0.9.7a-20.6.legacy
Versions    : fc1:  openssl-0.9.7a-33.13.legacy
Versions    : fc2:  openssl-0.9.7a-35.2.legacy
Summary     : The OpenSSL toolkit.
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.
---------------------------------------------------------------------
Update Information:

Updated OpenSSL packages that fix several security issues are now
available.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

OpenSSL contained a software work-around for a bug in SSL handling in
Microsoft Internet Explorer version 3.0.2. This work-around is enabled
in most servers that use OpenSSL to provide support for SSL and TLS.
Yutaka Oiwa discovered that this work-around could allow an attacker,
acting as a "man in the middle", to force an SSL connection to use
SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2969 to this issue.

A bug was fixed in the way OpenSSL creates DSA signatures. A previous
advisory fixed a cache timing attack by making OpenSSL perform its
private key calculations within a fixed time window. The DSA part of
that fix was not complete: the calculations were not always performed
within a fixed window, so timing information could still leak.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0109 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the do_change_cipher_spec()
function. A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way
as to cause OpenSSL to crash. Depending on the server this could lead
to a denial of service. (CVE-2004-0079)

Users are advised to update to these errata packages, which contain
patches to correct these issues.

Note: After installing this update, users are advised to either restart
all services that use OpenSSL or restart their system. Processes that
were already running keep the old library code mapped in memory; only
processes started after the upgrade pick up the fixed libssl and
libcrypto.
---------------------------------------------------------------------
Changelogs

rh73:
* Tue Nov 15 2005 David Eisenstein <deisenst@xxxxxxx> 0.9.6b-39.10.legacy
- Add patch to fix null-pointer dereference DoS, CVE-2004-0079 (#166939)
- Change spec define thread_test_threads from 100 to 10 for a
  reasonable build time (a la RHEL).
- remove deprecated der_chop, as upstream cvs has done (CAN-2004-0975,
  RHEL2.1's 0.9.6b-37). Replaces patch34 (openssl-0.9.7c-tempfile.patch)
  with a new patch34 (openssl-0.9.7a-no-der_chop.patch).
- replaced add-luna patch with new one with right license, per Tomas
  Mraz in RHEL 2.1's 0.9.6b-39 (#158061).
* Sat Oct 22 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.6b-39.9.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.6b-39.8.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

rh9:
* Sat Oct 22 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-20.6.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-20.5.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc1:
* Sat Oct 22 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-33.13.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-33.12.legacy
- patch for cache timing exploit CAN-2005-0109 (#166939)

fc2:
* Sat Oct 22 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-35-2.legacy
- Add extra patch to fix CAN-2005-0109
- Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Sun Aug 28 2005 Jeff Sheltren <sheltren@xxxxxxxxxxx> 0.9.7a-35.1.legacy
- Patches for CAN-2004-0975 and CAN-2005-0109 (#166939)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/

(sha1sums)

rh73:
772eb428fce0f9244879936da6de8540c4a0da19 redhat/7.3/updates-testing/i386/openssl095a-0.9.5a-24.7.6.legacy.i386.rpm
2abb561452161340c02522e5b304685bded02acc redhat/7.3/updates-testing/i386/openssl096-0.9.6-25.11.legacy.i386.rpm
1c00535c2fd6314aba666132c49b62850387fa2e redhat/7.3/updates-testing/i386/openssl-0.9.6b-39.10.legacy.i386.rpm
eb04713acd216bf3e2b46ed11f5627af2937d726 redhat/7.3/updates-testing/i386/openssl-0.9.6b-39.10.legacy.i686.rpm
5339f0df2ca59678b043c356000c80d6a06350e9 redhat/7.3/updates-testing/i386/openssl-devel-0.9.6b-39.10.legacy.i386.rpm
602fb4b040aa26656f60771e56495f894da7a7d1 redhat/7.3/updates-testing/i386/openssl-perl-0.9.6b-39.10.legacy.i386.rpm
94c051599af2faaaf771df548c801d8f046b2d94 redhat/7.3/updates-testing/SRPMS/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
876c535d8b28b2ffa22be646aa7021c57a62046c redhat/7.3/updates-testing/SRPMS/openssl096-0.9.6-25.11.legacy.src.rpm
046b9d93eee9dcd9b69f89f185ad3065c78fd4ec redhat/7.3/updates-testing/SRPMS/openssl-0.9.6b-39.10.legacy.src.rpm

rh9:
a404db788cdcdf1b267dde272dd6db3cf1891ba2 redhat/9/updates-testing/i386/openssl096-0.9.6-25.12.legacy.i386.rpm
11cf0a7546f054b5fcff676a88deb27e45cdb0cd redhat/9/updates-testing/i386/openssl096b-0.9.6b-15.3.legacy.i386.rpm
62eb39923eb2a98a1749a58a28fce5c425587387 redhat/9/updates-testing/i386/openssl-0.9.7a-20.6.legacy.i386.rpm
e97a1fb8963711a2c97e298173d30fe64abd7a3f redhat/9/updates-testing/i386/openssl-0.9.7a-20.6.legacy.i686.rpm
dca80e912b43137b71e966cdc956b50324fd59fc redhat/9/updates-testing/i386/openssl-devel-0.9.7a-20.6.legacy.i386.rpm
1f34a94f36d3b7fa56b633fc134eac3d99a08f45 redhat/9/updates-testing/i386/openssl-perl-0.9.7a-20.6.legacy.i386.rpm
daa7c0eb8f988a152db550398ec6c3e9ad08418e redhat/9/updates-testing/SRPMS/openssl096-0.9.6-25.12.legacy.src.rpm
beff357b1eabf4dbd89bd2776d83ad8157e4668b redhat/9/updates-testing/SRPMS/openssl096b-0.9.6b-15.3.legacy.src.rpm
d010302930f88638255581d7f4d8d245fc5f1f4f redhat/9/updates-testing/SRPMS/openssl-0.9.7a-20.6.legacy.src.rpm

fc1:
6e2a5333e1a41cf7c87b0bd704f37ebeefb19011 fedora/1/updates-testing/i386/openssl096-0.9.6-26.3.legacy.i386.rpm
aca4f861c4dde379cec5351f56c7aec4b2e47310 fedora/1/updates-testing/i386/openssl096b-0.9.6b-18.3.legacy.i386.rpm
620c574712782b4e349ed1392d1d674507a146cc fedora/1/updates-testing/i386/openssl-0.9.7a-33.13.legacy.i386.rpm
5518b5e24176b056dae1e653a4abb9f2dd227d99 fedora/1/updates-testing/i386/openssl-0.9.7a-33.13.legacy.i686.rpm
5ce78af8e1d18ec2deb174ac6fdce6e84c68e46a fedora/1/updates-testing/i386/openssl-devel-0.9.7a-33.13.legacy.i386.rpm
1bee0f14e627fde0951377e1bf2f90b190152967 fedora/1/updates-testing/i386/openssl-perl-0.9.7a-33.13.legacy.i386.rpm
0d7079c953bb754c45c5a0231c5b292b814ce3f6 fedora/1/updates-testing/SRPMS/openssl096-0.9.6-26.3.legacy.src.rpm
8350ee0de5d81a3a0a842745997f89f8aae9e37f fedora/1/updates-testing/SRPMS/openssl096b-0.9.6b-18.3.legacy.src.rpm
b116a8978d0ea6720193ac67c927d1c07eb122c4 fedora/1/updates-testing/SRPMS/openssl-0.9.7a-33.13.legacy.src.rpm

fc2:
0b4dd57385c42886afbd62bc17c3b10fb3b28d38 fedora/2/updates-testing/i386/openssl096b-0.9.6b-20.3.legacy.i386.rpm
d8773965612fda44388b73296ba8fb9caea9db1f fedora/2/updates-testing/i386/openssl-0.9.7a-35.2.legacy.i386.rpm
45c1a884034056c1f3f31f6a61af617a44a31e47 fedora/2/updates-testing/i386/openssl-0.9.7a-35.2.legacy.i686.rpm
24f03de813df1d534d3d847fde68ffd603a2e234 fedora/2/updates-testing/i386/openssl-devel-0.9.7a-35.2.legacy.i386.rpm
a990c20059b07984cc06a1029219b713650b0cfd fedora/2/updates-testing/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm
b39cd980bda3350d69ee5a4da934fb54c956c965 fedora/2/updates-testing/SRPMS/openssl096b-0.9.6b-20.3.legacy.src.rpm
63d5d41cd2be5a010c2ad2c6276f0ddba2948e38 fedora/2/updates-testing/SRPMS/openssl-0.9.7a-35.2.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
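The checks below are an added example and are not part of the Fedora Legacy advisory or of the OpenSSL project. They cover three points the advisory raises: the SSL 2.0 rollback (CVE-2005-2969), whose target disappears entirely if a server refuses SSLv2 (the work-around the advisory describes is OpenSSL's SSL_OP_MSIE_SSLV2_RSA_PADDING option, which SSL_OP_ALL turns on); verifying the downloaded RPMs against the sha1sum list above; and the note that services must be restarted after the upgrade, which is checked by looking for processes whose mapped libssl or libcrypto has been replaced on disk. The mod_ssl configuration path, the /proc/<pid>/maps layout, and all sample inputs in the usage comments are assumptions or constructed data, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory): checks to run around this update.
#   sslv2_status             - does a mod_ssl config still allow SSLv2, the
#                              protocol CVE-2005-2969 rolls a client back to?
#   advisory_to_sha1sum_list - turn the advisory's "<sha1> <path>" lines into
#                              input for "sha1sum -c" over the downloaded RPMs.
#   stale_openssl_pids       - after the upgrade, list processes still running
#                              the old libssl/libcrypto and needing a restart.
# Config path and /proc layout are assumptions about the target host.

# Print "sslv2-enabled" or "sslv2-disabled" for one mod_ssl config file.
# mod_ssl's SSLProtocol defaults to "all" when the directive is absent, so a
# file with no SSLProtocol line counts as enabled. Include files and per-vhost
# scoping are not followed; run it on each file that carries SSL directives.
sslv2_status() {
    awk '
        BEGIN { seen = 0; any = 0 }
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") v2 = 1
                else if (t == "-sslv2") v2 = 0
            }
            if (v2) any = 1
        }
        END {
            if (!seen || any) print "sslv2-enabled"; else print "sslv2-disabled"
        }
    ' "$1"
}

# Read advisory text on stdin; emit "<sha1>  <basename>" lines, the format
# "sha1sum -c" expects when the RPMs sit in the current directory. Only lines
# that start with a 40-hex-digit hash followed by an .rpm path are kept.
advisory_to_sha1sum_list() {
    awk 'length($1) == 40 && $1 ~ /^[0-9a-f]+$/ && $2 ~ /\.rpm$/ {
            n = split($2, part, "/")
            print $1 "  " part[n]
        }'
}

# Succeed if a /proc/<pid>/maps file maps a libssl or libcrypto whose file on
# disk has been replaced; the kernel marks such mappings "(deleted)".
maps_has_stale_openssl() {
    grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1" >/dev/null 2>&1
}

# Walk every process and print "<pid> <cmdline>" for the stale ones.
stale_openssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_openssl "$maps"; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Usage (with no argument nothing runs, so the file can be sourced):
#   sh openssl-update-checks.sh sslv2 /etc/httpd/conf.d/ssl.conf
#   sh openssl-update-checks.sh sha1 < advisory.txt > SHA1SUMS && sha1sum -c SHA1SUMS
#   sh openssl-update-checks.sh stale
case "${1:-}" in
    sslv2) sslv2_status "$2" ;;
    sha1)  advisory_to_sha1sum_list ;;
    stale) stale_openssl_pids ;;
esac
```

The sha1 comparison only confirms the download matches what the advisory lists; the authoritative check is the package signature, `rpm --checksig <file>.rpm` with the Fedora Legacy signing key imported. On an OpenSSL of this era the live counterpart of `sslv2_status` is `openssl s_client -ssl2 -connect host:443`; a server that completes that handshake is still reachable by the rollback regardless of its library version. Any PID reported by `stale_openssl_pids` is a daemon the advisory's restart note applies to.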
--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list