-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2125-1 security@debian.org http://www.debian.org/security/ Stefan Fritsch November 22, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : openssl Vulnerability : buffer overflow Problem type : remote Debian-specific: no Debian Bug : 603709 CVE Id(s) : CVE-2010-3864 A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. This allows an attacker to cause an appliation crash or potentially to execute arbitrary code. However, not all OpenSSL based SSL/TLS servers are vulnerable: A server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected. This upgrade fixes this issue. After the upgrade, any services using the openssl libraries need to be restarted. The checkrestart script from the debian-goodies package or lsof can help to find out which services need to be restarted. A note to users of the tor packages from the Debian backports or Debian volatile: This openssl update causes problems with some versions of tor. You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2, respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable is not affected by these problems. For the stable distribution (lenny), the problem has been fixed in openssl version 0.9.8g-15+lenny9. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.9.8o-3. We recommend that you upgrade your openssl packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny (stable) - ----------------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.dsc Size/MD5 checksum: 1973 1efb69f23999507bf2e74f5b848744af http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9.diff.gz Size/MD5 checksum: 60451 9aba44ed40b0c9c8ec82bd6cd33c44b8 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_alpha.deb Size/MD5 checksum: 2583248 3b3f0cbec4ec28eb310466237648db8f http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_alpha.deb Size/MD5 checksum: 1028998 79fe8cdd601aecd9f956033a04fb8da5 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_alpha.udeb Size/MD5 checksum: 722114 a388304bf86381229c306e79a5e85bf8 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_alpha.deb Size/MD5 checksum: 2814160 e0f6fc697f5e9c87b44aa15eb58c3ea8 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_alpha.deb Size/MD5 checksum: 4369318 c3cf8c7ec27f86563c34f45e986e17c4 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_amd64.deb Size/MD5 checksum: 975850 778916e8b0df8e216121cd5185d7ca43 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_amd64.deb Size/MD5 checksum: 2243180 ff6a898ccd6fb49d5fbec9f4bd3cb6da http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_amd64.udeb Size/MD5 checksum: 638414 9ea111d66ac5f394d35fb69defa5dd27 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_amd64.deb Size/MD5 checksum: 1627632 9f08e1da5cf9279cee4700e89dc6ee6d http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_amd64.deb Size/MD5 checksum: 1043320 9ada82a7417c0d714a38c3a7184c2401 arm architecture (ARM) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_arm.udeb Size/MD5 checksum: 536038 a9c90bb3ad326fa43c1285c1768df046 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_arm.deb Size/MD5 checksum: 2087048 bded4e624fcf0791ae0885aa18d99123 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_arm.deb Size/MD5 checksum: 1028894 20784774078f02ef7e9db2ddbd7d5548 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_arm.deb Size/MD5 checksum: 1490666 700c80efddb108b3e2a65373cc10dcc8 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_arm.deb Size/MD5 checksum: 844426 4cad5651a6d37ab19fb80b05a423598d armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_armel.deb Size/MD5 checksum: 1029206 6c6c35731ecacfc0280520097ee183d4 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_armel.udeb Size/MD5 checksum: 540780 3b9ab48015bbd4dfc1ab205b42f1113d http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_armel.deb Size/MD5 checksum: 2100958 fbf2c222a504e09e30f73cb0740a73a5 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_armel.deb Size/MD5 checksum: 1504318 8eaa760844c1b81d0f8bd21bdc7ca1d0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_armel.deb Size/MD5 checksum: 850286 3e656a0805eb31600f8e3e520a2a6e36 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_hppa.deb Size/MD5 checksum: 2268562 8cb4805915dfde8326fde4281c9aaa76 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_hppa.deb Size/MD5 checksum: 969104 805c95116706c82051a5d08efce729e5 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_hppa.deb Size/MD5 checksum: 1047026 2e06d411c0a8764db3504638d3b59ef9 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_hppa.deb Size/MD5 checksum: 1528456 de6a4129635ee4565696198ce3423674 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_hppa.udeb Size/MD5 checksum: 634504 bab8594389626190b71ee97bfb46fa71 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_i386.deb Size/MD5 checksum: 2108452 d75ba6c13fc77dd3eefddde480a05231 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_i386.deb Size/MD5 checksum: 5393290 14bf0f44b8c802e47834234be834d80b http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_i386.deb Size/MD5 checksum: 2977384 bf4c26767b006694843d036ebdca132a http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_i386.udeb Size/MD5 checksum: 591782 bf5007e22e4bd31445458a5379086103 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_i386.deb Size/MD5 checksum: 1035868 64085f2b106009533bda0309f08548af ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_ia64.deb Size/MD5 checksum: 2666530 42cdae406ce22e3e538f0d744f043a39 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_ia64.deb Size/MD5 checksum: 1465582 33c84255a9515a9a528cbf3df9398ef5 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_ia64.udeb Size/MD5 checksum: 865352 9cbc10e393eb3d30d34ea384c6f1f9f5 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_ia64.deb Size/MD5 checksum: 1105090 cc7485d310d4770c2b1e93c6d74dcc2b http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_ia64.deb Size/MD5 checksum: 1280654 fde186a4983ac6cafcd3d5ec7e1d6f98 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mips.deb Size/MD5 checksum: 1025868 8b7f565c4c0a15b15f20f2e074bb503a http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mips.deb Size/MD5 checksum: 900162 391ac436c8d7ed7b55a8ea9e90c7d8be http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mips.deb Size/MD5 checksum: 2307960 227ac5c7b409d061222b94bc40e8cd18 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mips.deb Size/MD5 checksum: 1622826 8a4f73d6cd497076490404a2dade26ba http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mips.udeb Size/MD5 checksum: 585108 d8447df55a530959b6cd9d5d3039c0da mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_mipsel.deb Size/MD5 checksum: 1012186 4a154b5c4d864f7dcd0bf019dfb41c5d http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_mipsel.deb Size/MD5 checksum: 1588308 1222eb6b1870602335ef0722b7047b6a http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_mipsel.udeb Size/MD5 checksum: 572370 a2535f616be099e9361a55637c3375d3 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_mipsel.deb Size/MD5 checksum: 2295070 7446121759684083870d5ae0d26969c0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_mipsel.deb Size/MD5 checksum: 885668 3745e7c578002628f78f02bd5afeb84f powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_powerpc.deb Size/MD5 checksum: 1643808 43814c865d098046bc1dca1920820354 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_powerpc.deb Size/MD5 checksum: 1047060 5c45e5a5d02f856cb9dc29029d0b5557 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_powerpc.udeb Size/MD5 checksum: 656166 309fdeebe15bbecbe8c55dbd5ddbdd3a http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_powerpc.deb Size/MD5 checksum: 997540 f4bf73493f3964b8a23bdd424694f079 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_powerpc.deb Size/MD5 checksum: 2251238 35f6f59b07e57eb538da19545a733d5f s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_s390.udeb Size/MD5 checksum: 693040 26cab41169c6b8f64ce7936a2ea65a7b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_s390.deb Size/MD5 checksum: 1051130 f67b4fd152e1175f81022ffd345d6c78 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_s390.deb Size/MD5 checksum: 2231782 c7796fff8c97bbf0c5ab69440cbd50f9 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_s390.deb Size/MD5 checksum: 1602496 a9595ac98fc11015dd4bb2634416197b http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_s390.deb Size/MD5 checksum: 1024562 ff293933ef4eb5e952659fe7caf82c8b sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny9_sparc.deb Size/MD5 checksum: 2290536 e5c655fbcc524fe7bb56945cc8b2f5d1 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny9_sparc.deb Size/MD5 checksum: 3868850 b9cbaa2cbb2cfa4aa1dce984148dba4b http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny9_sparc.deb Size/MD5 checksum: 2146488 d0c17736c2b26a97491e34321ffff3f5 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny9_sparc.udeb Size/MD5 checksum: 580510 28ab74855c8a34bb002b44fd7ecb8997 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny9_sparc.deb Size/MD5 checksum: 1043044 d78ffaf44d1177b05fa0cfb02d76128a These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFM6s9pbxelr8HyTqQRAiJhAJ0Y0CILcBegVemwxzdg+Hhf9vdZfwCdFjaL oaCxRqRAbcvYcQGmQ289dj0= =Ckey -----END PGP SIGNATURE-----