Bug 3977 - openssl missing security update for CVE-2011-1945, CVE-2011-3207, and CVE-2011-3210
Summary: openssl missing security update for CVE-2011-1945, CVE-2011-3207, and CVE-201...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-01-01 02:53 CET by David Walser
Modified: 2012-01-04 14:27 CET (History)
7 users (show)

See Also:
Source RPM: openssl
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-01-01 02:53:59 CET 
Mandriva issued this advisory on September 28:
http://lists.mandriva.com/security-announce/2011-09/msg00022.php

This can be fixed by using MDV's patches or upgrading to 1.0.0e.
Comment 1 Manuel Hiebel 2012-01-01 12:35:07 CET 
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => arnaud.patard, fundawang, mageia, pterjan
Source RPM: openssl-1.0.0d-2.mga1.src.rpm => openssl
Severity: normal => major

Comment 2 D Morgan 2012-01-01 13:47:55 CET 
just pushed with patches in update_testing

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2012-01-01 18:13:58 CET 
Tested successfully on i586 by testing openssh and apache-mod_ssl.
Comment 4 claire robinson 2012-01-03 12:20:17 CET 
x86_64

The following 5 packages are going to be installed:

- lib64openssl-devel-1.0.0d-2.1.mga1.x86_64
- lib64openssl-engines1.0.0-1.0.0d-2.1.mga1.x86_64
- lib64openssl-static-devel-1.0.0d-2.1.mga1.x86_64
- lib64openssl1.0.0-1.0.0d-2.1.mga1.x86_64
- openssl-1.0.0d-2.1.mga1.x86_64

Accessed zoneminder & phpmyadmin via https

Testing complete x86_64

SRPM: openssl-1.0.0d-2.1.mga1.src.rpm

Advisory
-----------------
openssl security update for CVE-2011-1945, CVE-2011-3207, and CVE-2011-3210
-----------------

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2012-01-04 14:24:13 CET 
Update pushed.

BTW, there was _way_ to little info in advisory for CVE fixes.

I added the following:

* The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
  earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
  is used for the ECDHE_ECDSA cipher suite, does not properly implement
  curves over binary fields, which makes it easier for context-dependent
  attackers to determine private keys via a timing attack and a lattice
  calculation.
  (CVE-2011-1945)

* crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize
  certain structure members, which makes it easier for remote attackers to
  bypass CRL validation by using a nextUpdate value corresponding to a time
  in the past. 
  (CVE-2011-3207)

* The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
  0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during 
  processing of handshake messages, which allows remote attackers to cause
  a denial of service (application crash) via out-of-order messages that
  violate the TLS protocol. 
  (CVE-2011-3210)

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 6 claire robinson 2012-01-04 14:27:08 CET 
Thankyou, I didn't have anything to work from.
Note You need to log in before you can comment on or make changes to this bug.