openssl-0.9.8e-12.AXS3.1
Errata ID: AXSA:2010-70:01
Release date:
2010/01/22 Friday - 14:06
Title:
openssl-0.9.8e-12.AXS3.1
Affected channels:
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
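The following issues have been addressed.
[Security Fix]
- Mozilla Network Security Services (NSS), which is used by Firefox and other products, contains a vulnerability that allows X.509 certificates to be spoofed. (CVE-2009-2409)
- The zlib_stateful_finish function in OpenSSL contains a memory leak, which allows a remote attacker to cause a denial of service (memory consumption), triggered by incorrect calls to the CRYPTO_free_all_ex_data function. (CVE-2009-4355)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.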
CVE:
CVE-2009-2409
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
CVE-2009-4355
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Additional information:
N/A
Downloads:
SRPMS
- openssl-0.9.8e-12.AXS3.1.src.rpm
MD5: 48b7b5ed140a4d948854ded9bb034fa0
SHA-256: dfbbcc87ee0d40640e9a1b23d8789430b968579df1900484ff8232fc99cb6705
Size: 3.09 MB
Asianux Server 3 for x86
- openssl-0.9.8e-12.AXS3.1.i686.rpm
MD5: ea63d54a75cc31bca92a0dfa204dade3
SHA-256: 02a88cbd61ab4245ac320a0ad463ab57e5683afd3f483e2b6fe52e8ef5ac0220
Size: 1.43 MB
- openssl-0.9.8e-12.AXS3.1.i386.rpm
MD5: a61c811c3ac3d24c7f2146c68901fb44
SHA-256: 148351657cce10ae993c77405260a21188c9e5d52646bc57dddb6498e3db048d
Size: 1.45 MB
- openssl-devel-0.9.8e-12.AXS3.1.i386.rpm
MD5: d6c37867c6da74eecba077cd74872025
SHA-256: 8399c9c71102cf31a61d57cc721b4c4b052d688590aebe852c3e712b919c1150
Size: 1.89 MB
- openssl-perl-0.9.8e-12.AXS3.1.i386.rpm
MD5: 3032920ba4781359fdda2aae0c365417
SHA-256: e39aaf1311030d9c2b1d9d40c9bba769478c2802cb10b7f95d5a700b0dbba868
Size: 34.08 kB
Asianux Server 3 for x86_64
- openssl-0.9.8e-12.AXS3.1.x86_64.rpm
MD5: fc795ae598d72560a2f5290b339d73b5
SHA-256: b8cc2d17f427096cf6cfabb5e970c41eff1816fe17445af9f293c7c5287fce45
Size: 1.43 MB
- openssl-devel-0.9.8e-12.AXS3.1.x86_64.rpm
MD5: 5a6ac924e200a46c4b0b8e3dad5907b2
SHA-256: 9f078681760a9d363bd45f87dbe0bcc34972d6d5bbc97a8456a001bec99c78f1
Size: 1.87 MB
- openssl-perl-0.9.8e-12.AXS3.1.x86_64.rpm
MD5: 3c000e7c0dba8f22a89cdb1c29e183ed
SHA-256: b367dba1751abd5e54f9cff94253d27d656543ece114cbd17db1cf4909c21ac0
Size: 34.03 kB