openssl-0.9.8e-12.AXS3.6
Errata ID: AXSA:2010-154:01
Release date:
2010/03/26 Friday - 16:12
Title:
openssl-0.9.8e-12.AXS3.6
Affected channels:
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- OpenSSL does not check for a NULL return value from the bn_wexpand function, a vulnerability whose impact when triggered by an attacker is unspecified. (CVE-2009-3245)
- The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols contain a vulnerability in the renegotiation feature. (CVE-2009-3555)
- In OpenSSL's kssl_keytab_is_available function, when Kerberos is enabled but the Kerberos configuration files cannot be opened, a certain return value is not checked, allowing a remote attacker to cause a denial of service (NULL pointer dereference and daemon crash). (CVE-2010-0433)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2009-3245
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
CVE-2009-3555
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVE-2010-0433
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.
Additional information:
This package is required by the latest httpd package.
Download:
Asianux Server 3 for x86
- openssl-0.9.8e-12.AXS3.6.i686.rpm
MD5: 86f78cf6c1674d4fb837d900d34c56f4
SHA-256: 494466bceb121a110e38d36d592c866fc86e9a9999ab4e6462142019ed0cb6d7
Size: 1.43 MB
- openssl-0.9.8e-12.AXS3.6.i386.rpm
MD5: ae175f4d0b0e8110506cfa79378f6da8
SHA-256: a2be053398e7bd59edd0d56d9a3cfc0ed78038ab06767f9c02d16ea016d03c86
Size: 1.45 MB
- openssl-devel-0.9.8e-12.AXS3.6.i386.rpm
MD5: ed65239c650097e84263026c5a58114d
SHA-256: 1422d6cf9d952eb0c736933b571b080f73122b6b189af862996400e94d1c1707
Size: 1.90 MB
- openssl-perl-0.9.8e-12.AXS3.6.i386.rpm
MD5: 18219e16dea48eb6b0b83ab51038beaa
SHA-256: 6d841bc21fe423c3b5b2869f875ee460fe5f7c026522360d66b72e5d30c1b2dc
Size: 34.84 kB
Asianux Server 3 for x86_64
- openssl-0.9.8e-12.AXS3.6.x86_64.rpm
MD5: 061d57d3677b647e4c753e221083a162
SHA-256: df5353cc4a9365b33d1a0b14c7bea52e04f6ceb2e06cbc6ac49279d96c423239
Size: 1.44 MB
- openssl-devel-0.9.8e-12.AXS3.6.x86_64.rpm
MD5: 32c904c8cf1a1f00644a2c79291b2c6d
SHA-256: d4fb746633545f74b12aa7fe33548d14347bfe432300d2558e3c8cf296776ca2
Size: 1.88 MB
- openssl-perl-0.9.8e-12.AXS3.6.x86_64.rpm
MD5: acce841bf939a528bb1cb0095f820fb6
SHA-256: 1973eb5c3da1b2e0a6389bd5bada6e62a976965648955ab65c1304143805abe8
Size: 34.80 kB
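The hashes above are only useful if they are checked before the RPMs are installed. The following script is an added example and is not part of the Asianux advisory or of the OpenSSL project: it compares a downloaded file's SHA-256 with the value published here and can process a whole manifest of "digest filename" lines. The download directory in the usage comment is a placeholder; the digest quoted there is the advisory's own value for the x86_64 openssl package.

```shell
#!/bin/sh
# Added example: verify downloaded RPMs against the SHA-256 values published
# in the errata before installing them. Not code from the advisory itself.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE, using sha256sum
# (coreutils) or, where that is absent, shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: return 0 when FILE's digest equals EXPECTED
# (compared case-insensitively), 1 on mismatch, 2 when FILE cannot be read.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "UNREADABLE $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# verify_manifest MANIFEST: MANIFEST holds one "digest filename" pair per
# line (the layout sha256sum prints). Returns the number of files that did
# not verify, so 0 means every listed package matched.
verify_manifest() {
    fails=0
    while read -r sum name; do
        [ -n "$sum" ] || continue
        verify_sha256 "$name" "$sum" || fails=$((fails + 1))
    done < "$1"
    return "$fails"
}

# Usage (placeholder directory; digest copied from the advisory): install
# only after the digest has been confirmed.
# verify_sha256 /path/to/downloads/openssl-0.9.8e-12.AXS3.6.x86_64.rpm \
#     df5353cc4a9365b33d1a0b14c7bea52e04f6ceb2e06cbc6ac49279d96c423239 \
#   && rpm -Uvh /path/to/downloads/openssl-0.9.8e-12.AXS3.6.x86_64.rpm
```

Pasting the advisory's SHA-256 lines into a manifest file and running verify_manifest over it checks every package of one channel in a single pass; a non-zero exit means at least one file was altered or truncated in transit and must not be installed. MD5 is also listed in the advisory, but SHA-256 is the value worth checking.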