Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > June 2005 > Mandriva - Two Security Update Advisories: 1. Updated openssl packages fix vulnerabilities [MDKSA-2005:096] -- 2. Updated a2ps packages fix temporary file vulnerabilities [MDKSA-2005:097]

June 2005

Mandriva - Two Security Update Advisories: 1. Updated openssl packages fix vulnerabilities [MDKSA-2005:096] -- 2. Updated a2ps packages fix temporary file vulnerabilities [MDKSA-2005:097]

ID: 00465
Ref: 430/2005
Date: 08 June 2005:16:32:56
Version: 1
Title: Mandriva - Two Security Update Advisories: 1. Updated openssl packages fix vulnerabilities [MDKSA-2005:096] -- 2. Updated a2ps packages fix temporary file vulnerabilities [MDKSA-2005:097]
Abstract:
Vendors affected: Mandriva
Operating systems affected: Mandriva
Applications affected: Mandriva

Title
=====
Mandriva - Two Security Update Advisories:
1. Updated openssl packages fix vulnerabilities [MDKSA-2005:096]
2. Updated a2ps packages fix temporary file vulnerabilities [MDKSA-2005:097]

Detail
======

Security Update Advisory summaries:

1. There us a cache timing attack that could be used to allow a malicious local
user to gain portions of cryptographic keys (CAN-2005-0109). The patch was
designed to mitigate cache timing and possibly related attacks.

2. The fixps and psmandup scripts, part of the a2ps package, are vulnerable to
symlink attacks which could allow a local attacker to overwrite arbitrary
files. The updated packages have been patched to correct the problem.


Security Update Advisory content follows:


1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: openssl
Advisory ID: MDKSA-2005:096
Date: June 6th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________

Problem Description:

Colin Percival reported a cache timing attack that could be used to
allow a malicious local user to gain portions of cryptographic keys
(CAN-2005-0109). The OpenSSL library has been patched to add a new
fixed-window mod_exp implementation as default for RSA, DSA, and DH
private key operations. The patch was designed to mitigate cache
timing and possibly related attacks.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0109
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
cee49155c0a92bb8135a319fd7932c91 10.0/RPMS/libopenssl0.9.7-0.9.7c-3.2.100mdk.i586.rpm
2c80ea6436e6a6c6466a917f52d2390c 10.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.2.100mdk.i586.rpm
52d0e353df687a95873de42742662654 10.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.2.100mdk.i586.rpm
292de5de390f0ef4692d31309b9bde11 10.0/RPMS/openssl-0.9.7c-3.2.100mdk.i586.rpm
ee45559e7e24574e13c6a67c74f7133d 10.0/SRPMS/openssl-0.9.7c-3.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
e301b8be00577ccc4e2b1efd7f413179 amd64/10.0/RPMS/lib64openssl0.9.7-0.9.7c-3.2.100mdk.amd64.rpm
f8c587ca420c66ca24e951b59834c963 amd64/10.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.2.100mdk.amd64.rpm
a06d5783022cd8a9b5c79c680661d174 amd64/10.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.2.100mdk.amd64.rpm
464d4ea1d39a0679108adb8ac165cdce amd64/10.0/RPMS/openssl-0.9.7c-3.2.100mdk.amd64.rpm
ee45559e7e24574e13c6a67c74f7133d amd64/10.0/SRPMS/openssl-0.9.7c-3.2.100mdk.src.rpm

Mandrakelinux 10.1:
de2ad60c1e4f2a65530e306de708dcbd 10.1/RPMS/libopenssl0.9.7-0.9.7d-1.2.101mdk.i586.rpm
f061104d9da8c4321a724b3497eadf44 10.1/RPMS/libopenssl0.9.7-devel-0.9.7d-1.2.101mdk.i586.rpm
5733754aba4dfe0d216a9d2c3a586fc3 10.1/RPMS/libopenssl0.9.7-static-devel-0.9.7d-1.2.101mdk.i586.rpm
d85002e7e972e92649143f32843921c2 10.1/RPMS/openssl-0.9.7d-1.2.101mdk.i586.rpm
ae8b9201966a40154c936e86c66ed6ee 10.1/SRPMS/openssl-0.9.7d-1.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
9cb7b4a822ee946c9bfbfd58eab266db x86_64/10.1/RPMS/lib64openssl0.9.7-0.9.7d-1.2.101mdk.x86_64.rpm
8d3cee9ae100bdc96680d1f2981c605c x86_64/10.1/RPMS/lib64openssl0.9.7-devel-0.9.7d-1.2.101mdk.x86_64.rpm
d5567a5ed0e73448718be767d15c909f x86_64/10.1/RPMS/lib64openssl0.9.7-static-devel-0.9.7d-1.2.101mdk.x86_64.rpm
7fd69749f62ac883da9d5c25a6a9d20b x86_64/10.1/RPMS/openssl-0.9.7d-1.2.101mdk.x86_64.rpm
ae8b9201966a40154c936e86c66ed6ee x86_64/10.1/SRPMS/openssl-0.9.7d-1.2.101mdk.src.rpm

Mandrakelinux 10.2:
b1eeb36b807c8f4aa28d206045d43a9f 10.2/RPMS/libopenssl0.9.7-0.9.7e-5.1.102mdk.i586.rpm
ac3d69c0b6f943ad93bb234d6af9c744 10.2/RPMS/libopenssl0.9.7-devel-0.9.7e-5.1.102mdk.i586.rpm
56ca2ecdb9bde08be0b04224f53269eb 10.2/RPMS/libopenssl0.9.7-static-devel-0.9.7e-5.1.102mdk.i586.rpm
2aa7bb69baacd4e552ffcd1a262e4ba4 10.2/RPMS/openssl-0.9.7e-5.1.102mdk.i586.rpm
182440988393b2c33dd7d350b4f8ec60 10.2/SRPMS/openssl-0.9.7e-5.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
5ca7610752c8170145c94aeeddedbc1e x86_64/10.2/RPMS/lib64openssl0.9.7-0.9.7e-5.1.102mdk.x86_64.rpm
9a1b5b77a6dddbc10355d88de59206eb x86_64/10.2/RPMS/lib64openssl0.9.7-devel-0.9.7e-5.1.102mdk.x86_64.rpm
d33fef3346899531526124ccf00f0c5f x86_64/10.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7e-5.1.102mdk.x86_64.rpm
7ab4a343b30ab609360ff7ce0b89a350 x86_64/10.2/RPMS/openssl-0.9.7e-5.1.102mdk.x86_64.rpm
182440988393b2c33dd7d350b4f8ec60 x86_64/10.2/SRPMS/openssl-0.9.7e-5.1.102mdk.src.rpm

Corporate Server 2.1:
6501a7b2d19013ca711281fb353dea0b corporate/2.1/RPMS/libopenssl0-0.9.6i-1.9.C21mdk.i586.rpm
d559b800134dd67dbb7f012fc48a807b corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.9.C21mdk.i586.rpm
b6125ddcc2ba183ce6c1da6a3d1a636f corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.9.C21mdk.i586.rpm
c2fb9fbd3ccbc10615d291fbfff2c24a corporate/2.1/RPMS/openssl-0.9.6i-1.9.C21mdk.i586.rpm
eeb2c5885af72a4bbe7bb67defa1dc3d corporate/2.1/SRPMS/openssl-0.9.6i-1.9.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
16deadec23cf0f734428c54cd30d77c1 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.9.C21mdk.x86_64.rpm
8ebda70886c54271c9717310e58f7cf0 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.9.C21mdk.x86_64.rpm
3e71a68e38fc41d553ac0ccd113b2062 x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.9.C21mdk.x86_64.rpm
34e577f8a74f1ccb5256da88871f175b x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.9.C21mdk.x86_64.rpm
eeb2c5885af72a4bbe7bb67defa1dc3d x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.9.C21mdk.src.rpm

Corporate 3.0:
dad75a0c76174530ef85eaa43b1027d0 corporate/3.0/RPMS/libopenssl0.9.7-0.9.7c-3.2.C30mdk.i586.rpm
b3d0b4c5e81bd5c8be7205be1aa3d6a8 corporate/3.0/RPMS/libopenssl0.9.7-devel-0.9.7c-3.2.C30mdk.i586.rpm
28ce0bb5d23162464e072676ff114ed2 corporate/3.0/RPMS/libopenssl0.9.7-static-devel-0.9.7c-3.2.C30mdk.i586.rpm
4ee3247a813b1ddc5846d8e8cd3d683b corporate/3.0/RPMS/openssl-0.9.7c-3.2.C30mdk.i586.rpm
17755643bd9ab4d1e77c9299b4f98c6a corporate/3.0/SRPMS/openssl-0.9.7c-3.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
1584bf57d460c30fdf46f9418066bcb7 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-0.9.7c-3.2.C30mdk.x86_64.rpm
cbc8670bab2a5bfb0cb4ec7c5156b1b2 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-devel-0.9.7c-3.2.C30mdk.x86_64.rpm
9e31e783e4e0f97cb4c2b746844acba7 x86_64/corporate/3.0/RPMS/lib64openssl0.9.7-static-devel-0.9.7c-3.2.C30mdk.x86_64.rpm
a3fe1a197f4e88179cc07b58ff4602fa x86_64/corporate/3.0/RPMS/openssl-0.9.7c-3.2.C30mdk.x86_64.rpm
17755643bd9ab4d1e77c9299b4f98c6a x86_64/corporate/3.0/SRPMS/openssl-0.9.7c-3.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCpSTumqjQ0CJFipgRAvvAAKCu68pGzh3Kj4liHEUGO61TguiXmQCg63RI
+L74N1O01IKjacoZAeVi7ws=
=YHE9
- -----END PGP SIGNATURE-----



2.



- ----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: a2ps
Advisory ID: MDKSA-2005:097
Date: June 7th, 2005

Affected versions: 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________

Problem Description:

The fixps and psmandup scripts, part of the a2ps package, are
vulnerable to symlink attacks which could allow a local attacker to
overwrite arbitrary files. The updated packages have been patched to
correct the problem.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1377
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.1:
938d5b703cbeb762efd5619880208497 10.1/RPMS/a2ps-4.13b-5.2.101mdk.i586.rpm
e0e7a61ec86b0af969cbe60008e6830f 10.1/RPMS/a2ps-devel-4.13b-5.2.101mdk.i586.rpm
fce5b28393e1c8da6e0ea1ebdb1a2de6 10.1/RPMS/a2ps-static-devel-4.13b-5.2.101mdk.i586.rpm
05f8fdc46bded4e920c709a781c98550 10.1/SRPMS/a2ps-4.13b-5.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
fc1fd3817e4f41ea41758a3ac53e86cd x86_64/10.1/RPMS/a2ps-4.13b-5.2.101mdk.x86_64.rpm
84541cd7d841c64ceccb89f2a413d450 x86_64/10.1/RPMS/a2ps-devel-4.13b-5.2.101mdk.x86_64.rpm
acf595ef3b6f3d2a79204feec3e34208 x86_64/10.1/RPMS/a2ps-static-devel-4.13b-5.2.101mdk.x86_64.rpm
05f8fdc46bded4e920c709a781c98550 x86_64/10.1/SRPMS/a2ps-4.13b-5.2.101mdk.src.rpm

Mandrakelinux 10.2:
47722386507aa7fb8c4ddbbbbcc4a20c 10.2/RPMS/a2ps-4.13b-6.1.102mdk.i586.rpm
190e48d0b4143ac0ad911482e0b0151f 10.2/RPMS/a2ps-devel-4.13b-6.1.102mdk.i586.rpm
4d3d6cbd4ad35999c9bff1f61f890778 10.2/RPMS/a2ps-static-devel-4.13b-6.1.102mdk.i586.rpm
52a665ac72fec5e99b3e1412e6470063 10.2/SRPMS/a2ps-4.13b-6.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
37135cc64ba189c769851ba678532576 x86_64/10.2/RPMS/a2ps-4.13b-6.1.102mdk.x86_64.rpm
6f4cbd5624aac20e99703072131538c7 x86_64/10.2/RPMS/a2ps-devel-4.13b-6.1.102mdk.x86_64.rpm
4314538dcbb211c28f32abc64d9e3de8 x86_64/10.2/RPMS/a2ps-static-devel-4.13b-6.1.102mdk.x86_64.rpm
52a665ac72fec5e99b3e1412e6470063 x86_64/10.2/SRPMS/a2ps-4.13b-6.1.102mdk.src.rpm

Corporate Server 2.1:
65a7ea65f589533d0aca00a6a37760ff corporate/2.1/RPMS/a2ps-4.13-14.2.C21mdk.i586.rpm
45c465fc3e2165e6681cccda909fb91f corporate/2.1/RPMS/a2ps-devel-4.13-14.2.C21mdk.i586.rpm
273f20da1e895043ee719b964b7d2b55 corporate/2.1/RPMS/a2ps-static-devel-4.13-14.2.C21mdk.i586.rpm
58e6bdd04f757728aa63089f8b4249ac corporate/2.1/SRPMS/a2ps-4.13-14.2.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
d5cc8c0304f537acd89c575c7124a6c0 x86_64/corporate/2.1/RPMS/a2ps-4.13-14.2.C21mdk.x86_64.rpm
ee85486832fbdf9873c3acfa8b73bafe x86_64/corporate/2.1/RPMS/a2ps-devel-4.13-14.2.C21mdk.x86_64.rpm
84c3ca054e874346bc55daeb5fea0f9f x86_64/corporate/2.1/RPMS/a2ps-static-devel-4.13-14.2.C21mdk.x86_64.rpm
58e6bdd04f757728aa63089f8b4249ac x86_64/corporate/2.1/SRPMS/a2ps-4.13-14.2.C21mdk.src.rpm

Corporate 3.0:
859d494306ae1dca81186e2fe99b9a96 corporate/3.0/RPMS/a2ps-4.13b-5.2.C30mdk.i586.rpm
9bd2c39d7495f18412fcd0a1412f1169 corporate/3.0/RPMS/a2ps-devel-4.13b-5.2.C30mdk.i586.rpm
68be9c1420f80da9047bf2c7f41e861c corporate/3.0/RPMS/a2ps-static-devel-4.13b-5.2.C30mdk.i586.rpm
daba71e7aa523a71040a54e841bf9300 corporate/3.0/SRPMS/a2ps-4.13b-5.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
3d2e4b184d3ff5f19d5ce48762b25c41 x86_64/corporate/3.0/RPMS/a2ps-4.13b-5.2.C30mdk.x86_64.rpm
7edb5fa8542f0a8216e2670a668aaf04 x86_64/corporate/3.0/RPMS/a2ps-devel-4.13b-5.2.C30mdk.x86_64.rpm
aebaa6e7473f6fa84bd973df34ef3b96 x86_64/corporate/3.0/RPMS/a2ps-static-devel-4.13b-5.2.C30mdk.x86_64.rpm
daba71e7aa523a71040a54e841bf9300 x86_64/corporate/3.0/SRPMS/a2ps-4.13b-5.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCpgvJmqjQ0CJFipgRAheSAJ9orZvyngdNmOlbIwh4uRPqQi8tMACgmJxw
EiHp0Bt4ppEs0n/AGblpMuc=
=t8PQ
- -----END PGP SIGNATURE-----



  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |