Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Debian GNU/Linux Advsories: openssl, kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus

Mar 18, 2004, 14:25 (0 Talkback[s])

Debian Security Advisory DSA 465-1 security@debian.org
http://www.debian.org/security/ Matt Zimmerman
March 17th, 2004 http://www.debian.org/security/faq


Package : openssl,openssl094,openssl095
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0079 CAN-2004-0081

Two vulnerabilities were discovered in openssl, an implementation of the SSL protocol, using the Codenomicon TLS Test Tool. More information can be found in the following NISCC Vulnerability Advisory:

http://www.uniras.gov.uk/vuls/2004/224012/index.htm

and this OpenSSL advisory:

http://www.openssl.org/news/secadv_20040317.txt

  • CAN-2004-0079 - null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service.
  • CAN-2004-0081 - a bug in older versions of OpenSSL 0.9.6 that can lead to a Denial of Service attack (infinite loop).

For the stable distribution (woody) these problems have been fixed in openssl version 0.9.6c-2.woody.6, openssl094 version 0.9.4-6.woody.4 and openssl095 version 0.9.5a-6.woody.5.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you update your openssl package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.dsc
Size/MD5 checksum: 632 c12536a01aca47e52d17e22310acbdd7
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6.diff.gz
Size/MD5 checksum: 44829 7478b91c110b6f1e52cf459cb44c07e1
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.dsc
Size/MD5 checksum: 624 e10b520a03dc6a86acd3609ed390bf21
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.3.diff.gz
Size/MD5 checksum: 46851 5108530e438a6c00458fb034db238392
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
Size/MD5 checksum: 1570392 72544daea16d6c99d656b95f77b01b2d
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.dsc
Size/MD5 checksum: 631 0548af08e7b80fe2c7e73108bf352230
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.5.diff.gz
Size/MD5 checksum: 39190 837e26caaf8c22a566dbefdd6ffc56ea
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4

Architecture independent components:

http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.6_all.deb
Size/MD5 checksum: 980 be0ff309c754f9eb062bdc7d65a71819

Alpha architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_alpha.deb
Size/MD5 checksum: 1551564 72e47db6c9dcda4e5a6acf92a1ea2101
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_alpha.deb
Size/MD5 checksum: 571350 cfd18f4a40a6cffbbaef2f14f4e94aa1
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_alpha.deb
Size/MD5 checksum: 736410 f16961ca1e20d6f88f9bf99aa94b817b
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_alpha.deb
Size/MD5 checksum: 497332 066bc60aaa29ae1fb0d24c7c46a7e0cd

ARM architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_arm.deb
Size/MD5 checksum: 1358118 42ee5f1969cae9faee362fad210422da
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_arm.deb
Size/MD5 checksum: 474164 8ca5f15c012b6eb5bad33bf27180b9e1
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_arm.deb
Size/MD5 checksum: 729876 259449511f610538b0429ad552d627e9
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_arm.deb
Size/MD5 checksum: 402664 6c3c6fb33553e370d966161c44371eed

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_i386.deb
Size/MD5 checksum: 1290986 ee3f1bd5dc3de3e7dff6e945e73bf7b1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_i386.deb
Size/MD5 checksum: 461870 8d24ba643ce45cf495d775fa7062e53e
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_i386.deb
Size/MD5 checksum: 723346 e258d6e5c4e79767d1b75ae29a103a6d
http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.3_i386.deb
Size/MD5 checksum: 358500 92eb1693ec21ca108f0d06932ce4f9db
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_i386.deb
Size/MD5 checksum: 399952 068f0a3443cbebbd23571df0170cad84

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_ia64.deb
Size/MD5 checksum: 1615338 e59a7278d4d972943247b83d57e1712b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_ia64.deb
Size/MD5 checksum: 711170 bb0b97f071f942d23d2f7f5362c34c06
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_ia64.deb
Size/MD5 checksum: 763566 e3ebf464f440dbd86ae18c1b25ebac0f

HP Precision architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_hppa.deb
Size/MD5 checksum: 1435466 2c77d74ee8c1aaf6bebf02538f307ef6
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_hppa.deb
Size/MD5 checksum: 565020 9133258c424eadf23b659993439e4147
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_hppa.deb
Size/MD5 checksum: 742002 a5222dc5116da8dce774643cb09925bb

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_m68k.deb
Size/MD5 checksum: 1266746 94ce507777c7889cac278a1701bfa07d
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_m68k.deb
Size/MD5 checksum: 450742 cdb074142fb09b42b44d581bfe39f3b6
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_m68k.deb
Size/MD5 checksum: 720494 1c563a7eb888efbe767caf60d58d60c3
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_m68k.deb
Size/MD5 checksum: 376910 1976f00b903cbf56c3fecd8746bcdb13

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_mips.deb
Size/MD5 checksum: 1416298 3784e3df38ca0e7429ebc3bd3443a751
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_mips.deb
Size/MD5 checksum: 483772 781e99d232b8cb2d8eb2ffd7872be3cd
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_mips.deb
Size/MD5 checksum: 717852 f40b33d0bf0259121d73eb24d765c95d
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mips.deb
Size/MD5 checksum: 412764 6b1c44e692941adab697af4f9bc548d9

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.5_mipsel.deb
Size/MD5 checksum: 1410210 51022eaeba69faf250c2bec4384c399b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.5_mipsel.deb
Size/MD5 checksum: 476744 76be9bc27f5fe75f05ecf0a1b3a54f3c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.5_mipsel.deb
Size/MD5 checksum: 717148 047c9f61de01b84f73dc18a5b2e7c507
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_mipsel.deb
Size/MD5 checksum: 407554 98928a0620c1fef51662c4f03ef56de6

PowerPC architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_powerpc.deb
Size/MD5 checksum: 1386978 6e7b16a9bb3e2e780ef76408f516e760
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_powerpc.deb
Size/MD5 checksum: 502578 ad9b8b2222b035154fae759f1a1f6a29
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_powerpc.deb
Size/MD5 checksum: 726792 7a1881432528a890c0ca9800fc33b6c2
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_powerpc.deb
Size/MD5 checksum: 425652 43e11b5bc3ed981c2c68418cbafa37e2

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_s390.deb
Size/MD5 checksum: 1326484 663c1bd6518a284d2fde11ff5d728506
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_s390.deb
Size/MD5 checksum: 510582 61670cd45b446474caaae9fd7bac74b0
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_s390.deb
Size/MD5 checksum: 731686 6e5f1c96f5c0d1c78ed74b6f90d15e2d

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.6_sparc.deb
Size/MD5 checksum: 1344384 f383f9926645f06e8458c4f4cdf9c4b5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.6_sparc.deb
Size/MD5 checksum: 484864 76b6f3d6b33969295aa38b4285b4bc16
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.6_sparc.deb
Size/MD5 checksum: 737280 9f57ba959daa989b54b214ebbb8824a4
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.5_sparc.deb
Size/MD5 checksum: 412390 a596f5a5a4df199a088c86e96e3eae9b

These files will probably be moved into the stable distribution on its next revision.



Debian Security Advisory DSA 466-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
March 18th, 2004 http://www.debian.org/security/faq


Package : kernel-source-2.2.10, kernel-image-2.2.10-powerpc-apus
Vulnerability : failing function and TLB flush
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0077
CERT advisory : VU#981222

Paul Starzetz and Wojciech Purczynski of isec.pl discovered a critical security vulnerability in the memory management code of Linux inside the mremap(2) system call. Due to flushing the TLB (Translation Lookaside Buffer, an address cache) too early it is possible for an attacker to trigger a local root exploit.

The attack vectors for 2.4.x and 2.2.x kernels are exclusive for the respective kernel series, though. We formerly believed that the exploitable vulnerability in 2.4.x does not exist in 2.2.x which is still true. However, it turned out that a second (sort of) vulnerability is indeed exploitable in 2.2.x, but not in 2.4.x, with a different exploit, of course.

For the stable distribution (woody) this problem has been fixed in version 2.2.10-13woody1 of 2.2 kernel images for the powerpc/apus architecture and in version 2.2.10-2 of Linux 2.2.10 source.

For the unstable distribution (sid) this problem will be fixed soon with the 2.4.20 kernel-image package for powerpc/apus. The old 2.2.10 kernel image will be removed from Debian unstable.

You are strongly advised to switch to the fixed 2.4.17 kernel-image package for powerpc/apus from woody until the 2.4.20 kernel-image package is fixed in the unstable distribution.

We recommend that you upgrade your Linux kernel package.

Upgrade Instructions


wget url

will fetch the file for you
dpkg -i file.deb

will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/k/kernel-source-2.2.10/kernel-source-2.2.10_2.2.10-2.dsc
Size/MD5 checksum: 602 c30270ed0bb5a9b99775aefaff4b5037
http://security.debian.org/pool/updates/main/k/kernel-source-2.2.10/kernel-source-2.2.10_2.2.10-2.diff.gz
Size/MD5 checksum: 13862 b0dec7f7611601b2aab69d2117298641
http://security.debian.org/pool/updates/main/k/kernel-source-2.2.10/kernel-source-2.2.10_2.2.10.orig.tar.gz
Size/MD5 checksum: 13902979 e3e865f9103dfcea4a3715d66d89dad1

http://security.debian.org/pool/updates/main/k/kernel-image-2.2.10-powerpc-apus/kernel-image-2.2.10-powerpc-apus_2.2.10-13woody1.dsc
Size/MD5 checksum: 614 f6f2c6563e5eed7ff97d19551a1117fb
http://security.debian.org/pool/updates/main/k/kernel-image-2.2.10-powerpc-apus/kernel-image-2.2.10-powerpc-apus_2.2.10-13woody1.tar.gz
Size/MD5 checksum: 453378 865a8125d959621697b045edc210e200

Architecture independent components:

http://security.debian.org/pool/updates/main/k/kernel-source-2.2.10/kernel-doc-2.2.10_2.2.10-2_all.deb
Size/MD5 checksum: 866978 74d85ee7a1f5855710b3201b907967dd
http://security.debian.org/pool/updates/main/k/kernel-source-2.2.10/kernel-source-2.2.10_2.2.10-2_all.deb
Size/MD5 checksum: 11302672 7a66220ced59920d2cc50eff7003108f

PowerPC architecture:

http://security.debian.org/pool/updates/main/k/kernel-image-2.2.10-powerpc-apus/kernel-headers-2.2.10-apus_2.2.10-13woody1_powerpc.deb
Size/MD5 checksum: 1575772 03558d9d86b2c08194088cf5cece6811
http://security.debian.org/pool/updates/main/k/kernel-image-2.2.10-powerpc-apus/kernel-image-2.2.10-apus_2.2.10-13woody1_powerpc.deb
Size/MD5 checksum: 1303764 2a3c5a6a45c3978ae45c4572ddc0547b

These files will probably be moved into the stable distribution on its next revision.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/