Gentoo Logo

OpenSSL: Multiple vulnerabilities

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200912-01 / openssl
Release Date December 01, 2009
Latest Revision December 02, 2009: 02
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
dev-libs/openssl < 0.9.8l-r2 >= 0.9.8l-r2 All supported architectures

Related bugreports: #270305, #280591, #292022

Synopsis

Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct multiple attacks, including the injection of arbitrary data into encrypted byte streams.

2.  Impact Information

Background

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library.

Description

Multiple vulnerabilities have been reported in OpenSSL:

  • Marsh Ray of PhoneFactor and Martin Rex of SAP independently reported that the TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555).
  • The MD2 hash algorithm is no longer considered to be cryptographically strong, as demonstrated by Dan Kaminsky. Certificates using this algorithm are no longer accepted (CVE-2009-2409).
  • Daniel Mentz and Robin Seggelmann reported the following vulnerabilities related to DTLS: A use-after-free flaw (CVE-2009-1379) and a NULL pointer dereference (CVE-2009-1387) in the dtls1_retrieve_buffered_fragment() function in src/d1_both.c, multiple memory leaks in the dtls1_process_out_of_seq_message() function in src/d1_both.c (CVE-2009-1378), and a processing error related to a large amount of DTLS records with a future epoch in the dtls1_buffer_record() function in ssl/d1_pkt.c (CVE-2009-1377).

Impact

A remote unauthenticated attacker, acting as a Man in the Middle, could inject arbitrary plain text into a TLS session, possibly leading to the ability to send requests as if authenticated as the victim. A remote attacker could furthermore send specially crafted DTLS packages to a service using OpenSSL for DTLS support, possibly resulting in a Denial of Service. Also, a remote attacker might be able to create rogue certificates, facilitated by a MD2 collision. NOTE: The amount of computation needed for this attack is still very large.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-0.9.8l-r2"

4.  References

Print

Page updated December 01, 2009

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.