Mandrake Local Security Checks : Mandriva Update for openssl MDVSA-2011:137 (openssl)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.831454

Categoría: Mandrake Local Security Checks

Título: Mandriva Update for openssl MDVSA-2011:137 (openssl)

Resumen: The remote host is missing an update for the 'openssl'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'openssl'
package(s) announced via the referenced advisory.

Vulnerability Insight:
Multiple vulnerabilities has been discovered and corrected in openssl:

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA)
is used for the ECDHE_ECDSA cipher suite, does not properly implement
curves over binary fields, which makes it easier for context-dependent
attackers to determine private keys via a timing attack and a lattice
calculation (CVE-2011-1945).

crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not
initialize certain structure members, which makes it easier for
remote attackers to bypass CRL validation by using a nextUpdate value
corresponding to a time in the past (CVE-2011-3207).

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through
0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during
processing of handshake messages, which allows remote attackers
to cause a denial of service (application crash) via out-of-order
messages that violate the TLS protocol (CVE-2011-3210).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. The updated packages have been patched to correct these issues.

Affected Software/OS:
openssl on Mandriva Linux 2010.1,
Mandriva Linux 2010.1/X86_64

Solution:
Please Install the Updated Packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2011-1945
44935
http://secunia.com/advisories/44935
APPLE-SA-2013-06-04-1
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
DSA-2309
http://www.debian.org/security/2011/dsa-2309
MDVSA-2011:136
http://www.mandriva.com/security/advisories?name=MDVSA-2011:136
MDVSA-2011:137
http://www.mandriva.com/security/advisories?name=MDVSA-2011:137
SUSE-SU-2011:0636
https://hermes.opensuse.org/messages/8764170
VU#536044
http://www.kb.cert.org/vuls/id/536044
http://eprint.iacr.org/2011/232.pdf
http://support.apple.com/kb/HT5784
http://www.kb.cert.org/vuls/id/MAPG-8FENZ3
openSUSE-SU-2011:0634
https://hermes.opensuse.org/messages/8760466
Common Vulnerability Exposure (CVE) ID: CVE-2011-3207
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065744.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
HPdes Security Advisory: HPSBMU02752
http://marc.info/?l=bugtraq&m=133226187115472&w=2
HPdes Security Advisory: SSRT100802
http://www.redhat.com/support/errata/RHSA-2011-1409.html
http://www.securitytracker.com/id?1026012
http://secunia.com/advisories/45956
http://secunia.com/advisories/57353
Common Vulnerability Exposure (CVE) ID: CVE-2011-3210
1026012
57353
HPSBMU02752
HPSBUX02734
http://marc.info/?l=bugtraq&m=132750648501816&w=2
SSRT100729
SSRT100802
http://cvs.openssl.org/chngview?cn=21337
http://openssl.org/news/secadv_20110906.txt
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
https://bugzilla.redhat.com/show_bug.cgi?id=736079

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.831454
Categoría:	Mandrake Local Security Checks
Título:	Mandriva Update for openssl MDVSA-2011:137 (openssl)
Resumen:	The remote host is missing an update for the 'openssl'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'openssl' package(s) announced via the referenced advisory. Vulnerability Insight: Multiple vulnerabilities has been discovered and corrected in openssl: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation (CVE-2011-1945). crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past (CVE-2011-3207). The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages, which allows remote attackers to cause a denial of service (application crash) via out-of-order messages that violate the TLS protocol (CVE-2011-3210). Packages for 2009.0 are provided as of the Extended Maintenance Program. The updated packages have been patched to correct these issues. Affected Software/OS: openssl on Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64 Solution: Please Install the Updated Packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2011-1945 44935 http://secunia.com/advisories/44935 APPLE-SA-2013-06-04-1 http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html DSA-2309 http://www.debian.org/security/2011/dsa-2309 MDVSA-2011:136 http://www.mandriva.com/security/advisories?name=MDVSA-2011:136 MDVSA-2011:137 http://www.mandriva.com/security/advisories?name=MDVSA-2011:137 SUSE-SU-2011:0636 https://hermes.opensuse.org/messages/8764170 VU#536044 http://www.kb.cert.org/vuls/id/536044 http://eprint.iacr.org/2011/232.pdf http://support.apple.com/kb/HT5784 http://www.kb.cert.org/vuls/id/MAPG-8FENZ3 openSUSE-SU-2011:0634 https://hermes.opensuse.org/messages/8760466 Common Vulnerability Exposure (CVE) ID: CVE-2011-3207 http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065744.html http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065712.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html HPdes Security Advisory: HPSBMU02752 http://marc.info/?l=bugtraq&m=133226187115472&w=2 HPdes Security Advisory: SSRT100802 http://www.redhat.com/support/errata/RHSA-2011-1409.html http://www.securitytracker.com/id?1026012 http://secunia.com/advisories/45956 http://secunia.com/advisories/57353 Common Vulnerability Exposure (CVE) ID: CVE-2011-3210 1026012 57353 HPSBMU02752 HPSBUX02734 http://marc.info/?l=bugtraq&m=132750648501816&w=2 SSRT100729 SSRT100802 http://cvs.openssl.org/chngview?cn=21337 http://openssl.org/news/secadv_20110906.txt http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564 https://bugzilla.redhat.com/show_bug.cgi?id=736079
Copyright	Copyright (C) 2011 Greenbone AG