The Slackware Linux Project: Mailing List Info

Mailing List Info
News
Security Advisories
FAQ
Book
General Info
Get Slack
Install Help
Configuration
Packages
ChangeLogs
Propaganda
Ports
Other Sites
Support
Contact
Mailing Lists
Archives
About
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] openssl (SSA:2014-288-01)
Date: Wed, 15 Oct 2014 10:58:22 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  openssl (SSA:2014-288-01)

New openssl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
and -current to fix security issues.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.1.txz:  Upgraded.
  (* Security fix *)
patches/packages/openssl-1.0.1j-i486-1_slack14.1.txz:  Upgraded.
  This update fixes several security issues:
  SRTP Memory Leak (CVE-2014-3513):
    A flaw in the DTLS SRTP extension parsing code allows an attacker, who
    sends a carefully crafted handshake message, to cause OpenSSL to fail
    to free up to 64k of memory causing a memory leak. This could be
    exploited in a Denial Of Service attack.
  Session Ticket Memory Leak (CVE-2014-3567):
    When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
    integrity of that ticket is first verified. In the event of a session
    ticket integrity check failing, OpenSSL will fail to free memory
    causing a memory leak. By sending a large number of invalid session
    tickets an attacker could exploit this issue in a Denial Of Service
    attack.
  SSL 3.0 Fallback protection:
    OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
    to block the ability for a MITM attacker to force a protocol
    downgrade.
    Some client applications (such as browsers) will reconnect using a
    downgraded protocol to work around interoperability bugs in older
    servers. This could be exploited by an active man-in-the-middle to
    downgrade connections to SSL 3.0 even if both sides of the connection
    support higher protocols. SSL 3.0 contains a number of weaknesses
    including POODLE (CVE-2014-3566).
  Build option no-ssl3 is incomplete (CVE-2014-3568):
    When OpenSSL is configured with "no-ssl3" as a build option, servers
    could accept and complete a SSL 3.0 handshake, and clients could be
    configured to send them.
  For more information, see:
    https://www.openssl.org/news/secadv_20141015.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8zc-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8zc-i486-1_slack13.0.txz

Updated packages for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8zc-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8zc-x86_64-1_slack13.0.txz

Updated packages for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8zc-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8zc-i486-1_slack13.1.txz

Updated packages for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8zc-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8zc-x86_64-1_slack13.1.txz

Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8zc-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8zc-i486-1_slack13.37.txz

Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8zc-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8zc-x86_64-1_slack13.37.txz

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1j-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1j-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1j-x86_64-1_slack14.0.txz

Updated packages for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1j-i486-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1j-i486-1_slack14.1.txz

Updated packages for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1j-x86_64-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1j-x86_64-1_slack14.1.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1j-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1j-i486-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1j-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1j-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.0 packages:
44d336a121b39296f0e6bbeeb283dd2b  openssl-0.9.8zc-i486-1_slack13.0.txz
8342cfb351e59ecf5ea6d8cba66f0040  openssl-solibs-0.9.8zc-i486-1_slack13.0.txz

Slackware x86_64 13.0 packages:
671f12535bdc10ab24388b713351aca2  openssl-0.9.8zc-x86_64-1_slack13.0.txz
21e380284cdfab2fd15fffe2e0aed526  openssl-solibs-0.9.8zc-x86_64-1_slack13.0.txz

Slackware 13.1 packages:
64cb819f1e07522bd5d7ceedd0a9ab50  openssl-0.9.8zc-i486-1_slack13.1.txz
5fe4e385b2251cfd7e8ae5963ec6cef1  openssl-solibs-0.9.8zc-i486-1_slack13.1.txz

Slackware x86_64 13.1 packages:
94feb6699d6f2cc7750a6b2e17ccaaa2  openssl-0.9.8zc-x86_64-1_slack13.1.txz
2c17e4286509c29074ab0168367b851e  openssl-solibs-0.9.8zc-x86_64-1_slack13.1.txz

Slackware 13.37 packages:
4483d91c776c7e23c59246c4e0aa24aa  openssl-0.9.8zc-i486-1_slack13.37.txz
fedd58eb19bc13c9dd88d947827a7370  openssl-solibs-0.9.8zc-i486-1_slack13.37.txz

Slackware x86_64 13.37 packages:
5d48ac1e9339efc35e304c7d48b2e762  openssl-0.9.8zc-x86_64-1_slack13.37.txz
6f5e2b576259477c13f12cbed9be8804  openssl-solibs-0.9.8zc-x86_64-1_slack13.37.txz

Slackware 14.0 packages:
2b678160283bc696565dc8bd8b28c0eb  openssl-1.0.1j-i486-1_slack14.0.txz
f7762615c990713e9e86d4da962f1022  openssl-solibs-1.0.1j-i486-1_slack14.0.txz

Slackware x86_64 14.0 packages:
41010ca37d49b74e7d7dc3f1c6ddc57e  openssl-1.0.1j-x86_64-1_slack14.0.txz
40dc6f3de217279d6140c1efcc0d45c8  openssl-solibs-1.0.1j-x86_64-1_slack14.0.txz

Slackware 14.1 packages:
024ecea55e22e47f9fbb4b81a7b72a51  openssl-1.0.1j-i486-1_slack14.1.txz
0a575668bb41ec4c2160800611f7f627  openssl-solibs-1.0.1j-i486-1_slack14.1.txz

Slackware x86_64 14.1 packages:
d07fe289f7998a584c2b0d9810a8b9aa  openssl-1.0.1j-x86_64-1_slack14.1.txz
1ffc5d0c02b0c60cefa5cf9189bfc71d  openssl-solibs-1.0.1j-x86_64-1_slack14.1.txz

Slackware -current packages:
53c9f51a79460bbfc5dec5720317cd53  a/openssl-solibs-1.0.1j-i486-1.txz
cc059aa63494f3b005a886c70bc3f5d6  n/openssl-1.0.1j-i486-1.txz

Slackware x86_64 -current packages:
500709555e652adcd84b4e02dfab4eeb  a/openssl-solibs-1.0.1j-x86_64-1.txz
c483ca9c450fa90a901ac013276ccc53  n/openssl-1.0.1j-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.0.1j-i486-1_slack14.1.txz openssl-solibs-1.0.1j-i486-1_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQ+sX4ACgkQakRjwEAQIjMnYwCggSNccNsCi57a+p6F6/wBJNMr
njcAn08K5PJNtkMeLWV18epIMDLm+Vyg
=7+DM
-----END PGP SIGNATURE-----
Slackware™ is a trademark of Patrick Volkerding.