Slackware Security Advisories
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] openssl (SSA:2013-040-01)
Date: Sat, 9 Feb 2013 15:03:57 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  openssl (SSA:2013-040-01)

New openssl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
14.0, and -current to fix security issues.


Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz:  Upgraded.
    Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
  This addresses the flaw in CBC record processing discovered by
  Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
  at: http://www.isg.rhul.ac.uk/tls/
  Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
  Security Group at Royal Holloway, University of London
  (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
  Emilia Käsper for the initial patch.
  (CVE-2013-0169)
  [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
    Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
  ciphersuites which can be exploited in a denial of service attack.
  Thanks go to and to Adam Langley <agl@chromium.org> for discovering
  and detecting this bug and to Wolfgang Ettlinger
  <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
  (CVE-2012-2686)
  [Adam Langley]
    Return an error when checking OCSP signatures when key is NULL.
  This fixes a DoS attack. (CVE-2013-0166)
  [Steve Henson]
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz:  Upgraded.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-0.9.8y-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.1.tgz

Updated packages for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8y-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.2.tgz

Updated packages for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8y-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.0.txz

Updated packages for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8y-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.0.txz

Updated packages for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8y-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.1.txz

Updated packages for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8y-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz

Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8y-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.37.txz

Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8y-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.37.txz

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1d-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1d-x86_64-1_slack14.0.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1d-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1d-i486-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1d-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1d-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 12.1 packages:
5193bca00070ccac309ea3384e67a657  openssl-0.9.8y-i486-1_slack12.1.tgz
76fb6bede444b059e575777092c78575  openssl-solibs-0.9.8y-i486-1_slack12.1.tgz

Slackware 12.2 packages:
5a3167936ba69442a795ed62f1ec29b2  openssl-0.9.8y-i486-1_slack12.2.tgz
ed20f551e0912a5f708da9a3c4d7ac5e  openssl-solibs-0.9.8y-i486-1_slack12.2.tgz

Slackware 13.0 packages:
f059432e11a6b17643e7b8f1d78c5ce3  openssl-0.9.8y-i486-1_slack13.0.txz
46c623b2e58053d308b3d9eb735be26b  openssl-solibs-0.9.8y-i486-1_slack13.0.txz

Slackware x86_64 13.0 packages:
4fb6f07f85ec4ea26cc67d8b1c037fa9  openssl-0.9.8y-x86_64-1_slack13.0.txz
55bafd74f182806b1dcd076f31683743  openssl-solibs-0.9.8y-x86_64-1_slack13.0.txz

Slackware 13.1 packages:
9713a64881622c63d0756ec9a5914980  openssl-0.9.8y-i486-1_slack13.1.txz
5d8e3984389bd080bc37b9d1276c7a7d  openssl-solibs-0.9.8y-i486-1_slack13.1.txz

Slackware x86_64 13.1 packages:
821c76387f3ffa388af9e5bf81185758  openssl-0.9.8y-x86_64-1_slack13.1.txz
b6d525a53b4cda641166f19ee70a9650  openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz

Slackware 13.37 packages:
5195be05b85f5eb2bd4bf9ebf0a73ff9  openssl-0.9.8y-i486-1_slack13.37.txz
5248a839148fa91de52361335dc051f5  openssl-solibs-0.9.8y-i486-1_slack13.37.txz

Slackware x86_64 13.37 packages:
15e13676d0def5f0dac1e7a4704e0016  openssl-0.9.8y-x86_64-1_slack13.37.txz
d4e5bd308d2e918c6bd7616343370c49  openssl-solibs-0.9.8y-x86_64-1_slack13.37.txz

Slackware 14.0 packages:
736ca80a05b57a6f9bf2821405757466  openssl-1.0.1d-i486-1_slack14.0.txz
32aba4ad2fb26b5fb38fc4e5016dbc0f  openssl-solibs-1.0.1d-i486-1_slack14.0.txz

Slackware x86_64 14.0 packages:
8c227f3b54e4650971e965d64d99713b  openssl-1.0.1d-x86_64-1_slack14.0.txz
6dbd931a3718de68d42f20db99c4f578  openssl-solibs-1.0.1d-x86_64-1_slack14.0.txz

Slackware -current packages:
9a8de5df0464c0c9e2032edba2ffbd61  a/openssl-solibs-1.0.1d-i486-1.txz
b4a36988d1c355041d2179d5f7190c92  n/openssl-1.0.1d-i486-1.txz

Slackware x86_64 -current packages:
35e1b575b406bc8a646f620467d4a27d  a/openssl-solibs-1.0.1d-x86_64-1.txz
063e0baf782651bdcab8c56f30df651d  n/openssl-1.0.1d-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.0.1d-i486-1_slack14.0.txz openssl-solibs-1.0.1d-i486-1_slack14.0.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEWxCIACgkQakRjwEAQIjMrcQCeMRvx/xXiie1v4RmAHDEU+o4C
Gw8AnjjDagZvhZEXUaUQnXhFaQTSGA8z
=oKfO
-----END PGP SIGNATURE-----
Slackware™ is a trademark of Patrick Volkerding.