[Dragora-bug] Dragora 2.2. updates #011


From: Matias A. Fonzo
Subject: [Dragora-bug] Dragora 2.2. updates #011
Date: Thu, 16 Oct 2014 18:14:57 -0300

The following packages have been updated (#011):

  openssl

We recommend that you upgrade your packages as soon as possible.

Details
-------

  Multiple vulnerabilities have been fixed in OpenSSL 1.0.0o. Some of
them:

CVE-2014-3513[1]:

  A flaw in the DTLS SRTP extension parsing code allows an attacker,
who sends a carefully crafted handshake message, to cause OpenSSL to
fail to free up to 64k of memory, causing a memory leak. This could be
exploited in a Denial of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that have
been compiled with OPENSSL_NO_SRTP defined are not affected.

CVE-2014-3567[3]:

  When an OpenSSL SSL/TLS/DTLS server receives a session ticket, the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory, causing
a memory leak. By sending a large number of invalid session tickets, an
attacker could exploit this issue in a Denial of Service attack.

References:

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568

For more information, see: http://www.openssl.org/news/secadv_20141015.txt

Obtain the packages from

* 32 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/32b/openssl-1.0.0o-i486-1.tlz

* 64 bit *

http://gungre.ch/dragora/mirror/dragora-2.2/upgrades/packages/64b/openssl-1.0.0o-x86_64-1.tlz

Checksums (SHA1)
----------------

023a38c8a5e1dbbead17c8abd96f80cfd65a78de  openssl-1.0.0o-i486-1.tlz

d03b0555299f8e0d87afe591d8cbbd646fa27658  openssl-1.0.0o-x86_64-1.tlz

If you need the detached GPG signatures[1], just append .sig to the URLs above.

Upgrading
---------

To upgrade a package, issue the following command:
  pkg upgrade <package.tlz>

Notes
=====

  You can get all the upgrades via rsync; for example, to obtain the 32-bit
packages, type:

  # rsync -avPiz gungre.ch::dragora/dragora-2.2/upgrades/packages/32b .

Then use the sha1sum(1) tool to check every file against the SHA1SUMS list:

  # sha1sum -c SHA1SUMS

  `pkg upgrade' can be used to upgrade all the packages (installed or not
installed); for more information, take a look at:

  http://dragora.org/wiki/doku.php/guides/d2/pkgmanager

Footnotes:

[1] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify openssl-1.0.0o-i486-1.tlz.sig

If that command fails because you don't have the required public key,
then run these commands to import it:

  wget http://gungre.ch/dragora/mirror/dragora-2.2/KEY
  gpg --import KEY

and re-run the `gpg --verify' sequence.
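The announcement lists a SHA1 per tarball and a detached .sig per URL; the following POSIX shell script is an added example (not part of this announcement or of Dragora's tooling) that refuses to call `pkg upgrade` unless both the checksum and the GPG signature check out. The file name and hash are taken from the message above; the function names are my own, and the Dragora key is assumed to have been imported with `gpg --import KEY` as described in footnote [1].

```shell
#!/bin/sh
# Added example: verify a Dragora upgrade tarball before installing it.
# The SHA1 value and file name come from the announcement above. The
# checksum alone only proves an intact download (the SHA1 list is served
# from the same mirror as the packages), so the detached GPG signature,
# made with the key from .../dragora-2.2/KEY, is checked as well.

# Returns 0 if the file's SHA1 equals the expected hash, 1 otherwise.
verify_sha1() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Returns 0 if gpg accepts the detached signature "<file>.sig", 1 otherwise.
# Assumes the Dragora public key was imported with `gpg --import KEY`.
verify_sig() {
    file=$1
    gpg --verify "$file.sig" "$file" >/dev/null 2>&1
}

# Checks both, then upgrades. Stops at the first failure so a corrupted
# or tampered tarball never reaches `pkg upgrade`.
verified_upgrade() {
    file=$1
    expected=$2
    if ! verify_sha1 "$file" "$expected"; then
        echo "SHA1 mismatch or missing file: $file" >&2
        return 1
    fi
    if ! verify_sig "$file"; then
        echo "GPG signature check failed: $file.sig" >&2
        return 1
    fi
    pkg upgrade "$file"
}

# Values from the announcement (32-bit package). Run with --run in the
# directory holding the tarball and its .sig.
if [ "${1:-}" = "--run" ]; then
    verified_upgrade openssl-1.0.0o-i486-1.tlz \
        023a38c8a5e1dbbead17c8abd96f80cfd65a78de
fi
```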

