2006-9-30 12:17:59
发布日期:2006-09-26
更新日期:2006-09-30
受影响系统:
FreeBSD FreeBSD 6.1
FreeBSD FreeBSD 6.0
FreeBSD FreeBSD 5.5
FreeBSD FreeBSD 5.4
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 4.11
OpenSSL Project OpenSSL < 0.9.8d
OpenSSL Project OpenSSL < 0.9.7l
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux Desktop 4
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 不受影响系统:
OpenSSL Project OpenSSL 0.9.8d
OpenSSL Project OpenSSL 0.9.7l
描述:
BUGTRAQ ID: 20249
CVE(CAN) ID: CVE-2006-3738
OpenSSL是一种开放源码的SSL实现,用来实现网络通信的高强度加密,现在被广泛地用于各种网络应用程序中。
OpenSSL的SSL_get_shared_ciphers()函数在处理共享密码列表的长度时存在缓冲区溢出漏洞,远程攻击者可以向使用这个函数的应用程序发送密码列表来触发这个漏洞,导致执行任意代码。
<*来源:Tavis Ormandy (taviso@gentoo.org)
Will Drewry (wad@google.com)
链接:http://www.kb.cert.org/vuls/id/547300
http://www.openssl.org/news/secadv_20060928.txt
http://lwn.net/Alerts/201933
http://www.debian.org/security/2005/dsa-1185
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:23.openssl.asc
*>
建议:
厂商补丁:
Debian
------
Debian已经为此发布了一个安全公告(DSA-1185-1)以及相应补丁:
DSA-1185-1:New openssl packages fix denial of service
链接:http://www.debian.org/security/2005/dsa-1185
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.dsc
Size/MD5 checksum: 639 fbf460591348b14103a3819d23164aee
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3.diff.gz
Size/MD5 checksum: 29882 25e5c57ee6c86d1e4cc335937040f251
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474
Alpha architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 3341810 73ef8e1cafbfd142a903bd93535a2428
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 2448006 b42d228cd1cb48024b25f5bd7c6724b8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_alpha.deb
Size/MD5 checksum: 930188 b0b9a46a47a1992ed455f993b6007450
AMD64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 2693668 7a6d9f9ad43192bcfe9ed22bd4c227cb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 703308 239e07d0029b78d339da49ea8dacb554
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_amd64.deb
Size/MD5 checksum: 903744 de3413bf58707040d19a606311548ec7
ARM architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 2556374 4f3d5a82ab27e46f6174616dd2f0818c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 690118 80812ffefacc7d9800ce5286909aa815
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_arm.deb
Size/MD5 checksum: 894114 053579483c0d83c11a4b15ade5e09d3b
HP Precision architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 2695876 bee86edc3db3ac76a32efb84b1a1cfab
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 791316 5dfd66672700232356a26258a76bcffa
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_hppa.deb
Size/MD5 checksum: 914574 bc996d3cd86b18090ee4c2f3f31dbdbc
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 2553694 ceea98c69ca44649ee2c98cff0364e4b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 2264996 111668559caa8ea95ad3100af67e163e
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_i386.deb
Size/MD5 checksum: 902750 39b743a6a47517245c3fba9289c86ddf
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 3396192 54868b4f5c27f5dc0a65b82594aa8bb0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 1038386 7fcec764f3b3d3ee53588791f7588ad9
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_ia64.deb
Size/MD5 checksum: 975118 18239f1932f399df0396e81a1e57e5e3
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 2317346 cf221d4a25c8913c1183078f1974b46b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 661672 1a1e72d032cbd37400a65ef7ddf9af6d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_m68k.deb
Size/MD5 checksum: 889874 6eaaf9b7b9651b37437b78d7a95a562a
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 2779474 383cc3f4bd2c75515e415c48fc6c66eb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 706660 aaa773471c553fd971b3158e35ceb675
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mips.deb
Size/MD5 checksum: 896780 21c648b8e817ce098d9d85f311163e34
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 2767338 bc2e40477ad28b1eedb69e6542b1ab08
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 694486 8c31bcea415ae3d725844e45a733d7fe
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_mipsel.deb
Size/MD5 checksum: 895860 8af869dc9a903f8a226d33cdcffc7eab
PowerPC architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 2775400 91f923d2f4f3938ef8a786b291865f0a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 779452 3b094894ca6d75b7c86684c7cd62f5bf
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_powerpc.deb
Size/MD5 checksum: 908316 b93dffc572d91d9e4154b73c57b41e88
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 2717840 a96fb19009ddc10b1901f34e232109ae
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 813968 1cf6dbddb023dfe8c55d30d19bc0ff57
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_s390.deb
Size/MD5 checksum: 918504 73d2f71ec2c8ebd4cc3f481096202664
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 2630560 059abd03c994e3d6851f38f6f7dd5446
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 1886038 4900a7af6cbef9e37c902a3c14ac33ac
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge3_sparc.deb
Size/MD5 checksum: 924472 27f194ff2250fc91d0375c02d6686272
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
FreeBSD
-------
FreeBSD已经为此发布了一个安全公告(FreeBSD-SA-06:23)以及相应补丁:
FreeBSD-SA-06:23:Multiple problems in crypto(3)
链接:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:23.openssl.asc
补丁下载:
执行以下步骤之一:
1) 将有漏洞的系统升级到4-STABLE, 5-STABLE或6-STABLE,或修改日期之后的RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3或RELENG_4_11安全版本.
2) 为当前系统打补丁:
以下补丁确认可应用于FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0和6.1系统.
a) 从以下位置下载相关补丁,并使用PGP工具验证附带的PGP签名.
# fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-06:23/openssl.patch.asc
b) 以root执行以下命令:
# cd /usr/src
# patch < /path/to/patch
c) 如<URL: http://www.freebsd.org/handbook/makeworld.html> 所述重新编译并重启系统.
OpenSSL Project
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.openssl.org/source/openssl-0.9.7l.tar.gz
http://www.openssl.org/source/openssl-0.9.8d.tar.gz
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2006:0695-01)以及相应补丁:
RHSA-2006:0695-01:Important: openssl security update
链接:http://lwn.net/Alerts/201933
|
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)