Vulnerability Bulletins |
Múliples vulnerabilidades en OpenSSL |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Denegación de Servicio |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio estandar |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software |
OpenSSL < 0.9.8k IBM AIX 6.1 < 0.9.8.803 IBM AIX 5.3 < 0.9.8.803 IBM AIX 5.2 < 0.9.8.803 HP SSL <= v1.3 |
Description |
|
|
Se han descubierto múltiples vulnerabilidades en OpenSSL 0.9.8. Las vulnerabilidades son descritas a continuación: - CVE-2009-0590: La vulnerabilidad reside en un error en la función "ASN1_STRING_print_ex". Un atacante remoto podría causar una denegación de servicio imprimiendo por pantalla las cadenas "BMPString" o "UniversalString" con un valor de longitud inválido. - CVE-2009-0591: La vulnerabilidad reside en un error en el manejo de atributos con signo inválidos en la función "CMS_verify()". Un atacante remoto podría repudiar una firma que originalmente era válida pero que actualmente es inválida. - CVE-2009-0789: La vulnerabilidad reside en un error en el manejo de estructuras ASN.1 erróneas en la función "CMS_verify()". Un atacante remoto podría causar una denegación de servicio mediante el uso de estas estructuras en la clave pública de un certificado. |
|
Solution |
|
|
Actualización de software OpenSSL OpenSSL 0.9.8 k http://www.openssl.org/source/ Debian (DSA-1763-1) Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5.diff.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch3.dsc http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k-3.1etch3.diff.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5.dsc http://security.debian.org/pool/updates/main/o/openssl097/openssl097_0.9.7k.orig.tar.gz alpha (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_alpha.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_alpha.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_alpha.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_alpha.deb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_amd64.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_amd64.udeb arm (ARM) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_arm.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_arm.udeb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_arm.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_arm.deb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_hppa.udeb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_hppa.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_i386.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_i386.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_i386.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_i386.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_ia64.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_ia64.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_ia64.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_mips.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_mips.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_mips.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_mips.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_mips.deb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_mipsel.udeb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_mipsel.deb powerpc (PowerPC) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_powerpc.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_powerpc.deb s390 (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_s390.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_s390.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_s390.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_s390.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_s390.deb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch5_sparc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7-dbg_0.9.7k-3.1etch3_sparc.deb http://security.debian.org/pool/updates/main/o/openssl097/libssl0.9.7_0.9.7k-3.1etch3_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch5_sparc.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch5_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch5_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch5_sparc.deb Debian (DSA-1763-1) Debian Linux 5.0 Source http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1.diff.gz http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1.dsc alpha (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_alpha.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_alpha.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_alpha.deb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_amd64.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_amd64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_amd64.deb arm (ARM) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_arm.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_arm.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_arm.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_arm.deb armel (ARM EABI) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_armel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_armel.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_armel.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_armel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_armel.deb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_hppa.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_hppa.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_i386.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_i386.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_ia64.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_ia64.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_mips.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_mips.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_mips.deb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_mipsel.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_mipsel.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_mipsel.deb powerpc (PowerPC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_powerpc.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_powerpc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_powerpc.deb s390 (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_s390.udeb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_s390.deb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_s390.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_s390.deb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny1_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny1_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny1_sparc.deb http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny1_sparc.udeb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny1_sparc.deb Sun (258048) Sun Solaris 10 / pendiente de resolver OpenSolaris / builds snv_113 o posterior http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage IBM Descargar parches en: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux. Hewlett-Packard HP-UX B.11.11 / A.00.09.07m.049 HP-UX B.11.23 / A.00.09.07m.050 HP-UX B.11.31 / A.00.09.08k.003 http://www.itrc.hp.com/service/patch/mainPage.do Red Hat (RHSA-2009:1335-2) RHEL Desktop Workstation (v. 5 cliente) Red Hat Enterprise Linux (v. 5 servidor) Red Hat Enterprise Linux Desktop (v. 5 cliente) https://rhn.redhat.com/ Hewlett-Packard (HPSBOV02540) HP SSL v 1.4 para OpenVMS plataformas Alpha e Integrity http://h71000.www7.hp.com/openvms/products/ssl/ssl.html |
|
Standar resources |
|
| Property | Value |
| CVE |
CVE-2009-0590 CVE-2009-0591 CVE-2009-0789 |
| BID | 34256 |
Other resources |
|
|
OpenSSL http://www.openssl.org/news/secadv_20090325.txt Debian Security Advisory (DSA-1763-1) http://lists.debian.org/debian-security-announce/2009/msg00073.html Sun Alert Notification (258048) http://sunsolve.sun.com/search/document.do?assetkey=1-66-258048-1 IBM Security Advisory http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4629&myns=paix52&mync=E SUSE Security Advisory (SUSE-SR:2009:010) http://www.novell.com/linux/security/advisories/2009_10_sr.html HP SECURITY BULLETIN (HPSBUX02435) http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01762423-1 Red Hat Security Advisory (RHSA-2009:1335-2) https://rhn.redhat.com/errata/RHSA-2009-1335.html HP SECURITY BULLETIN (HPSBOV02540) https://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02227287 |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2009-03-31 |
| 1.1 | Aviso emitido por Debian (DSA-1763-1) | 2009-04-07 |
| 1.2 | Aviso emitido por Sun (258048) | 2009-05-06 |
| 1.3 | Aviso emitido por IBM | 2009-05-12 |
| 1.4 | Aviso emitido por Suse (SUSE-SR:2009:010) | 2009-05-13 |
| 1.5 | Aviso emitido por HP (HPSBUX02435) | 2009-06-10 |
| 1.6 | Aviso emitido por Red Hat (RHSA-2009:1335-2) | 2009-09-03 |
| 1.7 | Aviso emitido por Red Hat (RHSA-2010:0163-1) | 2010-03-31 |
| 1.8 | Aviso emitido por HP (HPSBOV02540) | 2010-06-17 |