Thursday, January 15, 2009

Security Updates: NTP, OpenSSL, Bind

Four security updates has been released today, which are NTP, OpenSSL (-Solibs), and Bind. The detailed changes are described in the latest -Current changelog. In -Current, there's also one addition update, which are svgalib_helper being recompiled to fix issues with an invalid module format when loading the svgalib_helper module on 2.6.27.7-smp systems.
Wed Jan 14 20:32:54 CST 2009
a/openssl-solibs-0.9.8i-i486-2.tgz:
Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack.
For more information, see:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
(* Security fix *)

l/svgalib_helper-1.9.25_2.6.27.7-i486-2.tgz: Recompiled against a correct kernel source tree to fix issues with an invalid module format when loading the svgalib_helper module on 2.6.27.7-smp systems.

n/bind-9.4.3_P1-i486-1.tgz:
Upgraded to bind-9.4.3-P1.
Fixed checking on return values from OpenSSL's EVP_VerifyFinal and DSA_do_verify functions to prevent spoofing answers returned from zones using the DNSKEY algorithms DSA and NSEC3DSA.
For more information, see:
https://www.isc.org/node/373
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
(* Security fix *)

n/ntp-4.2.4p6-i486-1.tgz:
[Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
For more information, see:
https://lists.ntp.org/pipermail/announce/2009-January/000055.html
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
(* Security fix *)

n/openssl-0.9.8i-i486-2.tgz:
Patched to fix the return value EVP_VerifyFinal, preventing malformed signatures from being considered good. This flaw could possibly allow a 'man in the middle' attack.
For more information, see:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
(* Security fix *)