openssl (SSA:2013-040-01)
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] openssl (SSA:2013-040-01)
Date: Sat, 9 Feb 2013 15:03:57 -0800 (PST)





-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security] openssl (SSA:2013-040-01)

New openssl packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,
14.0, and -current to fix security issues.


Here are the details from the Slackware 14.0 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz: Upgraded.
Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to and to Adam Langley <agl@chromium.org> for discovering
and detecting this bug and to Wolfgang Ettlinger
<wolfgang.ettlinger@gmail.com> for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]
Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2686
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
(* Security fix *)
patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz: Upgraded.
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-0.9.8y-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.1.tgz

Updated packages for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-0.9.8y-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/openssl-solibs-0.9.8y-i486-1_slack12.2.tgz

Updated packages for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-0.9.8y-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.0.txz

Updated packages for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-0.9.8y-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.0.txz

Updated packages for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-0.9.8y-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.1.txz

Updated packages for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-0.9.8y-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz

Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-0.9.8y-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/openssl-solibs-0.9.8y-i486-1_slack13.37.txz

Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-0.9.8y-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/openssl-solibs-0.9.8y-x86_64-1_slack13.37.txz

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1d-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1d-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1d-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1d-x86_64-1_slack14.0.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1d-i486-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1d-i486-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1d-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1d-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 12.1 packages:
5193bca00070ccac309ea3384e67a657 openssl-0.9.8y-i486-1_slack12.1.tgz
76fb6bede444b059e575777092c78575 openssl-solibs-0.9.8y-i486-1_slack12.1.tgz

Slackware 12.2 packages:
5a3167936ba69442a795ed62f1ec29b2 openssl-0.9.8y-i486-1_slack12.2.tgz
ed20f551e0912a5f708da9a3c4d7ac5e openssl-solibs-0.9.8y-i486-1_slack12.2.tgz

Slackware 13.0 packages:
f059432e11a6b17643e7b8f1d78c5ce3 openssl-0.9.8y-i486-1_slack13.0.txz
46c623b2e58053d308b3d9eb735be26b openssl-solibs-0.9.8y-i486-1_slack13.0.txz

Slackware x86_64 13.0 packages:
4fb6f07f85ec4ea26cc67d8b1c037fa9 openssl-0.9.8y-x86_64-1_slack13.0.txz
55bafd74f182806b1dcd076f31683743 openssl-solibs-0.9.8y-x86_64-1_slack13.0.txz

Slackware 13.1 packages:
9713a64881622c63d0756ec9a5914980 openssl-0.9.8y-i486-1_slack13.1.txz
5d8e3984389bd080bc37b9d1276c7a7d openssl-solibs-0.9.8y-i486-1_slack13.1.txz

Slackware x86_64 13.1 packages:
821c76387f3ffa388af9e5bf81185758 openssl-0.9.8y-x86_64-1_slack13.1.txz
b6d525a53b4cda641166f19ee70a9650 openssl-solibs-0.9.8y-x86_64-1_slack13.1.txz

Slackware 13.37 packages:
5195be05b85f5eb2bd4bf9ebf0a73ff9 openssl-0.9.8y-i486-1_slack13.37.txz
5248a839148fa91de52361335dc051f5 openssl-solibs-0.9.8y-i486-1_slack13.37.txz

Slackware x86_64 13.37 packages:
15e13676d0def5f0dac1e7a4704e0016 openssl-0.9.8y-x86_64-1_slack13.37.txz
d4e5bd308d2e918c6bd7616343370c49 openssl-solibs-0.9.8y-x86_64-1_slack13.37.txz

Slackware 14.0 packages:
736ca80a05b57a6f9bf2821405757466 openssl-1.0.1d-i486-1_slack14.0.txz
32aba4ad2fb26b5fb38fc4e5016dbc0f openssl-solibs-1.0.1d-i486-1_slack14.0.txz

Slackware x86_64 14.0 packages:
8c227f3b54e4650971e965d64d99713b openssl-1.0.1d-x86_64-1_slack14.0.txz
6dbd931a3718de68d42f20db99c4f578 openssl-solibs-1.0.1d-x86_64-1_slack14.0.txz

Slackware -current packages:
9a8de5df0464c0c9e2032edba2ffbd61 a/openssl-solibs-1.0.1d-i486-1.txz
b4a36988d1c355041d2179d5f7190c92 n/openssl-1.0.1d-i486-1.txz

Slackware x86_64 -current packages:
35e1b575b406bc8a646f620467d4a27d a/openssl-solibs-1.0.1d-x86_64-1.txz
063e0baf782651bdcab8c56f30df651d n/openssl-1.0.1d-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.0.1d-i486-1_slack14.0.txz openssl-solibs-1.0.1d-i486-1_slack14.0.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

n+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEWxCIACgkQakRjwEAQIjMrcQCeMRvx/xXiie1v4RmAHDEU+o4C
Gw8AnjjDagZvhZEXUaUQnXhFaQTSGA8z
=oKfO
-----END PGP SIGNATURE-----