Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2007-5135

An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application. For the old stable distribution (sarge), this problem has been fixed in version 0.9.7e-3sarge5. For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch1. For the unstable and testing distributions (sid and lenny, respectively), this problem has been fixed in version 0.9.8e-9. We recommend that you upgrade your openssl packages.

Source

Debian Security Advisory

DSA-1379-1 openssl -- off-by-one error/buffer overflow

Date Reported:

02 Oct 2007

Affected Packages:

openssl

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 444435.
In Mitre's CVE dictionary: CVE-2007-5135.

More information:

An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.

For the old stable distribution (sarge), this problem has been fixed in version 0.9.7e-3sarge5.

For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch4.

For the unstable and testing distributions (sid and lenny, respectively), this problem has been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Fixed in:

Debian GNU/Linux 3.1 (oldstable)

Source:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.diff.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5.dsc
Alpha:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_alpha.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_amd64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_arm.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_hppa.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_i386.udeb
Intel IA-64:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_ia64.udeb
Motorola 680x0:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_m68k.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_m68k.udeb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mips.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_mipsel.udeb
PowerPC:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_powerpc.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_s390.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge5_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3sarge5_sparc.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge5_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge5_sparc.deb

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.dsc; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4.diff.gz; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_alpha.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_alpha.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_amd64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_amd64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_arm.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_arm.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_hppa.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_hppa.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_i386.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_i386.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_ia64.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_ia64.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mips.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mips.udeb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_mipsel.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_mipsel.udeb
PowerPC:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_powerpc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_powerpc.udeb
IBM S/390:: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_s390.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_s390.udeb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch4_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch4_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch4_sparc.deb; http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch4_sparc.udeb; http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

DSA-1379-1 openssl -- off-by-one error/buffer overflow

Debian Security Advisory

DSA-1379-1 openssl -- off-by-one error/buffer overflow

Debian GNU/Linux 3.1 (oldstable)

Debian GNU/Linux 4.0 (etch)

Vulmon Search

About

Products

Connect