March 30, 2009

[installer 1873] OpenSSL 0.9.8k

openssl-0.9.8k has been released.

・openssl-0.9.8k
http://www.openssl.org/
ftp://ftp.openssl.org/source/openssl-0.9.8k.tar.gz
http://www.openssl.org/source/openssl-0.9.8k.tar.gz

It includes fixes for security holes.

・OpenSSL Security Advisory [25-Mar-2009]
http://www.openssl.org/news/secadv_20090325.txt
- ASN1 printing crash
- Incorrect Error Checking During CMS verification.
- Invalid ASN1 clearing check

・OpenSSL CHANGES
http://www.openssl.org/source/exp/CHANGES

Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

*) Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If sizeof(void *) > sizeof(long) this can result in
zeroing past the valid field. (CVE-2009-0789)
[Paolo Ganci <Paolo.Ganci@xxxxx>]

*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
[Ivan Nestlerode <inestlerode@xxxxx>]

*) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590)
[Steve Henson]

*) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
[Steve Henson]

*) Permit restricted recursion of ASN1 strings. This is needed in practice
to handle some structures.
[Steve Henson]

*) Improve efficiency of mem_gets: don't search whole buffer each time
for a '\n'
[Jeremy Shapiro <jnshapir@xxxxx>]

*) New -hex option for openssl rand.
[Matthieu Herrb]

*) Print out UTF8String and NumericString when parsing ASN1.
[Steve Henson]

*) Support NumericString type for name components.
[Steve Henson]

*) Allow CC in the environment to override the automatically chosen
compiler. Note that nothing is done to ensure flags work with the
chosen compiler.
[Ben Laurie]

--
//////////////////////////////////////////////////////////////////
Managed Services Division Tel. +81-44-812-8418
NEC Informatec Systems,Ltd. Susumu Kajino


Posted by xml-rpc: March 30, 2009 06:16
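
The CVE-2009-0590 entry in the CHANGES text above says that UniversalString and BMPString values with invalid lengths are now rejected, so that printing code which assumes a legal length never sees them. The C sketch below is an added example, not OpenSSL's code and not part of the original post, showing that kind of check at decode time; the function name, error codes and sample bytes are constructed for illustration, and it assumes the X.690 encodings of 2 octets per BMPString character and 4 per UniversalString character.

```c
#include <stddef.h>
#include <stdint.h>

/* Universal tag numbers and character widths from X.680/X.690. */
#define TAG_UNIVERSALSTRING 0x1C /* 4 octets per character */
#define TAG_BMPSTRING       0x1E /* 2 octets per character */

enum { STR_TRUNCATED = -1, STR_BAD_TAG = -2, STR_BAD_LENGTH = -3 };

/* Hypothetical helper (not an OpenSSL function): parse one DER TLV holding a
 * BMPString or UniversalString. Returns the character count and sets
 * *content, or returns a negative error and leaves *content untouched. */
long checked_char_count(const uint8_t *der, size_t der_len,
                        const uint8_t **content)
{
    size_t width, len, hdr = 2, n, i;

    if (der_len < 2)
        return STR_TRUNCATED;
    width = (der[0] == TAG_BMPSTRING) ? 2
          : (der[0] == TAG_UNIVERSALSTRING) ? 4 : 0;
    if (width == 0)
        return STR_BAD_TAG;

    len = der[1];
    if (len & 0x80) {            /* long form: low 7 bits count length octets */
        n = len & 0x7F;
        if (n == 0 || n > 2)     /* indefinite, or larger than this sketch handles */
            return STR_BAD_LENGTH;
        if (der_len < 2 + n)
            return STR_TRUNCATED;
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | der[2 + i];
        hdr += n;
    }
    if (len > der_len - hdr)     /* declared length runs past the buffer */
        return STR_TRUNCATED;
    if (len % width != 0)        /* not a whole number of characters: reject */
        return STR_BAD_LENGTH;
    *content = der + hdr;
    return (long)(len / width);
}

/* Constructed samples: "AB" as a BMPString, then a 3-octet body of each type. */
const uint8_t good_bmp[] = { 0x1E, 0x04, 0x00, 0x41, 0x00, 0x42 };
const uint8_t odd_bmp[]  = { 0x1E, 0x03, 0x00, 0x41, 0x00 };
const uint8_t bad_univ[] = { 0x1C, 0x03, 0x00, 0x00, 0x41 };
```

A printer that walks the content in 2- or 4-octet steps can rely on the returned character count only because the odd-length cases never get past the decoder.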