DOE-CIRC TECHNICAL BULLETIN

T-236: OpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Packet Denial of Service Vulnerability

[CVE-2009-1379]

September 22, 2009 15:00 GMT

PROBLEM: OpenSSL is prone to a vulnerability that may allow attackers to cause denial-of-service conditions.
PLATFORM: Canonical, Ubuntu 6.06 LTS; Canonical, Ubuntu 8.04 LTS; Canonical, Ubuntu 8.10; Debian, Debian Linux 4.0; Debian, Debian Linux 5.0; MandrakeSoft, Mandrake Linux 2008.1 X86_64; MandrakeSoft, Mandrake Linux 2008.1; MandrakeSoft, Mandrake Linux Corporate Server 4.0 X86_64; Mandriva, Linux 2009.0; Mandriva, Linux 2009.0 X86_64; OpenSSL, OpenSSL 1.0.0 Beta2; RedHat, Enterprise Linux 5; RedHat, Enterprise Linux 5 Client; RedHat, Enterprise Linux 5 Client Workstation.
ABSTRACT: A remote user can send an out-of-sequence DTLS handshake message to trigger a null pointer dereference in the dtls1_retrieve_buffered_fragment() function in 'ssl/d1_both.c' and cause the target daemon to crash.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-236.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35138/info
    XForce: http://xforce.iss.net/xforce/xfdb/50661
  CVE: CVE-2009-1379

IMPACT ASSESSMENT: This risk is low. By sending a specially-crafted DTLS packet, a remote attacker could exploit this vulnerability to cause the application to crash.

[***** Start CVE-2009-1379 *****]
Discussion:
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. 

The following proof of concept is available:
http://downloads.securityfocus.com/vulnerabilities/exploits/35138.txt

Solution:
Updates are available. Please see the list below for more information.

MandrakeSoft Linux Mandrake 2008.1 x86_64

* Mandriva lib64openssl0.9.8-0.9.8g-4.5mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-devel-0.9.8g-4.5mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-static-devel-0.9.8g-4.5mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8g-4.5mdv2008.1.x86_64.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Linux Mandrake 2008.1

* Mandriva libopenssl0.9.8-0.9.8g-4.5mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-devel-0.9.8g-4.5mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-static-devel-0.9.8g-4.5mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8g-4.5mdv2008.1.i586.rpm
http://www.mandriva.com/en/download/

MandrakeSoft Linux Mandrake 2009.1 x86_64

* Mandriva lib64openssl0.9.8-0.9.8k-1.2mdv2009.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-devel-0.9.8k-1.2mdv2009.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-static-devel-0.9.8k-1.2mdv2009.1.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8k-1.2mdv2009.1.x86_64.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 8.04 LTS powerpc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_powerpc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_powerpc.udeb

* Ubuntu libssl-dev_0.9.8g-4ubuntu3.7_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.7_powerpc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_powerpc.deb

* Ubuntu libssl0.9.8_0.9.8g-4ubuntu3.7_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.7_powerpc.deb

* Ubuntu openssl-doc_0.9.8g-4ubuntu3.7_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.7_all.deb

* Ubuntu openssl_0.9.8g-4ubuntu3.7_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.7_powerpc.deb

Ubuntu Ubuntu Linux 8.10 powerpc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_powerpc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_powerpc.udeb

* Ubuntu libssl-dev_0.9.8g-10.1ubuntu2.4_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.4_powerpc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_powerpc.deb

* Ubuntu libssl0.9.8_0.9.8g-10.1ubuntu2.4_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.4_powerpc.deb

* Ubuntu openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb

* Ubuntu openssl_0.9.8g-10.1ubuntu2.4_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.4_powerpc.deb

Ubuntu Ubuntu Linux 8.04 LTS sparc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_sparc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_sparc.udeb

* Ubuntu libssl-dev_0.9.8g-4ubuntu3.7_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.7_sparc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_sparc.deb

* Ubuntu libssl0.9.8_0.9.8g-4ubuntu3.7_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.7_sparc.deb

* Ubuntu openssl-doc_0.9.8g-4ubuntu3.7_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.7_all.deb

* Ubuntu openssl_0.9.8g-4ubuntu3.7_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.7_sparc.deb

Ubuntu Ubuntu Linux 8.10 i386

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_i386.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_i386.udeb

* Ubuntu libssl-dev_0.9.8g-10.1ubuntu2.4_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.4_i386.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_i386.deb

* Ubuntu libssl0.9.8_0.9.8g-10.1ubuntu2.4_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.4_i386.deb

* Ubuntu openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb

* Ubuntu openssl_0.9.8g-10.1ubuntu2.4_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.4_i386.deb

MandrakeSoft Enterprise Server 5 x86_64

* Mandriva lib64openssl0.9.8-0.9.8h-3.4mdvmes5.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-devel-0.9.8h-3.4mdvmes5.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-static-devel-0.9.8h-3.4mdvmes5.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8h-3.4mdvmes5.x86_64.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 6.06 LTS sparc

* Ubuntu libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_sparc.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_sparc.udeb

* Ubuntu libssl-dev_0.9.8a-7ubuntu0.9_sparc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.9_sparc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_sparc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_sparc.deb

* Ubuntu libssl0.9.8_0.9.8a-7ubuntu0.9_sparc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.9_sparc.deb

* Ubuntu openssl_0.9.8a-7ubuntu0.9_sparc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.9_sparc.deb

Ubuntu Ubuntu Linux 8.04 LTS amd64

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_amd64.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_amd64.udeb

* Ubuntu libssl-dev_0.9.8g-4ubuntu3.7_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.7_amd64.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_amd64.deb

* Ubuntu libssl0.9.8_0.9.8g-4ubuntu3.7_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.7_amd64.deb

* Ubuntu openssl-doc_0.9.8g-4ubuntu3.7_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.7_all.deb

* Ubuntu openssl_0.9.8g-4ubuntu3.7_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.7_amd64.deb

Ubuntu Ubuntu Linux 6.06 LTS powerpc

* Ubuntu libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_powerpc.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_powerpc.udeb

* Ubuntu libssl-dev_0.9.8a-7ubuntu0.9_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.9_powerpc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_powerpc.deb

* Ubuntu libssl0.9.8_0.9.8a-7ubuntu0.9_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.9_powerpc.deb

* Ubuntu openssl_0.9.8a-7ubuntu0.9_powerpc.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.9_powerpc.deb

MandrakeSoft Enterprise Server 5

* Mandriva libopenssl0.9.8-0.9.8h-3.4mdvmes5.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-devel-0.9.8h-3.4mdvmes5.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-static-devel-0.9.8h-3.4mdvmes5.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8h-3.4mdvmes5.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 9.04 sparc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_sparc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_sparc.udeb

* Ubuntu libssl-dev_0.9.8g-15ubuntu3.2_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-15ubuntu3.2_sparc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_sparc.deb

* Ubuntu libssl0.9.8_0.9.8g-15ubuntu3.2_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-15ubuntu3.2_sparc.deb

* Ubuntu openssl-doc_0.9.8g-15ubuntu3.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-15ubuntu3.2_all.deb

* Ubuntu openssl_0.9.8g-15ubuntu3.2_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-15ubuntu3.2_sparc.deb

Ubuntu Ubuntu Linux 9.04 powerpc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_powerpc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_powerpc.udeb

* Ubuntu libssl-dev_0.9.8g-15ubuntu3.2_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-15ubuntu3.2_powerpc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_powerpc.deb

* Ubuntu libssl0.9.8_0.9.8g-15ubuntu3.2_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-15ubuntu3.2_powerpc.deb

* Ubuntu openssl-doc_0.9.8g-15ubuntu3.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-15ubuntu3.2_all.deb

* Ubuntu openssl_0.9.8g-15ubuntu3.2_powerpc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-15ubuntu3.2_powerpc.deb

Ubuntu Ubuntu Linux 8.04 LTS lpia

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_lpia.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_lpia.udeb

* Ubuntu libssl-dev_0.9.8g-4ubuntu3.7_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.7_lpia.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_lpia.deb

* Ubuntu libssl0.9.8_0.9.8g-4ubuntu3.7_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.7_lpia.deb

* Ubuntu openssl-doc_0.9.8g-4ubuntu3.7_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.7_all.deb

* Ubuntu openssl_0.9.8g-4ubuntu3.7_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.7_lpia.deb

Ubuntu Ubuntu Linux 6.06 LTS i386

* Ubuntu libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_i386.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_i386.udeb

* Ubuntu libssl-dev_0.9.8a-7ubuntu0.9_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.9_i386.deb

* Ubuntu libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_i386.deb

* Ubuntu libssl0.9.8_0.9.8a-7ubuntu0.9_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.9_i386.deb

* Ubuntu openssl_0.9.8a-7ubuntu0.9_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.9_i386.deb

Ubuntu Ubuntu Linux 8.10 lpia

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_lpia.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_lpia.udeb

* Ubuntu libssl-dev_0.9.8g-10.1ubuntu2.4_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.4_lpia.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_lpia.deb

* Ubuntu libssl0.9.8_0.9.8g-10.1ubuntu2.4_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.4_lpia.deb

* Ubuntu openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb

* Ubuntu openssl_0.9.8g-10.1ubuntu2.4_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.4_lpia.deb

IBM AIX 6.1

* IBM openssl-fips.12.9.8.1101.tar.Z
AIX 6.1 and 5.3: FIPS capable versions less than 12.9.8.1101
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

* IBM openssl.0.9.8.840-AIX5.3_6.1.tar.Z
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

Ubuntu Ubuntu Linux 6.06 LTS amd64

* Ubuntu libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_amd64.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8a-7ubuntu0.9_amd64.udeb

* Ubuntu libssl-dev_0.9.8a-7ubuntu0.9_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.9_amd64.deb

* Ubuntu libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.9_amd64.deb

* Ubuntu libssl0.9.8_0.9.8a-7ubuntu0.9_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.9_amd64.deb

* Ubuntu openssl_0.9.8a-7ubuntu0.9_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.9_amd64.deb

IBM AIX 5.2

* IBM openssl.0.9.8.804-AIX-5.2.tar.Z
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

Ubuntu Ubuntu Linux 9.04 i386

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_i386.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_i386.udeb

* Ubuntu libssl-dev_0.9.8g-15ubuntu3.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-15ubuntu3.2_i386.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_i386.deb

* Ubuntu libssl0.9.8_0.9.8g-15ubuntu3.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-15ubuntu3.2_i386.deb

* Ubuntu openssl-doc_0.9.8g-15ubuntu3.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-15ubuntu3.2_all.deb

* Ubuntu openssl_0.9.8g-15ubuntu3.2_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-15ubuntu3.2_i386.deb

Ubuntu Ubuntu Linux 8.10 sparc

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_sparc.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_sparc.udeb

* Ubuntu libssl-dev_0.9.8g-10.1ubuntu2.4_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.4_sparc.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_sparc.deb

* Ubuntu libssl0.9.8_0.9.8g-10.1ubuntu2.4_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.4_sparc.deb

* Ubuntu openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb

* Ubuntu openssl_0.9.8g-10.1ubuntu2.4_sparc.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.4_sparc.deb

Ubuntu Ubuntu Linux 9.04 lpia

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_lpia.udeb
http://ports.ubuntu.com/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_lpia.udeb

* Ubuntu libssl-dev_0.9.8g-15ubuntu3.2_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl-dev_0.9.8g-15ubuntu3.2_lpia.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_lpia.deb

* Ubuntu libssl0.9.8_0.9.8g-15ubuntu3.2_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/libssl0.9.8_0.9.8g-15ubuntu3.2_lpia.deb

* Ubuntu openssl-doc_0.9.8g-15ubuntu3.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-15ubuntu3.2_all.deb

* Ubuntu openssl_0.9.8g-15ubuntu3.2_lpia.deb
http://ports.ubuntu.com/pool/main/o/openssl/openssl_0.9.8g-15ubuntu3.2_lpia.deb

MandrakeSoft Linux Mandrake 2009.0

* Mandriva libopenssl0.9.8-0.9.8h-3.4mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-devel-0.9.8h-3.4mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-static-devel-0.9.8h-3.4mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8h-3.4mdv2009.0.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 8.04 LTS i386

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_i386.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-4ubuntu3.7_i386.udeb

* Ubuntu libssl-dev_0.9.8g-4ubuntu3.7_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-4ubuntu3.7_i386.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-4ubuntu3.7_i386.deb

* Ubuntu libssl0.9.8_0.9.8g-4ubuntu3.7_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-4ubuntu3.7_i386.deb

* Ubuntu openssl-doc_0.9.8g-4ubuntu3.7_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-4ubuntu3.7_all.deb

* Ubuntu openssl_0.9.8g-4ubuntu3.7_i386.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-4ubuntu3.7_i386.deb

MandrakeSoft Linux Mandrake 2009.0 x86_64

* Mandriva lib64openssl0.9.8-0.9.8h-3.4mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-devel-0.9.8h-3.4mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva lib64openssl0.9.8-static-devel-0.9.8h-3.4mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8h-3.4mdv2009.0.x86_64.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 9.04 amd64

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_amd64.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15ubuntu3.2_amd64.udeb

* Ubuntu libssl-dev_0.9.8g-15ubuntu3.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-15ubuntu3.2_amd64.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15ubuntu3.2_amd64.deb

* Ubuntu libssl0.9.8_0.9.8g-15ubuntu3.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-15ubuntu3.2_amd64.deb

* Ubuntu openssl-doc_0.9.8g-15ubuntu3.2_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-15ubuntu3.2_all.deb

* Ubuntu openssl_0.9.8g-15ubuntu3.2_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-15ubuntu3.2_amd64.deb

MandrakeSoft Linux Mandrake 2009.1

* Mandriva libopenssl0.9.8-0.9.8k-1.2mdv2009.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-devel-0.9.8k-1.2mdv2009.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva libopenssl0.9.8-static-devel-0.9.8k-1.2mdv2009.1.i586.rpm
http://www.mandriva.com/en/download/

* Mandriva openssl-0.9.8k-1.2mdv2009.1.i586.rpm
http://www.mandriva.com/en/download/

Ubuntu Ubuntu Linux 8.10 amd64

* Ubuntu libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_amd64.udeb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-10.1ubuntu2.4_amd64.udeb

* Ubuntu libssl-dev_0.9.8g-10.1ubuntu2.4_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8g-10.1ubuntu2.4_amd64.deb

* Ubuntu libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8g-10.1ubuntu2.4_amd64.deb

* Ubuntu libssl0.9.8_0.9.8g-10.1ubuntu2.4_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8g-10.1ubuntu2.4_amd64.deb

* Ubuntu openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl-doc_0.9.8g-10.1ubuntu2.4_all.deb

* Ubuntu openssl_0.9.8g-10.1ubuntu2.4_amd64.deb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8g-10.1ubuntu2.4_amd64.deb

IBM AIX 5.3

* IBM openssl-fips.12.9.8.1101.tar.Z
AIX 6.1 and 5.3: FIPS capable versions less than 12.9.8.1101
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

* IBM openssl.0.9.8.840-AIX5.3_6.1.tar.Z
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

OpenSSL Project OpenSSL 1.0 Beta2

* OpenSSL Project retrieve_buffered_fragment.patch
http://rt.openssl.org/Ticket/Attachment/22142/10060/retrieve_buffered_fragment.patch
[***** End CVE-2009-1379 *****]
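
As an added example (not part of the DOE-CIRC bulletin), the Python code below checks whether an installed Ubuntu OpenSSL package version is at or above the fixed versions listed above, using a small reimplementation of Debian version ordering so that revisions such as 15ubuntu3.2 and 4ubuntu3.7 compare numerically. The function names, the release keys and the inventory rows are assumptions made for illustration; on a live host the installed version would come from `dpkg-query -W -f='${Version}' libssl0.9.8`.

```python
import re
from itertools import zip_longest

# Fixed Ubuntu package versions, copied from the bulletin's update list.
FIXED = {
    "6.06": "0.9.8a-7ubuntu0.9",
    "8.04": "0.9.8g-4ubuntu3.7",
    "8.10": "0.9.8g-10.1ubuntu2.4",
    "9.04": "0.9.8g-15ubuntu3.2",
}

def _order(ch):
    """dpkg rank of a non-digit character: '~' < end < letters < others."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _pairs(part):
    """Split e.g. 'ubuntu3.7' into [('ubuntu', 3), ('.', 7)]."""
    found = re.findall(r"([^0-9]*)([0-9]*)", part)
    return [(txt, int(num or 0)) for txt, num in found if txt or num]

def _cmp_part(a, b):
    """Compare two upstream or revision strings the way dpkg does."""
    for (a_txt, a_num), (b_txt, b_num) in zip_longest(
            _pairs(a), _pairs(b), fillvalue=("", 0)):
        width = max(len(a_txt), len(b_txt))
        # Pad the shorter text with rank 0 (end of string) before comparing.
        ka = [_order(c) for c in a_txt] + [0] * (width - len(a_txt))
        kb = [_order(c) for c in b_txt] + [0] * (width - len(b_txt))
        if ka != kb:
            return -1 if ka < kb else 1
        if a_num != b_num:
            return -1 if a_num < b_num else 1
    return 0

def _split(version):
    """Return (epoch, upstream, revision) of a Debian version string."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(release, installed):
    """True if the installed version is at or above the bulletin's fix."""
    if release not in FIXED:
        raise KeyError(f"no fixed version listed for Ubuntu {release}")
    return deb_compare(installed, FIXED[release]) >= 0

if __name__ == "__main__":
    # Constructed inventory rows: (host, Ubuntu release, installed version).
    inventory = [
        ("web1", "8.04", "0.9.8g-4ubuntu3.5"),
        ("vpn1", "8.10", "0.9.8g-10.1ubuntu2.4"),
        ("db1", "9.04", "0.9.8g-15ubuntu3.10"),
    ]
    for host, release, version in inventory:
        state = "patched" if is_patched(release, version) else "NEEDS UPDATE"
        print(f"{host}: Ubuntu {release} {version} -> {state}")
```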

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788