Subject: [OpenPKG-SA-2003.044] OpenPKG Security Advisory (openssl)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2003.044                                  30-Sep-2003
________________________________________________________________________
Package: openssl
Vulnerability: denial of service, possibly arbitrary code execution
OpenPKG Specific: no
Affected Releases:   Affected Packages:            Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7b-20030806    >= openssl-0.9.7b-20030930
OpenPKG 1.3          <= openssl-0.9.7b-1.3.1       >= openssl-0.9.7b-1.3.2
OpenPKG 1.2          <= openssl-0.9.7-1.2.3        >= openssl-0.9.7-1.2.4
Affected Releases:   Dependent Packages:
OpenPKG CURRENT      apache* bind blender cadaver cfengine cpu cups curl
                     distcache dsniff easysoap ethereal* exim fetchmail
                     imap imapd imaputils inn jabberd kde-base kde-libs
                     linc links lynx mailsync meta-core mico* mixmaster
                     monit* mozilla mutt mutt15 nail neon nessus-libs
                     nmap openldap openssh openvpn perl-ssl pgadmin php*
                     pine* postfix* postgresql pound proftpd* qpopper
                     rdesktop samba samba3 sasl scanssh sendmail* siege
                     sio* sitecopy snmp socat squid* stunnel subversion
                     suck sysmon tcpdump tinyca w3m wget xmlsec
OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
                     imap imapd inn links lynx mico* mutt nail neon
                     openldap openssh perl-ssl php* postfix* postgresql
                     proftpd* qpopper rdesktop samba sasl scanssh
                     sendmail* siege sio* sitecopy snmp socat squid*
                     stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
OpenPKG 1.2          apache* bind cpu curl ethereal* fetchmail imap inn
                     links lynx mico* mutt nail neon openldap openssh
                     perl-ssl postfix* postgresql qpopper rdesktop samba
                     sasl scanssh sendmail* siege sitecopy snmp socat
                     stunnel sysmon tcpdump tinyca w3m wget
                     (*) marked packages are only affected if certain build
                     options ("with_xxx") were used at build time. See
                     Appendix below for details.
Description:
According to an OpenSSL [0] security advisory [1], multiple
vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
and 0.9.7b:
1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
parser can trigger a bug in the deallocation of the corresponding
data structure, corrupting the stack.
2. Unusual ASN.1 tag values can cause an out-of-bounds read under
certain circumstances.
3. A malformed public key in a certificate will crash the verify code
if it is set to ignore public key decoding errors (which is usually
not the case, except for debugging purposes).
4. Due to an error in the SSL/TLS protocol handling, a server will
parse a client certificate when one is not specifically requested.
This means that all OpenSSL based SSL/TLS servers can be attacked
using vulnerabilities 1, 2 and 3 even if they don't enable client
authentication.
The Common Vulnerabilities and Exposures (CVE) project assigned the
ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
problems.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and its dependent packages (see above), too. [5][6]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
location, verify its integrity [11], build a corresponding binary
RPM from it [5] and update your OpenPKG installation by applying the
binary RPM [6]. For the current release OpenPKG 1.3, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get openssl-0.9.7b-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm
Additionally, you have to rebuild and reinstall all dependent
packages (see above), too. [5][6]
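The version check requested above can be scripted. The following POSIX shell snippet is an added example, not part of this advisory and not OpenPKG tooling: it encodes the affected and corrected ranges from the table at the top of this advisory and classifies a package name exactly as "<prefix>/bin/rpm -q openssl" prints it. The function names (openssl_affected, classify) and the sample package names at the bottom are the example's own and constructed for illustration, not captured from a real host. Anything the check cannot match with certainty (a different upstream version, a package release it cannot parse) is reported as "unknown" rather than as safe, so those cases get compared with the advisory table by hand.

```shell
#!/bin/sh
# Added example for OpenPKG-SA-2003.044 (not part of the advisory or of
# OpenPKG): decide whether an installed openssl package falls inside the
# affected range listed in the advisory table.
#
# openssl_affected RELEASE PACKAGE
#   RELEASE  OpenPKG release the host runs: CURRENT, 1.3 or 1.2
#   PACKAGE  package name as printed by "<prefix>/bin/rpm -q openssl",
#            e.g. openssl-0.9.7b-1.3.1
# Exit status: 0 = affected, 1 = corrected version, 2 = unknown
# (different upstream version or unparsable release; check by hand).
openssl_affected() {
    rel=$1
    pkg=$2
    case "$pkg" in openssl-*-*) ;; *) return 2 ;; esac
    ver=${pkg#openssl-}      # 0.9.7b-1.3.1
    upstream=${ver%%-*}      # 0.9.7b
    pkgrel=${ver#*-}         # 1.3.1, or a YYYYMMDD snapshot on CURRENT
    # Ranges taken from the advisory's "Affected Packages" column.
    case "$rel" in
        CURRENT) want=0.9.7b; prefix="";     last_bad=20030806 ;;
        1.3)     want=0.9.7b; prefix="1.3."; last_bad=1 ;;
        1.2)     want=0.9.7;  prefix="1.2."; last_bad=3 ;;
        *)       return 2 ;;
    esac
    # Fail closed: an upstream version other than the one in the table is
    # reported as unknown, never silently declared safe.
    [ "$upstream" = "$want" ] || return 2
    case "$pkgrel" in "$prefix"*) ;; *) return 2 ;; esac
    n=${pkgrel#"$prefix"}
    case "$n" in ''|*[!0-9]*) return 2 ;; esac
    [ "$n" -le "$last_bad" ]
}

# classify RELEASE PACKAGE: print a verdict line; always returns 0 so it
# is safe to call under "set -e".
classify() {
    rc=0
    openssl_affected "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: AFFECTED on OpenPKG $1 - upgrade openssl and rebuild dependent packages" ;;
        1) echo "$2: corrected version on OpenPKG $1" ;;
        *) echo "$2: unknown for OpenPKG $1 - compare with the advisory table by hand" ;;
    esac
}

# Constructed samples (not output captured from a real host). On a real
# system use: classify 1.3 "$(<prefix>/bin/rpm -q openssl)"
classify 1.3 openssl-0.9.7b-1.3.1
classify 1.3 openssl-0.9.7b-1.3.2
classify CURRENT openssl-0.9.7b-20030806
```

The check only answers the first question the advisory asks (is the installed openssl package affected); the dependent packages still have to be rebuilt and reinstalled after the upgrade as described above, and the "with_xxx" build options from the Appendix still have to be inspected by hand.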
________________________________________________________________________
Appendix:
Some packages are only affected if certain package options
("with_xxx") were used at build time. Please check whether you are
affected by running "<prefix>/bin/rpm -qi <package>". The table below
lists those packages together with the option values that make them
affected by this advisory, for OpenPKG CURRENT, 1.3 and 1.2.
Packages or options that were not available in a particular release
are marked "=".
package    option "with_"      CUR   1.3   1.2
-----------------------------------------------
apache     mod_ssl             yes   yes   yes
:          mod_php_pgsql       yes   yes   =
:          mod_php_openssl     yes   yes   yes
:          mod_php_openldap    yes   yes   yes
:          mod_php_imap        yes   yes   =
:          mod_php3_openssl    yes   yes   yes
:          mod_auth_ldap       yes   yes   yes
ethereal   openssl             yes   yes   yes
mico       ssl                 yes   yes   yes
monit      ssl                 yes   =     =
php        openssl             yes   yes   =
:          imap                yes   yes   =
pine       ssl                 yes   =     =
postfix    tls                 yes   yes   yes
:          ldap                yes   yes   =
proftpd    pgsql               yes   yes   =
:          ldap                yes   yes   =
sendmail   tls                 yes   yes   yes
:          sasl                yes   yes   yes
:          ldap                yes   yes   yes
sio        bio                 yes   yes   =
squid      ssl                 yes   yes   =
________________________________________________________________________
References:
[0] http://www.openssl.org/
[1] http://www.openssl.org/news/secadv_20030930.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
[5] http://www.openpkg.org/tutorial.html#regular-source
[6] http://www.openpkg.org/tutorial.html#regular-binary
[7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
[8] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
[9] ftp://ftp.openpkg.org/release/1.2/UPD/
[10] ftp://ftp.openpkg.org/release/1.3/UPD/
[11] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>
iD8DBQE/eX0UgHWT4GPEy58RAplhAJ0c+GMqHgDjrgIYdcCkgKi/jzgWtgCeLc5T
B84GXRZS675YJYwrEc5Audk=
=+vWe
-----END PGP SIGNATURE-----