
Subject: [OpenPKG-SA-2003.044] OpenPKG Security Advisory (openssl)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2003.044                                          30-Sep-2003
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service, possibly arbitrary code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:         Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
OpenPKG 1.3          <= openssl-0.9.7b-1.3.1    >= openssl-0.9.7b-1.3.2
OpenPKG 1.2          <= openssl-0.9.7-1.2.3     >= openssl-0.9.7-1.2.4

Affected Releases:   Dependent Packages:

OpenPKG CURRENT      apache* bind blender cadaver cfengine cpu cups curl
                     distcache dsniff easysoap ethereal* exim fetchmail
                     imap imapd imaputils inn jabberd kde-base kde-libs
                     linc links lynx mailsync meta-core mico* mixmaster
                     monit* mozilla mutt mutt15 nail neon nessus-libs
                     nmap openldap openssh openvpn perl-ssl pgadmin php*
                     pine* postfix* postgresql pound proftpd* qpopper
                     rdesktop samba samba3 sasl scanssh sendmail* siege
                     sio* sitecopy snmp socat squid* stunnel subversion
                     suck sysmon tcpdump tinyca w3m wget xmlsec

OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
                     imap imapd inn links lynx mico* mutt nail neon
                     openldap openssh perl-ssl php* postfix* postgresql
                     proftpd* qpopper rdesktop samba sasl scanssh
                     sendmail* siege sio* sitecopy snmp socat squid*
                     stunnel suck sysmon tcpdump tinyca w3m wget xmlsec

OpenPKG 1.2          apache* bind cpu curl ethereal* fetchmail imap inn
                     links lynx mico* mutt nail neon openldap openssh
                     perl-ssl postfix* postgresql qpopper rdesktop samba
                     sasl scanssh sendmail* siege sitecopy snmp socat
                     stunnel sysmon tcpdump tinyca w3m wget

                 (*) marked packages are only affected if certain build
                     options ("with_xxx") were used at build time. See
                     Appendix below for details.

Description:
  According to an OpenSSL [0] security advisory [1], multiple
  vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
  and 0.9.7b:

  1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
     parser can trigger a bug in the deallocation of the corresponding
     data structure, corrupting the stack.

  2. Unusual ASN.1 tag values can cause an out of bounds read under
     certain circumstances.

  3. A malformed public key in a certificate will crash the verify code
     if it is set to ignore public key decoding errors (which is usually
     not the case, except for debugging purposes).

  4. Due to an error in the SSL/TLS protocol handling, a server will
     parse a client certificate when one is not specifically requested.
     This means that all OpenSSL based SSL/TLS servers can be attacked
     using vulnerabilities 1, 2 and 3 even if they don't enable client
     authentication.

  The Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
  problems.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too. [5][6]
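  The following POSIX shell script is an added example and not part of the
  OpenPKG advisory. It takes the string printed by "<prefix>/bin/rpm -q
  openssl" (assumed to be the usual name-version-release form, e.g.
  "openssl-0.9.7b-1.3.1"), the OpenPKG release it came from, and decides
  from the "Corrected Packages" column above whether the host still runs
  an affected openssl. The three sample outputs at the bottom are
  constructed for the demonstration; the function names are the example's
  own.

```shell
#!/bin/sh
# Added example (not OpenPKG's own tooling): compare an installed openssl
# package against the corrected packages listed in OpenPKG-SA-2003.044.

# First corrected package per OpenPKG release, copied from the advisory.
corrected_for_release() {
    case "$1" in
        CURRENT) printf '%s\n' "0.9.7b-20030930" ;;
        1.3)     printf '%s\n' "0.9.7b-1.3.2" ;;
        1.2)     printf '%s\n' "0.9.7-1.2.4" ;;
        *)       return 1 ;;          # release not covered by this advisory
    esac
}

# Compare two dotted numeric release tags component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b (missing components count as 0).
release_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# is_affected "<rpm -q openssl output>" "<OpenPKG release>"
# Exit status: 0 = affected (older than the corrected package),
#              1 = already at or beyond the corrected package,
#              2 = input cannot be interpreted against this advisory.
is_affected() {
    installed="$1"; release="$2"
    fixed=$(corrected_for_release "$release") || return 2
    # "package openssl is not installed" and similar do not match this shape
    case "$installed" in
        openssl-*-*) ;;
        *) return 2 ;;
    esac
    vr="${installed#openssl-}"               # version-release
    inst_ver="${vr%-*}";  inst_rel="${vr##*-}"
    fix_ver="${fixed%-*}"; fix_rel="${fixed##*-}"
    # A different upstream version than the advisory's track for this
    # release is outside the table: report it as unknown, never as "safe".
    [ "$inst_ver" = "$fix_ver" ] || return 2
    [ "$(release_cmp "$inst_rel" "$fix_rel")" -lt 0 ]
}

# Constructed sample outputs of "<prefix>/bin/rpm -q openssl" on three hosts.
for sample in "openssl-0.9.7b-1.3.1 1.3" \
              "openssl-0.9.7b-1.3.2 1.3" \
              "openssl-0.9.7b-20030806 CURRENT"; do
    set -- $sample
    if is_affected "$1" "$2"; then
        echo "$1 (OpenPKG $2): AFFECTED, upgrade to openssl-$(corrected_for_release "$2")"
    elif [ $? -eq 1 ]; then
        echo "$1 (OpenPKG $2): not affected"
    else
        echo "$1 (OpenPKG $2): cannot be judged against this advisory"
    fi
done
```

  Note that the script only answers for the "openssl" package itself; the
  dependent packages listed above still have to be rebuilt against the
  corrected openssl even when this check reports "not affected" after the
  upgrade.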

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get openssl-0.9.7b-1.3.2.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm

  Additionally, you have to rebuild and reinstall all dependent
  packages (see above), too. [5][6]
________________________________________________________________________

Appendix:
  Some packages are only affected if certain package options
  ("with_xxx") were used at build time. Please check whether you are
  affected by running "<prefix>/bin/rpm -qi <package>". The table below
  lists all those packages, their options and values that make up the
  difference regarding this advisory for OpenPKG CURRENT, 1.3 and 1.2.
  Packages or options that were not available in a particular release
  are marked "=".

  package    option "with_"     CUR 1.3 1.2
  -----------------------------------------
  apache     mod_ssl            yes yes yes
   :         mod_php_pgsql      yes yes  =
   :         mod_php_openssl    yes yes yes
   :         mod_php_openldap   yes yes yes
   :         mod_php_imap       yes yes  =
   :         mod_php3_openssl   yes yes yes
   :         mod_auth_ldap      yes yes yes
  ethereal   openssl            yes yes yes
  mico       ssl                yes yes yes
  monit      ssl                yes  =   =
  php        openssl            yes yes  =
   :         imap               yes yes  =
  pine       ssl                yes  =   =
  postfix    tls                yes yes yes
   :         ldap               yes yes  =
  proftpd    pgsql              yes yes  =
   :         ldap               yes yes  =
  sendmail   tls                yes yes yes
   :         sasl               yes yes yes
   :         ldap               yes yes yes
  sio        bio                yes yes  =
  squid      ssl                yes yes  =
________________________________________________________________________

References:
  [0]  http://www.openssl.org/
  [1]  http://www.openssl.org/news/secadv_20030930.txt
  [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
  [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
  [5]  http://www.openpkg.org/tutorial.html#regular-source
  [6]  http://www.openpkg.org/tutorial.html#regular-binary
  [7]  ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
  [8]  ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
  [9]  ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQE/eX0UgHWT4GPEy58RAplhAJ0c+GMqHgDjrgIYdcCkgKi/jzgWtgCeLc5T
B84GXRZS675YJYwrEc5Audk=
=+vWe
-----END PGP SIGNATURE-----