----------------------------------------------------------------------- Immunix Secured OS Security Advisory Packages updated: openssl Affected products: Immunix OS 7+ Bugs fixed: CAN-2003-0543 CAN-2003-0544 Date: Mon Sep 29 2003 Advisory ID: IMNX-2003-7+-022-01 Author: Seth Arnold <sarnold@xxxxxxxxxxx> ----------------------------------------------------------------------- Description: The UK National Infrastructure Security Co-ordination Centre (NISCC) has commissioned an audit of OpenSSL, similar to the audit performed on SNMP by Oulu Security Programming Group. Stephen Henson, of the OpenSSL core team, has analysed the results and produced a patch to address the problems found. NISCC's description of the problem: "An unusual ASN.1 tag value can cause an out of bounds read under certain circumstances resulting in a Denial of Service condition. [...] For example, if one of the parties involved in a TLS/SSL connection sends an ASN.1 element that cannot be handled properly, the behaviour of the receiving application may be unpredictable. It has been found that a vulnerability can arise where one of the parties generates an exceptional ASN.1 element as part of a client certificate. A Denial of Service may arise in the receiving application, or there may be an opportunity for further exploitation." Immunix, Inc., would like to thank Stephen Henson for the patches and NISCC for preparing the SSL test suite. References: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 Package names and locations: Precompiled binary packages for Immunix 7+ are available at: http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm A source package for Immunix 7+ is available at: http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm Immunix OS 7+ md5sums: f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm 8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm 1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm GPG verification: Our public keys are available at http://download.immunix.org/GPG_KEY Immunix, Inc., has changed policy with GPG keys. We maintain several keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for Immunix 7.3 package signing, and 1B7456DA for general security issues. NOTE: Ibiblio is graciously mirroring our updates, so if the links above are slow, please try: ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/ or one of the many mirrors available at: http://www.ibiblio.org/pub/Linux/MIRRORS.html ImmunixOS 6.2 is no longer officially supported. ImmunixOS 7.0 is no longer officially supported. Contact information: To report vulnerabilities, please contact security@xxxxxxxxxxxx Immunix attempts to conform to the RFP vulnerability disclosure protocol http://www.wiretrip.net/rfp/policy.html.
Attachment:
pgpcQX7lb1Ekl.pgp
Description: PGP signature