[OpenPKG-SA-2004.007] OpenPKG Security Advisory (openssl)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2004.007                                          18-Mar-2004
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7c-20040207  >= openssl-0.9.7d-20040318
OpenPKG 2.0          <= openssl-0.9.7c-2.0.0     >= openssl-0.9.7c-2.0.1
OpenPKG 1.3          <= openssl-0.9.7b-1.3.2     >= openssl-0.9.7b-1.3.3

Affected Releases:   Dependent Packages: (*)

OpenPKG CURRENT      apache blender cadaver cpu cups curl distcache
                     dsniff easysoap ethereal ettercap exim fetchmail
                     firefox gq imap imapd imaputils inn jabberd
                     kde-base kde-libs ldapdiff ldapvi libnetdude linc
                     links lynx lyx mailsync mico mixmaster monit
                     mozilla mutt mutt15 mysqlcc nagios nail neon
                     nessus-libs nessus-tool netdude nmap openldap
                     openssh openvpn orbit2 perl-ldap perl-net perl-ssl
                     perl-www pgadmin php php3 php5 pine postfix
                     postgresql pound proftpd qpopper qt samba samba3
                     sasl scribus sendmail siege sio sitecopy snort
                     socat squid stunnel subversion suck tcpdump
                     tinyproxy vorbis-tools w3m wget xine-ui

OpenPKG 2.0          apache cadaver cpu curl distcache ethereal
                     fetchmail imap imapd imaputils inn ldapdiff
                     ldapvi links lynx mailsync mico mozilla mutt
                     nail neon nessus-libs nessus-tool nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     pine postfix postgresql proftpd qpopper qt samba
                     sasl sendmail siege sio sitecopy snort socat
                     squid stunnel subversion suck tcpdump tinyproxy
                     vorbis-tools w3m wget

OpenPKG 1.3          apache cpu curl ethereal fetchmail imap imapd
                     inn links lynx mico mutt nail neon nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     postfix postgresql proftpd qpopper samba sasl
                     sendmail siege sio sitecopy snort socat squid
                     stunnel suck tcpdump vorbis-tools w3m wget

                 (*) many packages are only affected if they (or their
                     underlying packages) used certain TLS/SSL related
                     options ("with_xxx") during build time. Above is
                     a worst case list. Packages known to only use
                     libcrypto without libssl are not affected and were
                     already omitted from the list.

Description:
  According to an OpenSSL [0] security advisory [1], denial of service
  vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
  and versions 0.9.7a to 0.9.7c inclusive.

  Testing performed by the OpenSSL group uncovered a null-pointer
  assignment in the do_change_cipher_spec() function; a remote attacker
  can trigger it with a carefully crafted SSL/TLS handshake and crash a
  server that uses the library [1]. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0079 [2] to the
  problem.

  Stephen Henson discovered a flaw in SSL/TLS handshaking code
  when using Kerberos ciphersuites. The OpenPKG packages make no
  use of this functionality but the patch was included anyway. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0112 [3] to the problem.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), if any, too.
  [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the
  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get openssl-0.9.7c-2.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig openssl-0.9.7c-2.0.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild openssl-0.9.7c-2.0.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too. [4][5]
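
  The following script is an added example and not part of this advisory
  or of the OpenPKG project's tooling. It automates the check described
  above: given the package string that "<prefix>/bin/openpkg rpm -q
  openssl" prints, it derives the OpenPKG release from the release tag
  (an 8-digit date means CURRENT, otherwise the first two components,
  e.g. 2.0 or 1.3), and compares the installed version-release against
  the "Corrected Packages" column of the table above. The comparison is a
  simplified rpmvercmp-style one written for this example (runs of
  digits compared numerically, letters lexically; rpm additionally ranks
  numeric segments above alphabetic ones, which this data never needs).
  The function names vercmp and openssl_affected and the sample package
  strings at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not OpenPKG code): is the installed openssl package in the
# "Affected Packages" column of OpenPKG-SA-2004.007?

# vercmp A B: print -1, 0 or 1 for A<B, A==B, A>B.
# Simplified rpmvercmp: split both strings into runs of digits and letters,
# compare digit runs numerically and everything else as strings.
vercmp() {
    awk -v lhs="$1" -v rhs="$2" '
    function norm(s) {
        gsub(/[0-9]+/, " & ", s)          # isolate each run of digits
        gsub(/[^0-9A-Za-z]+/, " ", s)     # dots, dashes etc. become separators
        return s
    }
    function cmp(a, b,    ta, tb, na, nb, i, x, y) {
        na = split(norm(a), ta); nb = split(norm(b), tb)
        for (i = 1; i <= na && i <= nb; i++) {
            x = ta[i]; y = tb[i]
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) return -1
            if (x > y) return 1
        }
        # all common segments equal: the longer string is the newer one
        return (na < nb) ? -1 : (na > nb) ? 1 : 0
    }
    BEGIN { print cmp(lhs, rhs) }'
}

# openssl_affected NEVR: exit 0 if the package is affected, 1 if it already
# carries the fix, 2 if the release tag is not one this advisory covers.
# NEVR is the string "openpkg rpm -q openssl" prints, e.g. openssl-0.9.7c-2.0.0
openssl_affected() {
    vr=${1#openssl-}               # 0.9.7c-2.0.0 or 0.9.7c-20040207
    rel=${vr##*-}                  # 2.0.0 or 20040207
    case $rel in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
            fixed=0.9.7d-20040318 ;;   # OpenPKG CURRENT snapshot (date tag)
        2.0.*) fixed=0.9.7c-2.0.1 ;;   # OpenPKG 2.0
        1.3.*) fixed=0.9.7b-1.3.3 ;;   # OpenPKG 1.3
        *) echo "openssl_affected: unknown OpenPKG release tag '$rel'" >&2
           return 2 ;;
    esac
    # anything older than the corrected package is in the affected range
    [ "$(vercmp "$vr" "$fixed")" -lt 0 ]
}

# Constructed sample inputs standing in for real "openpkg rpm -q openssl" output.
for pkg in openssl-0.9.7c-2.0.0 openssl-0.9.7c-2.0.1 \
           openssl-0.9.7b-1.3.2 openssl-0.9.7c-20040207; do
    if openssl_affected "$pkg"; then
        echo "$pkg: AFFECTED, upgrade per OpenPKG-SA-2004.007 and rebuild dependents"
    else
        echo "$pkg: not affected"
    fi
done
```

  On a real host, feed it the live query instead of the sample list, e.g.
  openssl_affected "$(<prefix>/bin/openpkg rpm -q openssl)", and treat a
  zero exit status as the trigger for the Solution steps above, including
  the rebuild of the dependent packages listed for your release.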
________________________________________________________________________

References:
  [0] http://www.openssl.org/
  [1] http://www.openssl.org/news/secadv_20040317.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFAWaI6gHWT4GPEy58RAno0AJ9tgZtLU1hS1tZ2rlgTfL/DLOuSlQCfZMyY
p260tn2cKSH49rGk8H4aft0=
=ur9l
-----END PGP SIGNATURE-----