[OpenPKG-SA-2004.007] OpenPKG Security Advisory (openssl)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                         The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                      openpkg@xxxxxxxxxxx
OpenPKG-SA-2004.007                               18-Mar-2004
________________________________________________________________________
Package: openssl
Vulnerability: denial of service
OpenPKG Specific: no
Affected Releases:   Affected Packages:            Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7c-20040207    >= openssl-0.9.7d-20040318
OpenPKG 2.0          <= openssl-0.9.7c-2.0.0       >= openssl-0.9.7c-2.0.1
OpenPKG 1.3          <= openssl-0.9.7b-1.3.2       >= openssl-0.9.7b-1.3.3
Affected Releases:   Dependent Packages: (*)
OpenPKG CURRENT      apache blender cadaver cpu cups curl distcache
                     dsniff easysoap ethereal ettercap exim fetchmail
                     firefox gq imap imapd imaputils inn jabberd
                     kde-base kde-libs ldapdiff ldapvi libnetdude linc
                     links lynx lyx mailsync mico mixmaster monit
                     mozilla mutt mutt15 mysqlcc nagios nail neon
                     nessus-libs nessus-tool netdude nmap openldap
                     openssh openvpn orbit2 perl-ldap perl-net perl-ssl
                     perl-www pgadmin php php3 php5 pine postfix
                     postgresql pound proftpd qpopper qt samba samba3
                     sasl scribus sendmail siege sio sitecopy snort
                     socat squid stunnel subversion suck tcpdump
                     tinyproxy vorbis-tools w3m wget xine-ui
OpenPKG 2.0          apache cadaver cpu curl distcache ethereal
                     fetchmail imap imapd imaputils inn ldapdiff
                     ldapvi links lynx mailsync mico mozilla mutt
                     nail neon nessus-libs nessus-tool nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     pine postfix postgresql proftpd qpopper qt samba
                     sasl sendmail siege sio sitecopy snort socat
                     squid stunnel subversion suck tcpdump tinyproxy
                     vorbis-tools w3m wget
OpenPKG 1.3          apache cpu curl ethereal fetchmail imap imapd
                     inn links lynx mico mutt nail neon nmap openldap
                     openssh perl-ldap perl-net perl-ssl perl-www php
                     postfix postgresql proftpd qpopper samba sasl
                     sendmail siege sio sitecopy snort socat squid
                     stunnel suck tcpdump vorbis-tools w3m wget
(*) Many packages are only affected if they (or their underlying
    packages) used certain TLS/SSL related options ("with_xxx") at
    build time. The above is a worst-case list. Packages known to use
    only libcrypto and not libssl are not affected and have already
    been omitted from the list.
Description:
According to an OpenSSL [0] security advisory [1], denial of service
vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
and versions 0.9.7a to 0.9.7c inclusive.
Testing performed by the OpenSSL group uncovered a null-pointer
assignment in the do_change_cipher_spec() function. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2004-0079 [2] to the problem.
Stephen Henson discovered a flaw in SSL/TLS handshaking code
when using Kerberos ciphersuites. The OpenPKG packages make no
use of this functionality but the patch was included anyway. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2004-0112 [3] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and its dependent packages (see above), if any, too.
[4][5]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
location, verify its integrity [10], build a corresponding binary RPM
from it [4] and update your OpenPKG installation by applying the
binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/2.0/UPD
ftp> get openssl-0.9.7c-2.0.1.src.rpm
ftp> bye
$ <prefix>/bin/openpkg rpm -v --checksig openssl-0.9.7c-2.0.1.src.rpm
$ <prefix>/bin/openpkg rpm --rebuild openssl-0.9.7c-2.0.1.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm
Additionally, we recommend that you rebuild and reinstall
all dependent packages (see above), if any, too. [4][5]
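As an added example (not part of this advisory or of the OpenPKG tools), the following POSIX shell script automates the "am I affected?" check described above: it takes the OpenPKG release and the package string that "<prefix>/bin/openpkg rpm -q openssl" prints, and compares it RPM-style (version first, then release) against the corrected package from the table. The table of corrected packages is copied from the advisory; the sample query results at the bottom are constructed, and treating every package older than the corrected one as needing the upgrade is this script's own conservative assumption (for OpenPKG CURRENT it also covers snapshots between 20040207 and 20040318). The fetch, --checksig, --rebuild and -Fvh steps still have to be carried out as shown in the Solution.

```shell
#!/bin/sh
# Added example, not part of the OpenPKG advisory or of the OpenPKG tools.
# Decides whether an installed OpenPKG "openssl" package, as printed by
# "<prefix>/bin/openpkg rpm -q openssl" (e.g. openssl-0.9.7c-2.0.0), is older
# than the corrected package the advisory lists for that OpenPKG release.

# Corrected packages, copied from the advisory's table.
corrected_for_release() {
    case "$1" in
        CURRENT) echo "openssl-0.9.7d-20040318" ;;
        2.0)     echo "openssl-0.9.7c-2.0.1" ;;
        1.3)     echo "openssl-0.9.7b-1.3.3" ;;
        *)       return 1 ;;
    esac
}

# Compare two RPM-style version or release strings segment by segment
# (split on "."); each segment is compared by its numeric prefix first and
# then by its letter suffix, so 0.9.7c < 0.9.7d and 0.9.7 < 0.9.7c.
# Prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            sa = (i <= na) ? x[i] : ""; sb = (i <= nb) ? y[i] : ""
            numa = sa; sub(/[^0-9].*$/, "", numa); txta = sa; sub(/^[0-9]*/, "", txta)
            numb = sb; sub(/[^0-9].*$/, "", numb); txtb = sb; sub(/^[0-9]*/, "", txtb)
            if (numa + 0 != numb + 0) { r = (numa + 0 < numb + 0) ? -1 : 1; print r; exit }
            if (txta != txtb)         { r = (txta < txtb) ? -1 : 1; print r; exit }
        }
        print 0
    }'
}

# Print the version and release fields of name-version-release, e.g.
# openssl-0.9.7c-2.0.0 -> "0.9.7c 2.0.0".
nvr_fields() {
    echo "$1" | awk -F- '{ print $(NF-1), $NF }'
}

# Usage: openssl_affected <OpenPKG release> <installed package string>
# Exit status 0 if the installed package is older than the corrected one,
# 1 if it is already current, 2 for a release the advisory does not cover.
openssl_affected() {
    fixed=$(corrected_for_release "$1") || { echo "release $1 not covered" >&2; return 2; }
    inst_ver=$(nvr_fields "$2" | cut -d' ' -f1); inst_rel=$(nvr_fields "$2" | cut -d' ' -f2)
    fix_ver=$(nvr_fields "$fixed" | cut -d' ' -f1); fix_rel=$(nvr_fields "$fixed" | cut -d' ' -f2)
    c=$(vercmp "$inst_ver" "$fix_ver")
    if [ "$c" -eq 0 ]; then c=$(vercmp "$inst_rel" "$fix_rel"); fi
    [ "$c" -lt 0 ]
}

# Constructed sample query results for four hosts (not real output):
for sample in "2.0 openssl-0.9.7c-2.0.0" "2.0 openssl-0.9.7c-2.0.1" \
              "1.3 openssl-0.9.7b-1.3.2" "CURRENT openssl-0.9.7c-20040207"; do
    set -- $sample
    if openssl_affected "$1" "$2"; then
        echo "OpenPKG $1: $2 is affected, upgrade to $(corrected_for_release "$1")"
    else
        echo "OpenPKG $1: $2 is not affected"
    fi
done
# On a real OpenPKG 2.0 host (assuming <prefix> is /openpkg; adjust as needed):
#   openssl_affected 2.0 "$(/openpkg/bin/openpkg rpm -q openssl)" && echo "upgrade needed"
```

The comparison deliberately stays within one OpenPKG release line, as the advisory's table does; it does not try to decide whether a package from a different release is newer or older.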
________________________________________________________________________
References:
[0] http://www.openssl.org/
[1] http://www.openssl.org/news/secadv_20040317.txt
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
[4] http://www.openpkg.org/tutorial.html#regular-source
[5] http://www.openpkg.org/tutorial.html#regular-binary
[6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
[7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
[8] ftp://ftp.openpkg.org/release/1.3/UPD/
[9] ftp://ftp.openpkg.org/release/2.0/UPD/
[10] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>
iD8DBQFAWaI6gHWT4GPEy58RAno0AJ9tgZtLU1hS1tZ2rlgTfL/DLOuSlQCfZMyY
p260tn2cKSH49rGk8H4aft0=
=ur9l
-----END PGP SIGNATURE-----