From openpkg@openpkg.org Tue Jul 30 14:12:43 2002
From: OpenPKG
To: bugtraq@securityfocus.com
Date: Tue, 30 Jul 2002 15:06:36 +0200
Subject: [OpenPKG-SA-2002.008] OpenPKG Security Advisory (openssl)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.008                                          30-Jul-2002
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected Releases:   OpenPKG 1.0                OpenPKG CURRENT
Affected Packages:   <= openssl-0.9.6b-1.0.0    <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1    >= openssl-0.9.6e

Dependent Packages:  apache                     apache
                     curl                       bind
                     fetchmail                  cadaver
                     imapd                      cpu
                     inn                        curl
                     links                      dsniff
                     lynx                       exim
                     mutt                       fetchmail
                     openldap                   imapd
                     openssh                    inn
                     perl-ssl                   links
                     postfix                    lynx
                     postgresql                 mutt
                     qpopper                    neon
                     samba                      openldap
                     sasl                       openssh
                     scanssh                    openvpn
                     sendmail                   perl-ssl
                     siege                      postfix
                     sitecopy                   postgresql
                     snmp                       qpopper
                     stunnel                    rdesktop
                     tcpdump                    samba
                     w3m                        sasl
                                                scanssh
                                                sendmail
                                                siege
                                                sitecopy
                                                snmp
                                                stunnel
                                                sysmon
                                                tcpdump
                                                w3m

Description:
  According to an official security advisory from the OpenSSL team,
  there are four remotely exploitable buffer overflows that affect
  various OpenSSL client and server implementations [5]. There are also
  parsing problems in the ASN.1 library used by OpenSSL. The Common
  Vulnerabilities and Exposures (CVE) project assigned the ids
  CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
  CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
  could be used by a remote attacker to execute arbitrary code on the
  target system. All could be used to create a denial of service.

  Please check whether you are affected by running "/bin/rpm -q
  openssl". If you have the "openssl" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution). All dependent OpenPKG packages (see the list above)
  must then be rebuilt and reinstalled as well [2].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it and
  update your OpenPKG installation by applying the binary RPM [2]. For
  the latest OpenPKG 1.0 release, perform the following operations to
  permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssl-0.9.6b-1.0.1.src.rpm
  ftp> bye
  $ /bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
  $ /bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Do not proceed past the "--checksig" step unless it reports the GPG
  signature as OK; it can only verify the signature if the OpenPKG
  signing key has been made available to it [1].

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too (see list above).
________________________________________________________________________

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
  [5] http://www.openssl.org/news/secadv_20020730.txt
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
  [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
  [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
  [9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG" (ID 63C4CB9F) of the OpenPKG project which
you can find under the official URL http://www.openpkg.org/openpkg.pgp
or on http://keyserver.pgp.com/. To check the integrity of this
advisory, verify its digital signature by using GnuPG
(http://www.gnupg.org/). For instance, pipe this message to the command
"gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----
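The two checks the advisory asks an administrator to make by hand, "is my openssl package older than the corrected one?" and "which of my installed packages are on the dependent list and must be rebuilt?", as an added POSIX sh example written for this page. It is not OpenPKG's own tooling. The function names (segments, vercmp, split_nvr, is_affected, dependents_to_rebuild) are chosen here, vercmp is a simplified reimplementation of rpm's version comparison (digit and letter segments only, no epoch or tilde handling), and the installed-package sample is constructed so the script runs offline; on a real host feed it the live output of "/bin/rpm -q openssl" and "/bin/rpm -qa --qf '%{NAME}\n'" instead.

```shell
#!/bin/sh
# Added example for this page, not OpenPKG's own tooling. Decides from
# "rpm -q openssl" output whether the installed openssl is older than the
# corrected package, and from "rpm -qa" output which dependent packages
# must be rebuilt. The package lists below are taken from the advisory;
# the installed-package sample is constructed for offline use.

# Corrected packages from the advisory, per OpenPKG release.
FIXED_10="openssl-0.9.6b-1.0.1"
FIXED_CURRENT="openssl-0.9.6e"

# Dependent packages from the advisory, per OpenPKG release.
DEPENDENTS_10="apache curl fetchmail imapd inn links lynx mutt openldap
openssh perl-ssl postfix postgresql qpopper samba sasl scanssh sendmail
siege sitecopy snmp stunnel tcpdump w3m"
DEPENDENTS_CURRENT="apache bind cadaver cpu curl dsniff exim fetchmail
imapd inn links lynx mutt neon openldap openssh openvpn perl-ssl postfix
postgresql qpopper rdesktop samba sasl scanssh sendmail siege sitecopy
snmp stunnel sysmon tcpdump w3m"

# Split a version or release string into rpmvercmp-style segments: runs of
# digits and runs of letters, with everything else acting as a separator.
segments() {
    printf '%s\n' "$1" | sed \
        -e 's/[^A-Za-z0-9][^A-Za-z0-9]*/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        -e 's/^ *//' -e 's/ *$//'
}

# Simplified rpmvercmp (no epoch or tilde handling): numeric segments compare
# as integers, alphabetic ones bytewise, a numeric segment outranks an
# alphabetic one, and the string with segments left over is newer.
# Prints -1, 0 or 1.
vercmp() {
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] && [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        a=${a#"$x"}; a=${a#" "}
        b=${b#"$y"}; b=${b#" "}
        case $x in *[!0-9]*) xnum=0 ;; *) xnum=1 ;; esac
        case $y in *[!0-9]*) ynum=0 ;; *) ynum=1 ;; esac
        if [ "$xnum" -ne "$ynum" ]; then
            if [ "$xnum" -eq 1 ]; then echo 1; else echo -1; fi; return
        fi
        if [ "$xnum" -eq 1 ]; then
            if [ "$x" -gt "$y" ]; then echo 1; return; fi
            if [ "$x" -lt "$y" ]; then echo -1; return; fi
        elif [ "$x" != "$y" ]; then
            first=$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n 1)
            if [ "$first" = "$y" ]; then echo 1; else echo -1; fi; return
        fi
    done
    if [ -n "$a" ]; then echo 1; elif [ -n "$b" ]; then echo -1; else echo 0; fi
}

# Split "openssl-version-release" (or "openssl-version") as printed by
# "rpm -q openssl" into pkg_version and pkg_release.
split_nvr() {
    vr=${1#openssl-}
    case $vr in
    *-*) pkg_version=${vr%-*}; pkg_release=${vr##*-} ;;
    *)   pkg_version=$vr;      pkg_release="" ;;
    esac
}

# Prints "yes" if the installed package ($1) is older than the corrected
# package ($2), "no" otherwise. Releases are only compared when both sides
# carry one, because the advisory's CURRENT entries omit it.
is_affected() {
    split_nvr "$1"; iv=$pkg_version; ir=$pkg_release
    split_nvr "$2"; fv=$pkg_version; fr=$pkg_release
    c=$(vercmp "$iv" "$fv")
    if [ "$c" -eq 0 ] && [ -n "$ir" ] && [ -n "$fr" ]; then
        c=$(vercmp "$ir" "$fr")
    fi
    if [ "$c" -lt 0 ]; then echo yes; else echo no; fi
}

# Reads package names (one per line, as from "rpm -qa --qf '%{NAME}\n'") on
# stdin and prints those that appear in the dependents list $1.
dependents_to_rebuild() {
    while read -r name; do
        for dep in $1; do
            if [ "$name" = "$dep" ]; then echo "$name"; fi
        done
    done
    return 0
}

# Constructed sample of "rpm -qa --qf '%{NAME}\n'" output on a 1.0 host.
SAMPLE_INSTALLED="openpkg
openssl
apache
mutt
zlib
openssh
perl"

# Demo run against constructed input; on a real host use
# "$(/bin/rpm -q openssl)" and "/bin/rpm -qa --qf '%{NAME}\n'" instead.
installed="openssl-0.9.6b-1.0.0"
if [ "$(is_affected "$installed" "$FIXED_10")" = yes ]; then
    echo "$installed is affected, upgrade to $FIXED_10 and rebuild:"
    printf '%s\n' "$SAMPLE_INSTALLED" | dependents_to_rebuild "$DEPENDENTS_10"
fi
```

The comparison deliberately follows rpm's segment rules rather than a plain string compare: "0.9.6e" must sort after "0.9.6", and "0.9.7" after "0.9.6e", which a lexical compare of the raw strings gets wrong. For the CURRENT release, run the same two functions with FIXED_CURRENT and DEPENDENTS_CURRENT.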