From openpkg@openpkg.org Thu Mar 18 15:41:21 2004
From: OpenPKG <openpkg@openpkg.org>
To: bugtraq@securityfocus.com
Date: Thu, 18 Mar 2004 14:21:16 +0100
Subject: [OpenPKG-SA-2004.007] OpenPKG Security Advisory (openssl)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2004.007                                          18-Mar-2004
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= openssl-0.9.7c-20040207  >= openssl-0.9.7d-20040318
OpenPKG 2.0          <= openssl-0.9.7c-2.0.0     >= openssl-0.9.7c-2.0.1
OpenPKG 1.3          <= openssl-0.9.7b-1.3.2     >= openssl-0.9.7b-1.3.3

Affected Releases:   Dependent Packages: (*)
OpenPKG CURRENT      apache blender cadaver cpu cups curl distcache dsniff
                     easysoap ethereal ettercap exim fetchmail firefox gq
                     imap imapd imaputils inn jabberd kde-base kde-libs
                     ldapdiff ldapvi libnetdude linc links lynx lyx
                     mailsync mico mixmaster monit mozilla mutt mutt15
                     mysqlcc nagios nail neon nessus-libs nessus-tool
                     netdude nmap openldap openssh openvpn orbit2
                     perl-ldap perl-net perl-ssl perl-www pgadmin php php3
                     php5 pine postfix postgresql pound proftpd qpopper qt
                     samba samba3 sasl scribus sendmail siege sio sitecopy
                     snort socat squid stunnel subversion suck tcpdump
                     tinyproxy vorbis-tools w3m wget xine-ui
OpenPKG 2.0          apache cadaver cpu curl distcache ethereal fetchmail
                     imap imapd imaputils inn ldapdiff ldapvi links lynx
                     mailsync mico mozilla mutt nail neon nessus-libs
                     nessus-tool nmap openldap openssh perl-ldap perl-net
                     perl-ssl perl-www php pine postfix postgresql proftpd
                     qpopper qt samba sasl sendmail siege sio sitecopy
                     snort socat squid stunnel subversion suck tcpdump
                     tinyproxy vorbis-tools w3m wget
OpenPKG 1.3          apache cpu curl ethereal fetchmail imap imapd inn
                     links lynx mico mutt nail neon nmap openldap openssh
                     perl-ldap perl-net perl-ssl perl-www php postfix
                     postgresql proftpd qpopper samba sasl sendmail siege
                     sio sitecopy snort socat squid stunnel suck tcpdump
                     vorbis-tools w3m wget

(*) Many packages are only affected if they (or their underlying
    packages) used certain TLS/SSL related options ("with_xxx") at
    build time. The above is a worst-case list. Packages known to use
    only libcrypto without libssl are not affected and were already
    omitted from the list.

Description:
  According to an OpenSSL [0] security advisory [1], denial of service
  vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive
  and versions 0.9.7a to 0.9.7c inclusive. Testing performed by the
  OpenSSL group uncovered a null-pointer assignment in the
  do_change_cipher_spec() function; a remote attacker can trigger it
  with a carefully crafted SSL/TLS handshake against a server using
  OpenSSL and crash that server. The Common Vulnerabilities and
  Exposures (CVE) project assigned the id CAN-2004-0079 [2] to the
  problem.

  Stephen Henson discovered a flaw in the SSL/TLS handshaking code when
  using Kerberos ciphersuites. The OpenPKG packages make no use of this
  functionality, but the patch was included anyway. The Common
  Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0112 [3] to the problem.

  Please check whether you are affected by running "/bin/rpm -q openssl".
  If you have the "openssl" package installed and its version is affected
  (see above), we recommend that you immediately upgrade it (see
  Solution) and its dependent packages (see above), if any, too. [4][5]

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  location, verify its integrity [10], build a corresponding binary RPM
  from it [4] and update your OpenPKG installation by applying the binary
  RPM [5]. For the most recent release OpenPKG 2.0, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).
  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.0/UPD
  ftp> get openssl-0.9.7c-2.0.1.src.rpm
  ftp> bye
  $ /bin/openpkg rpm -v --checksig openssl-0.9.7c-2.0.1.src.rpm
  $ /bin/openpkg rpm --rebuild openssl-0.9.7c-2.0.1.src.rpm
  $ su -
  # /bin/openpkg rpm -Fvh /RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall all dependent
  packages (see above), if any, too. [4][5]
________________________________________________________________________

References:
  [0] http://www.openssl.org/
  [1] http://www.openssl.org/news/secadv_20040317.txt
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
  [4] http://www.openpkg.org/tutorial.html#regular-source
  [5] http://www.openpkg.org/tutorial.html#regular-binary
  [6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iD8DBQFAWaI6gHWT4GPEy58RAno0AJ9tgZtLU1hS1tZ2rlgTfL/DLOuSlQCfZMyY
p260tn2cKSH49rGk8H4aft0=
=ur9l
-----END PGP SIGNATURE-----
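The advisory asks the reader to run "/bin/rpm -q openssl" and compare the result by hand against the Affected/Corrected table. The POSIX sh script below is an added illustration of that check and is not part of the OpenPKG advisory: it splits the package name into version and release, picks the corrected version for the matching release series, and compares the two the way rpm orders packages (version before release; digit runs numerically, so 0.9.10 is newer than 0.9.9; letter runs as strings, so 0.9.7c is older than 0.9.7d). The corrected versions are taken from the table above. The mapping of release tags "2.0.*", "1.3.*" and an eight-digit build date onto OpenPKG 2.0, 1.3 and CURRENT, the function names, and the sample package name are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the OpenPKG advisory: classify the package
# name printed by "/bin/rpm -q openssl" as affected or fixed according to
# the Affected/Corrected table of OpenPKG-SA-2004.007.
# Assumptions (not stated by the advisory): release tags "2.0.*" and
# "1.3.*" belong to OpenPKG 2.0 and 1.3, an eight-digit build date marks
# OpenPKG CURRENT; function names and the sample input are constructed.

export LC_ALL=C   # byte-based character classes and string ordering

# Print -1, 0 or 1 according to whether RPM version string $1 sorts
# before, equal to or after $2. This follows the core of rpm's
# rpmvercmp(): both strings are cut into runs of digits and runs of
# letters; digit runs compare numerically, letter runs compare as
# strings, a digit run is newer than a letter run, and the string that
# runs out of segments first is the older one.
rpmvercmp() {
    a=$1 b=$2
    while :; do
        # Drop leading separators such as '.' or '-'.
        a=$(expr "x$a" : 'x[^0-9A-Za-z]*\(.*\)' || true)
        b=$(expr "x$b" : 'x[^0-9A-Za-z]*\(.*\)' || true)
        if [ -z "$a" ] && [ -z "$b" ]; then printf '%s\n' 0; return; fi
        if [ -z "$a" ]; then printf '%s\n' -1; return; fi
        if [ -z "$b" ]; then printf '%s\n' 1; return; fi
        # Take the next segment: a run of digits, otherwise a run of letters.
        sa=$(expr "x$a" : 'x\([0-9][0-9]*\)' || true)
        [ -n "$sa" ] || sa=$(expr "x$a" : 'x\([A-Za-z][A-Za-z]*\)' || true)
        sb=$(expr "x$b" : 'x\([0-9][0-9]*\)' || true)
        [ -n "$sb" ] || sb=$(expr "x$b" : 'x\([A-Za-z][A-Za-z]*\)' || true)
        a=${a#"$sa"} b=${b#"$sb"}
        case $sa in *[!0-9]*) na=0 ;; *) na=1 ;; esac
        case $sb in *[!0-9]*) nb=0 ;; *) nb=1 ;; esac
        if [ "$na" = 1 ] && [ "$nb" = 1 ]; then
            if [ "$sa" -lt "$sb" ]; then printf '%s\n' -1; return; fi
            if [ "$sa" -gt "$sb" ]; then printf '%s\n' 1; return; fi
        elif [ "$na" = 1 ]; then
            printf '%s\n' 1; return
        elif [ "$nb" = 1 ]; then
            printf '%s\n' -1; return
        else
            if [ "$sa" \< "$sb" ]; then printf '%s\n' -1; return; fi
            if [ "$sa" \> "$sb" ]; then printf '%s\n' 1; return; fi
        fi
        # Equal segments: continue with the remainder of both strings.
    done
}

# Print "affected", "fixed" or "unknown" for an installed OpenPKG openssl
# package name such as "openssl-0.9.7c-2.0.0".
openssl_status() {
    nvr=$1
    case $nvr in openssl-*) ;; *) printf 'unknown\n'; return ;; esac
    vr=${nvr#openssl-}
    rel=${vr##*-}      # release tag, e.g. 2.0.0 or 20040207
    ver=${vr%-*}       # upstream version, e.g. 0.9.7c
    # Select the release series (assumed naming, see header comment) and
    # the corrected package version from the advisory table.
    case $rel in
        2.0.*) fver=0.9.7c fpkg_rel=2.0.1 ;;
        1.3.*) fver=0.9.7b fpkg_rel=1.3.3 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) fver=0.9.7d fpkg_rel=20040318 ;;
        *) printf 'unknown\n'; return ;;
    esac
    # rpm orders by version first and release second.
    c=$(rpmvercmp "$ver" "$fver")
    if [ "$c" = 0 ]; then c=$(rpmvercmp "$rel" "$fpkg_rel"); fi
    if [ "$c" = -1 ]; then printf 'affected\n'; else printf 'fixed\n'; fi
}

# Constructed sample standing in for the output of "/bin/rpm -q openssl".
sample_nvr=openssl-0.9.7c-2.0.0
printf '%s: %s\n' "$sample_nvr" "$(openssl_status "$sample_nvr")"
```

On a live system run `openssl_status "$(/bin/rpm -q openssl)"`. A result of "unknown" means the release tag did not match one of the three series in the table and the comparison must be made by hand. Keying on the release series first matters: a single sorted comparison of full package names across releases does not work, since openssl-0.9.7c-20040207 sorts after openssl-0.9.7c-2.0.1 yet is an affected build.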