[SECURITY] [DSA-136-2] Multiple OpenSSL problems (update)

From: Michael Stone (mstone@satie.debian.org)
Date: 09/16/02


From: Michael Stone <mstone@satie.debian.org>
Date: Mon, 16 Sep 2002 05:11:45 +0200
To: bugtraq@securityfocus.com


------------------------------------------------------------------------
Debian Security Advisory DSA-136-2                     security@debian.org
http://www.debian.org/security/                             Michael Stone
September 15, 2002                        http://www.debian.org/security/faq
------------------------------------------------------------------------

Package : openssl094, openssl095, openssl
Problem type : multiple remote exploits
Debian-specific: no
CVE : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It
includes ASN1 updates in the woody packages, plus the potato packages
which were not initially available.

The OpenSSL development team has announced that a security audit by A.L.
Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed
remotely exploitable buffer overflow conditions in the OpenSSL code.
Additionally, the ASN1 parser in OpenSSL has a potential DoS attack
independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64-bit platforms. CAN-2002-0656
references buffer overflows in the SSL2 server implementation (by
sending an invalid key to the server) and the SSL3 client implementation
(by sending a large session id to the client). The SSL2 issue was also
noticed by Neohapsis, who have privately demonstrated exploit code for
this issue. CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.1, openssl095_0.9.5a-6.woody.1 and
openssl_0.9.6c-2.woody.1.

These vulnerabilities are also present in Debian 2.2 (potato). Fixed
packages are available in openssl094_0.9.4-6.potato.0 and
openssl_0.9.6c-0.potato.4.

Only i386 packages for openssl094 and openssl095 are available at this
time; other architectures will be made available as soon as possible.

A worm is actively exploiting this issue on internet-attached hosts;
we recommend you upgrade your OpenSSL as soon as possible. Note that you
must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.)
If you are uncertain which programs are using SSL you may choose to
reboot to ensure that all running daemons are using the new libraries.

------------------------------------------------------------------------

Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at http://www.debian.org/security/
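As an added example that is not part of the advisory: a small POSIX shell script that fetches one of the packages listed below, checks its size and MD5 against the advisory's values before installing it, and then lists the processes still mapping the old libssl so you know which daemons to restart. It assumes a Linux /proc filesystem, wget and md5sum (or BSD md5); the package URL, size and MD5 are copied from the woody i386 listing.

```shell
#!/bin/sh
# Added example (not from the advisory): fetch one of the packages listed
# in the advisory, check its size and MD5 against the advisory's values
# before running dpkg -i, then list processes still mapping the old libssl
# so you know which daemons to restart. Assumes a Linux /proc and wget.

md5_of() {                      # hex MD5 of a file (GNU md5sum or BSD md5)
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# verify_deb FILE SIZE MD5: succeed only if both values match the advisory.
verify_deb() {
    [ -f "$1" ] || return 1
    have_size=$(wc -c < "$1" | tr -d ' ')
    [ "$have_size" = "$2" ] && [ "$(md5_of "$1")" = "$3" ]
}

# procs_using_lib PATTERN: PIDs whose memory maps match PATTERN. After the
# upgrade the old library file is unlinked, so a running daemon that still
# has it mapped shows "libssl.so.0.9.6 (deleted)" in /proc/PID/maps.
procs_using_lib() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q "$1" "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; echo "${pid%/maps}"
        fi
    done
}

# Package values copied from the woody i386 section of the advisory.
URL=http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
SIZE=461228
MD5=4c36f0b42fb7b0fc3a576477f4812378

main() {
    deb=${URL##*/}
    wget -q -O "$deb" "$URL" || { echo "download failed" >&2; return 1; }
    if ! verify_deb "$deb" "$SIZE" "$MD5"; then
        echo "size/MD5 mismatch for $deb; refusing to install" >&2; return 1
    fi
    dpkg -i "$deb" || return 1
    echo "Processes still mapping the old libssl (restart or reboot):"
    procs_using_lib 'libssl.*(deleted)'
}

# Only perform the download/install when invoked as: sh upgrade.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it as root with the argument `run`; without the argument it only defines the functions, so they can be sourced and reused for the other packages in the listing.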

------------------------------------------------------------------------

Debian 2.2 (potato)
----------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
      Size/MD5 checksum: 1570392 72544daea16d6c99d656b95f77b01b2d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.dsc
      Size/MD5 checksum: 741 9c7e0cf669a32763f4bf9669156a2235
    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.0.dsc
      Size/MD5 checksum: 702 463aa33d08d188542208e82734269eab
    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.0.diff.gz
      Size/MD5 checksum: 44354 d06b01d6f91e901d3e2686df4b9b6bc6
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
      Size/MD5 checksum: 42566 ea23bd132febccb20178a33080a75b2e

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum: 746626 c7e28cd9327bf7c57de8460873acc7ca
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum: 591014 6e50b6aab7330ab8bf05835476e355cf
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum: 1550550 519f58912d6fe231127dc3269235494b

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum: 469664 291969d97b32582ad427f2464a5f9f50
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum: 1349424 61b9f52a86711594c7f9e7135e2ad447
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum: 729988 e7751f662ef2a13bc304025995fd1bfa

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum: 1288134 430658383c6c37cfafbddd16a492f407
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum: 463668 37e1e010c4eab318a48b8f1de3c73910
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum: 724530 82241d5d38dc62b0e4d53f41303e8829
    http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.0_i386.deb
      Size/MD5 checksum: 1272012 0e9c6f0a2fde3e72eb4b3c88e57ad9fa

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum: 721394 176c598a45a1ba9bbc459bd8d2b014d2
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum: 1263214 cf1a25df58c5b14101fc56896ed9d51c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum: 451000 627bd347ab6ca780e6dea2b34f2e3e3d

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum: 726946 26d2b2b6314750c7f78efd7617ad4f91
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum: 1385054 1d02c03f2edc5de1fbcd7e1563227723
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum: 503900 cebc7e59bb5e812491b4542e803d4642

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum: 1342800 18dcc49e3ab9b43c54ff4bf07a73057b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum: 483834 3811f4b7b3fd20c9cd8f3896106aeede
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum: 738500 b9eeca8cca46d187f0bb8791af95ad7b

Debian 3.0 (woody)
-------------------

  woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.1.dsc
      Size/MD5 checksum: 731 6ee81367f6726dd6e793e0a28f2dab2f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
      Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4
    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
      Size/MD5 checksum: 1570392 72544daea16d6c99d656b95f77b01b2d
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.dsc
      Size/MD5 checksum: 738 8db01015b7c3c6b1fab8a509a8d32362
    http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.diff.gz
      Size/MD5 checksum: 38440 812dd2074b1eb8f2764621d12db77140
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.dsc
      Size/MD5 checksum: 739 753ca9446c2f3bc658df80a8668d69a5
    http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.1.diff.gz
      Size/MD5 checksum: 44476 fad8a823c2455b4089bf9fdececf1c19
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
      Size/MD5 checksum: 42477 92e89d405fb0291efa45d3f260fbd1b4

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum: 735734 e8ddba4a00d37834de2301a36daf8893
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum: 570688 104d1b40056d53f6b3164cff39a637c5
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum: 1550806 e137ab248541f6fdfa311744925197b7

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum: 564336 c33d5269f29184ddd5f5f37435db3b20
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum: 1434386 22c4cb54eb0345d5232e00315b1d707b
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum: 741436 51ae4ce9e126f4f1e16388a9e03bd929

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum: 1290394 2ef22ed5e2f75a5afd57bc7f5579b668
    http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
      Size/MD5 checksum: 400108 495f381e41694087d0e02536044b4d1e
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum: 461228 4c36f0b42fb7b0fc3a576477f4812378
    http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.1_i386.deb
      Size/MD5 checksum: 357956 6cc8232971ff8c4e027cbd3b5552af8d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum: 722756 4f962685c00e0f360008909c34253f32

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum: 763312 f68f750b3211243654eec890b01c8e7a
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum: 1615968 e0a890a89e6d44d8a3be8594ea507202
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum: 710314 47bf40e6683690237b9b307232f9b0dd

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum: 719876 7b86c3e93997f78a058c8d51148e5542
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum: 1266008 db905314e8947748d60454b7b7fdc565
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum: 450170 4dec6cc106d48a1011ba7bec1b2ec61a

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum: 717336 9aa8a5ff7c3cb422f40f8797e0b97b7f
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum: 483018 61b96d689c3794af43a881c1d064fd8f
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum: 1415606 321c34c11f7b52d630548a81a84c1f1f

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum: 476042 abcbbf8c13cde643076407d539cd483e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum: 716572 8925b769c4ef248a6aa5dc71173115fd
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum: 1409496 230cf7fd06f5fe8afaef1bd291777cc6

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum: 726188 8835e23596eee551da6f1b0c9036e339
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum: 1386308 16b4a447219eb1c284fb8e4f2eef757b
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum: 501886 e343898ad82ab2e88f35903274525152

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum: 484190 242d5e36cbf18033d04a26cfd3cdc861
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum: 1343610 a578dbc5193884a284e9bf930607036f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum: 736668 1bcdd2bbce3bff5115c4f3b9774aea30

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>