Subject: [OpenPKG-SA-2003.044] OpenPKG Security Advisory (openssl)

From: OpenPKG (openpkg_at_openpkg.org)
Date: 09/30/03

    Date: Tue, 30 Sep 2003 14:59:05 +0200
    To: bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

    OpenPKG Security Advisory                          The OpenPKG Project
    http://www.openpkg.org/security.html               http://www.openpkg.org
    openpkg-security@openpkg.org                       openpkg@openpkg.org
    OpenPKG-SA-2003.044                                30-Sep-2003
    ________________________________________________________________________

    Package: openssl
    Vulnerability: denial of service, possibly arbitrary code execution
    OpenPKG Specific: no

    Affected Releases:   Affected Packages:           Corrected Packages:
    OpenPKG CURRENT      <= openssl-0.9.7b-20030806   >= openssl-0.9.7b-20030930
    OpenPKG 1.3          <= openssl-0.9.7b-1.3.1      >= openssl-0.9.7b-1.3.2
    OpenPKG 1.2          <= openssl-0.9.7-1.2.3       >= openssl-0.9.7-1.2.4

    Affected Releases:   Dependent Packages:

    OpenPKG CURRENT      apache* bind blender cadaver cfengine cpu cups curl
                         distcache dsniff easysoap ethereal* exim fetchmail
                         imap imapd imaputils inn jabberd kde-base kde-libs
                         linc links lynx mailsync meta-core mico* mixmaster
                         monit* mozilla mutt mutt15 nail neon nessus-libs
                         nmap openldap openssh openvpn perl-ssl pgadmin php*
                         pine* postfix* postgresql pound proftpd* qpopper
                         rdesktop samba samba3 sasl scanssh sendmail* siege
                         sio* sitecopy snmp socat squid* stunnel subversion
                         suck sysmon tcpdump tinyca w3m wget xmlsec

    OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
                         imap imapd inn links lynx mico* mutt nail neon
                         openldap openssh perl-ssl php* postfix* postgresql
                         proftpd* qpopper rdesktop samba sasl scanssh
                         sendmail* siege sio* sitecopy snmp socat squid*
                         stunnel suck sysmon tcpdump tinyca w3m wget xmlsec

    OpenPKG 1.2          apache* bind cpu curl ethereal* fetchmail imap inn
                         links lynx mico* mutt nail neon openldap openssh
                         perl-ssl postfix* postgresql qpopper rdesktop samba
                         sasl scanssh sendmail* siege sitecopy snmp socat
                         stunnel sysmon tcpdump tinyca w3m wget

                     (*) marked packages are only affected if certain build
                         options ("with_xxx") were used at build time. See
                         Appendix below for details.

    Description:
      According to an OpenSSL [0] security advisory [1], multiple
      vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
      and 0.9.7b:

      1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
         parser can trigger a bug in the deallocation of the corresponding
         data structure, corrupting the stack.

      2. Unusual ASN.1 tag values can cause an out of bounds read under
         certain circumstances.

      3. A malformed public key in a certificate will crash the verify code
         if it is set to ignore public key decoding errors (which is usually
         not the case, except for debugging purposes).

      4. Due to an error in the SSL/TLS protocol handling, a server will
         parse a client certificate when one is not specifically requested.
         This means that all OpenSSL based SSL/TLS servers can be attacked
         using vulnerabilities 1, 2 and 3 even if they don't enable client
         authentication.

      The Common Vulnerabilities and Exposures (CVE) project assigned the
      ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
      problems.

      Please check whether you are affected by running "<prefix>/bin/rpm -q
      openssl". If you have the "openssl" package installed and its version
      is affected (see above), we recommend that you immediately upgrade it
      (see Solution) and its dependent packages (see above), too. [5][6]
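      The version check described above, as an added example that is not
      part of this advisory or of the OpenPKG project: it takes the output
      of "<prefix>/bin/rpm -q openssl" (a name-version-release string) and
      decides whether it is older than the corrected package for the given
      release. The corrected package names are copied from the table
      above; the installation prefix is an assumption supplied by the
      caller through $OPENPKG_PREFIX, and the sample package strings used
      in the comments are constructed.

```shell
# Added example, not code from the OpenPKG advisory. Compares the installed
# openssl package against the corrected package named for each release.
# $OPENPKG_PREFIX stands in for the advisory's "<prefix>" (assumption).

# Corrected openssl package per OpenPKG release (copied from the advisory).
corrected_for_release() {
    case "$1" in
        CURRENT) printf '%s\n' "openssl-0.9.7b-20030930" ;;
        1.3)     printf '%s\n' "openssl-0.9.7b-1.3.2" ;;
        1.2)     printf '%s\n' "openssl-0.9.7-1.2.4" ;;
        *)       return 1 ;;
    esac
}

# Split an RPM "name-version-release" string at its last two dashes,
# e.g. openssl-0.9.7b-1.3.1 -> name openssl, version 0.9.7b, release 1.3.1.
pkg_release() { printf '%s\n' "${1##*-}"; }
pkg_version() { nv="${1%-*}"; printf '%s\n' "${nv##*-}"; }
pkg_name()    { nv="${1%-*}"; printf '%s\n' "${nv%-*}"; }

# Compare two dotted numeric release strings segment by segment
# (1.3.1 < 1.3.2, 20030806 < 20030930, 1.3 == 1.3.0); prints -1, 0 or 1.
cmp_release() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_affected RELEASE INSTALLED_PKG
#   exit 0: installed package is older than the corrected one (affected)
#   exit 1: installed package is at or beyond the corrected one
#   exit 2: not an openssl package, unknown release, or a version the
#           advisory's table does not cover (compare by hand)
is_affected() {
    corrected=$(corrected_for_release "$1") || return 2
    [ "$(pkg_name "$2")" = "openssl" ] || return 2
    [ "$(pkg_version "$2")" = "$(pkg_version "$corrected")" ] || return 2
    [ "$(cmp_release "$(pkg_release "$2")" "$(pkg_release "$corrected")")" -lt 0 ]
}

# Live check against the local RPM database. Not run automatically; call
# it as: OPENPKG_PREFIX=/path/to/openpkg check_installed_openssl 1.3
check_installed_openssl() {
    installed=$("${OPENPKG_PREFIX:?set to your OpenPKG prefix}/bin/rpm" -q openssl) || return 2
    rc=0
    is_affected "$1" "$installed" || rc=$?
    case "$rc" in
        0) printf '%s is affected, upgrade to %s\n' \
               "$installed" "$(corrected_for_release "$1")" ;;
        1) printf '%s is not affected\n' "$installed" ;;
        *) printf 'cannot decide for %s, compare by hand\n' "$installed" ;;
    esac
    return "$rc"
}
```

      The release field is compared numerically per segment rather than as
      a string, so 1.3.10 sorts after 1.3.2 and the CURRENT snapshot dates
      compare as plain integers; anything the table does not cover is
      reported as undecided instead of silently passing.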

    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
      location, verify its integrity [11], build a corresponding binary
      RPM from it [5] and update your OpenPKG installation by applying the
      binary RPM [6]. For the current release OpenPKG 1.3, perform the
      following operations to permanently fix the security problem (for
      other releases adjust accordingly).

      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.3/UPD
      ftp> get openssl-0.9.7b-1.3.2.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
      $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm

      Additionally, you have to rebuild and reinstall all dependent
      packages (see above), too. [5][6]
    ________________________________________________________________________

    Appendix:
      Some packages are only affected if certain package options
      ("with_xxx") were used at build time. Please check whether you are
      affected by running "<prefix>/bin/rpm -qi <package>". The table below
      lists all those packages, their options and values that make up the
      difference regarding this advisory for OpenPKG CURRENT, 1.3 and 1.2.
      Packages or options that were not available in a particular release
      are marked "=".

      package    option "with_"       CUR   1.3   1.2
      -------------------------------------------------
      apache     mod_ssl              yes   yes   yes
       :         mod_php_pgsql        yes   yes   =
       :         mod_php_openssl      yes   yes   yes
       :         mod_php_openldap     yes   yes   yes
       :         mod_php_imap         yes   yes   =
       :         mod_php3_openssl     yes   yes   yes
       :         mod_auth_ldap        yes   yes   yes
      ethereal   openssl              yes   yes   yes
      mico       ssl                  yes   yes   yes
      monit      ssl                  yes   =     =
      php        openssl              yes   yes   =
       :         imap                 yes   yes   =
      pine       ssl                  yes   =     =
      postfix    tls                  yes   yes   yes
       :         ldap                 yes   yes   =
      proftpd    pgsql                yes   yes   =
       :         ldap                 yes   yes   =
      sendmail   tls                  yes   yes   yes
       :         sasl                 yes   yes   yes
       :         ldap                 yes   yes   yes
      sio        bio                  yes   yes   =
      squid      ssl                  yes   yes   =
    ________________________________________________________________________

    References:
      [0] http://www.openssl.org/
      [1] http://www.openssl.org/news/secadv_20030930.txt
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
      [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
      [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
      [5] http://www.openpkg.org/tutorial.html#regular-source
      [6] http://www.openpkg.org/tutorial.html#regular-binary
      [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
      [8] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
      [9] ftp://ftp.openpkg.org/release/1.2/UPD/
      [10] ftp://ftp.openpkg.org/release/1.3/UPD/
      [11] http://www.openpkg.org/security.html#signature
    ________________________________________________________________________

    For security reasons, this advisory was digitally signed with the
    OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
    OpenPKG project which you can retrieve from http://pgp.openpkg.org and
    hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
    for details on how to verify the integrity of this advisory.
    ________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkg@openpkg.org>

    iD8DBQE/eX0UgHWT4GPEy58RAplhAJ0c+GMqHgDjrgIYdcCkgKi/jzgWtgCeLc5T
    B84GXRZS675YJYwrEc5Audk=
    =+vWe
    -----END PGP SIGNATURE-----
