Date: Wed, 21 Apr 2004 14:14:03 -0400
From: NetBSD Security-Officer <security-officer@netbsd.org>
To: [email protected]
Subject: NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2004-005
=================================
Topic:          Denial of service vulnerabilities in OpenSSL
Version:        NetBSD-current:    source prior to March 22, 2004
                NetBSD 2.0:        branch unaffected, release will include the fix
                NetBSD 1.6.2:      affected
                NetBSD 1.6.1:      affected
                NetBSD 1.6:        affected
                NetBSD 1.5.3:      affected
                NetBSD 1.5.2:      affected
                NetBSD 1.5.1:      affected
                NetBSD 1.5:        affected
                pkgsrc:            security/openssl packages prior to 0.9.6m
Severity:       Possible denial of service, depending on the application
Fixed:          NetBSD-current:    March 22, 2004
                NetBSD-1.6 branch: April 2, 2004
                                   (1.6.3 will include the fix)
                NetBSD-1.5 branch: April 7, 2004
                pkgsrc:            openssl-0.9.6m corrects this issue
Abstract
========
There are two distinct denial of service vulnerabilities addressed by this
advisory:
1. Null-pointer assignment during SSL handshake
A carefully crafted SSL/TLS handshake against a server which
uses the OpenSSL library may result in a crash. Depending on how
the application uses the OpenSSL library, this may result in a
denial of service.
2. Out-of-bounds read affects Kerberos ciphersuites
A second flaw in the SSL/TLS handshake could cause a server
configured to use the Kerberos ciphersuites to crash if a carefully
crafted sequence of packets is sent by an attacker.
Solutions and Workarounds
=========================
The following instructions describe how to upgrade your libcrypto and libssl
libraries by updating your source tree, then rebuilding and installing new
versions of both libraries.
* NetBSD-current:
Systems running NetBSD-current dated from before 2004-03-22
should be upgraded to NetBSD-current dated 2004-03-23 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/dist/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
        # cd src
        # cvs update -d -P crypto/dist/openssl
        # cd lib/libcrypto
        # make cleandir dependall
        # make install
        # cd ../../lib/libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
* NetBSD 1.6, 1.6.1, 1.6.2:
The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.
Systems running NetBSD 1.6 sources dated from before
2004-04-02 should be upgraded from NetBSD 1.6 sources dated
2004-04-03 or later.
NetBSD 1.6.3 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
        # cd src
        # cvs update -d -P -r netbsd-1-6 crypto/dist/openssl
        # cd lib/libcrypto
        # make cleandir dependall
        # make install
        # cd ../../lib/libssl
        # make USETOOLS=no cleandir dependall
        # make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2004-04-07 should be upgraded from NetBSD 1.5.*
sources dated 2004-04-08 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
        # cd src
        # cvs update -d -P -r netbsd-1-5 crypto/dist/openssl
        # cd lib/libcrypto
        # make cleandir dependall
        # make install
        # cd ../../lib/libssl
        # make cleandir dependall
        # make install
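As an added example, not part of this advisory or of NetBSD's own tooling, the following POSIX shell script gathers the three procedures above into one place: it decides whether an installed pkgsrc openssl is older than the 0.9.6m threshold stated above, maps a `uname -r` release to the CVS tag the advisory names for it, and prints (without running) the update and rebuild sequence for that tag, including the USETOOLS=no difference between the -current/1.6 and 1.5 instructions. The function names, the `sa2004-005-check.sh` filename and the sample version strings in the comments are constructed here, and the script assumes that `pkg_info -e openssl` prints the installed package name (for example openssl-0.9.6m). For the base system libraries the advisory keys the fix on branch and source date, not on the version string that `openssl version` prints, so the version check applies to the pkgsrc package only; the base system is covered by the tag and command helpers.

```shell
#!/bin/sh
# Added example (not part of NetBSD-SA2004-005 or of NetBSD's tooling).
# Helpers for an administrator working through the advisory:
#   * pkgsrc_openssl_status: is an installed pkgsrc openssl older than the
#     fixed release 0.9.6m named in the advisory?
#   * cvs_tag_for_release / rebuild_commands: the CVS tag and the update and
#     rebuild sequence the advisory gives for a release branch.
# Function names and sample version strings (0.9.6l, 0.9.6mnb1) are constructed.

# Turn an OpenSSL version such as "0.9.6l" into one comparable integer.
# The trailing patch letter (if any) contributes its character code, so
# 0.9.6l < 0.9.6m < 0.9.7. A pkgsrc "nbN" suffix is stripped first, so
# "0.9.6mnb1" compares like "0.9.6m" and "0.9.7nb2" like "0.9.7".
openssl_version_key() {
    num=${1%%[a-z]*}            # "0.9.6"
    letter=${1#"$num"}           # "l", "mnb1", "nb2" or ""
    letter=${letter%%nb*}        # "l", "m", "" or ""
    code=0
    if [ -n "$letter" ]; then
        code=$(printf '%d' "'$letter")   # character code, e.g. l -> 108
    fi
    (
        IFS=.
        set -- $num              # split on "." into major minor patch
        k=$(( ${1:-0} * 1000 + ${2:-0} ))
        k=$(( k * 1000 + ${3:-0} ))
        echo $(( k * 1000 + code ))
    )
}

# True (exit 0) when OpenSSL version $1 is strictly older than $2.
openssl_version_older_than() {
    [ "$(openssl_version_key "$1")" -lt "$(openssl_version_key "$2")" ]
}

# Classify a pkgsrc openssl version against the advisory's threshold.
# Only the 0.9.6 series is described by the advisory; other series get an
# explicit "not covered" answer rather than a misleading "fixed".
pkgsrc_openssl_status() {
    v=$1
    if openssl_version_older_than "$v" 0.9.6m; then
        echo vulnerable
    elif [ "${v%%[a-z]*}" = 0.9.6 ]; then
        echo fixed
    else
        echo "not covered by this advisory"
    fi
}

# Map a release as printed by `uname -r` to the CVS tag the advisory names.
# Anything else (NetBSD-current, the 2.0 branch) is not in this table and
# must be judged by source date as the advisory describes.
cvs_tag_for_release() {
    case $1 in
        1.5|1.5.1|1.5.2|1.5.3) echo netbsd-1-5 ;;
        1.6|1.6.1|1.6.2)       echo netbsd-1-6 ;;
        *)                     echo unknown ;;
    esac
}

# Print (do not run) the update and rebuild sequence from the advisory for
# a CVS tag (HEAD for -current). libssl is built with USETOOLS=no on the
# 1.6 branch and on -current but not on the 1.5 branch, as in the advisory.
rebuild_commands() {
    tag=$1
    if [ "$tag" = HEAD ]; then rev=""; else rev="-r $tag "; fi
    if [ "$tag" = netbsd-1-5 ]; then ssltools=""; else ssltools="USETOOLS=no "; fi
    cat <<EOF
cd src
cvs update -d -P ${rev}crypto/dist/openssl
cd lib/libcrypto
make cleandir dependall
make install
cd ../../lib/libssl
make ${ssltools}cleandir dependall
make ${ssltools}install
EOF
}

# Usage: sh sa2004-005-check.sh status    -> classify the installed pkgsrc openssl
#        sh sa2004-005-check.sh commands  -> print rebuild steps for this release
# Assumes `pkg_info -e openssl` prints the installed package name (openssl-0.9.6m).
case ${1:-} in
    status)
        if pkg=$(pkg_info -e openssl 2>/dev/null); then
            pkgsrc_openssl_status "${pkg#openssl-}"
        else
            echo "pkgsrc openssl is not installed"
        fi ;;
    commands)
        tag=$(cvs_tag_for_release "$(uname -r)")
        if [ "$tag" = unknown ]; then
            echo "release $(uname -r) is not in the tag table; check the source date"
        else
            rebuild_commands "$tag"
        fi ;;
esac
```

The commands are printed rather than executed so that the sequence can be reviewed against the branch actually checked out in `src` before anything is rebuilt.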
Revision History
================
2004-04-21 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2004-005.txt,v 1.3 2004/04/21 17:34:50 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
iQCVAwUBQIax0z5Ru2/4N2IFAQHjFwP7B6JP4OrQsPrCgSYkUxpuw4oQ0n9kOB7J
rEM+aA9/9nrtbc95vuFhjaiahUop91I9oPxNkKjoflaqNyrtGM18U+um5iCv/cJV
0aBih+cyv7hWylcxrTwZ35QuxpFOz253mpCPpKDk4YC8zDjvQDDOoCIz+854WdDe
5MM5tkgTqPU=
=gjxz
-----END PGP SIGNATURE-----