Date: Wed, 31 Jul 2002 11:16:16 -0700
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-033.0] Linux: multiple vulnerabilities in openssl
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: multiple vulnerabilities in openssl
Advisory number: CSSA-2002-033.0
Issue date: 2002 July 31
Cross reference:
______________________________________________________________________________
1. Problem Description
There are four remotely exploitable buffer overflows that affect
various OpenSSL client and server implementations. There are also
encoding problems in the ASN.1 library used by OpenSSL. Several
of these vulnerabilities could be used by a remote attacker to
execute arbitrary code on the target system. All could be used
to create denial of service.
2. Vulnerable Supported Versions
System                        Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server        prior to openssl-0.9.6-18.i386.rpm
                              prior to openssl-devel-0.9.6-18.i386.rpm
                              prior to openssl-devel-static-0.9.6-18.i386.rpm
OpenLinux 3.1.1 Workstation   prior to openssl-0.9.6-18.i386.rpm
                              prior to openssl-devel-0.9.6-18.i386.rpm
                              prior to openssl-devel-static-0.9.6-18.i386.rpm
OpenLinux 3.1 Server          prior to openssl-0.9.6-18.i386.rpm
                              prior to openssl-devel-0.9.6-18.i386.rpm
                              prior to openssl-devel-static-0.9.6-18.i386.rpm
OpenLinux 3.1 Workstation     prior to openssl-0.9.6-18.i386.rpm
                              prior to openssl-devel-0.9.6-18.i386.rpm
                              prior to openssl-devel-static-0.9.6-18.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/RPMS
4.2 Packages
49b6589ee4e3fa4780a279e5dc46604d openssl-0.9.6-18.i386.rpm
608246e3b6de6e1f08946915307813a1 openssl-devel-0.9.6-18.i386.rpm
55c039bf7e2f23805fe4060d72d94974 openssl-devel-static-0.9.6-18.i386.rpm
4.3 Installation
rpm -Fvh openssl-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm
4.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/SRPMS
4.5 Source Packages
99196cf80db29415ca44ef78733701ca openssl-0.9.6-18.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/RPMS
5.2 Packages
6c83bdbaa0866d48413a6986d44add2b openssl-0.9.6-18.i386.rpm
c17adb44ffd8f0f5e8b812904cf58227 openssl-devel-0.9.6-18.i386.rpm
0f9741b9b1348e4100bbc4c2165983b4 openssl-devel-static-0.9.6-18.i386.rpm
5.3 Installation
rpm -Fvh openssl-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm
5.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/SRPMS
5.5 Source Packages
7f819da5b612bd24e1f08b3e6ce96c7c openssl-0.9.6-18.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/RPMS
6.2 Packages
db2c63ecd72f9c919d75b80f7bf21416 openssl-0.9.6-18.i386.rpm
dfacf5e8c7588d19bda6aacbee04455c openssl-devel-0.9.6-18.i386.rpm
5caa2e9083c7bd82cf11abb747f92e24 openssl-devel-static-0.9.6-18.i386.rpm
6.3 Installation
rpm -Fvh openssl-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm
6.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/SRPMS
6.5 Source Packages
209ee703939cf4de47cc2e403e7a7a5f openssl-0.9.6-18.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/RPMS
7.2 Packages
4a71d2544d0b06600abc27bddc4d20f5 openssl-0.9.6-18.i386.rpm
6a0caf0bfef379791b83aaca484d212d openssl-devel-0.9.6-18.i386.rpm
294d134720153d5f4b284653d42cfdb1 openssl-devel-static-0.9.6-18.i386.rpm
7.3 Installation
rpm -Fvh openssl-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm
7.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/SRPMS
7.5 Source Packages
480806a05bc92716fd17001873c40c9a openssl-0.9.6-18.src.rpm
8. References
Specific references for this advisory:
http://www.openssl.org/news/secadv_20020730.txt
http://www.cert.org/advisories/CA-2002-23.html
Caldera security resources:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera incidents sr867369, fz525695,
erg501640.
9. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.
10. Acknowledgements
These vulnerabilities were discovered and reported by the
following: A.L. Digital Ltd, John McDonald of Neohapsis, Adi
Stav, James Yonan.
______________________________________________________________________________