[CLA-2004:834] Conectiva Security Announcement - openssl
Date: Wed, 31 Mar 2004 16:50:45 -0300
From: Conectiva Updates <[email protected]>
To: [email protected], [email protected],
Subject: [CLA-2004:834] Conectiva Security Announcement - openssl
--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------
PACKAGE : openssl
SUMMARY : Remote denial of service vulnerabilities
DATE : 2004-03-31 16:49:00
ID : CLA-2004:834
RELEVANT RELEASES : 8, 9
-------------------------------------------------------------------------
DESCRIPTION
OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as full-strength
general purpose cryptography functions. It is used (as a library) by
several projects, like Apache, OpenSSH, Bind, OpenLDAP and many
other client and server programs.
This update fixes three denial of service vulnerabilities that affect
OpenSSL versions distributed with Conectiva Linux:
CAN-2004-0079: Null-pointer assignment during SSL handshake[3]. A
remote attacker can exploit this vulnerability by performing a
specially crafted SSL handshake that will crash the application. This
vulnerability was discovered by the OpenSSL team using the
Codenomicon TLS Test Tool and affects OpenSSL versions distributed
with Conectiva Linux 8 (0.9.6c) and 9 (0.9.7a).
CAN-2004-0081: Infinite loop when handling unknown TLS message
types[4]. A remote attacker can exploit this vulnerability by sending
specially crafted TLS messages, causing the application to enter an
infinite loop. Conectiva Linux 9 (OpenSSL-0.9.7a) is not vulnerable
to this issue.
CAN-2004-0112: Out-of-bounds read with Kerberos ciphersuites[5].
Stephen Henson discovered a vulnerability in the SSL/TLS handshaking
code when using Kerberos ciphersuites. A remote attacker can exploit
it to crash an application which uses Kerberos ciphersuites. The
OpenSSL version distributed with Conectiva Linux 8 (OpenSSL-0.9.6c)
is not vulnerable to this issue and there are no known applications
using Kerberos ciphersuites in Conectiva Linux 9.
SOLUTION
All openssl users should upgrade.
Please notice that in order to complete the upgrade process, you must
restart all running applications that are linked to the openssl libraries
after the new packages are installed. You can see a list of such
applications using the lsof utility, as seen below:
# lsof | egrep '(libcrypto|libssl)'
Services (like apache and openssh daemons) can be restarted using the
"service" command. For example:
# service httpd restart
# service sshd restart
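The lsof check above lists everything linked to libssl/libcrypto, but after the RPMs are installed the processes that actually need a restart are those still mapping the replaced (now deleted) library files. The following script, an added example and not part of the Conectiva advisory, reads /proc/<pid>/maps directly and marks such processes as STALE; the function names, output format and the PROC_ROOT parameter are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Conectiva advisory. After the openssl RPMs
# are installed, a process still linked to the OLD libssl/libcrypto shows the
# replaced file as "(deleted)" in /proc/<pid>/maps. This script lists every
# process mapping an OpenSSL library and marks those as STALE, so the exact
# set of services to restart is known. It reads /proc directly and therefore
# does not need lsof; output format and function names are this script's own.

# openssl_users [PROC_ROOT]
# Print "pid<TAB>name<TAB>library<TAB>status" per OpenSSL library mapped by
# each process. PROC_ROOT defaults to /proc; another root lets the function
# be exercised against a constructed tree.
openssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip unreadable (other users') processes
        dir="${maps%/maps}"
        pid="${dir##*/}"
        # /proc/<pid>/comm is absent on old kernels; fall back to "?".
        name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
        # Field 6 of a maps line is the path; field 7 is "(deleted)" when the
        # mapped file has since been unlinked/replaced by the package upgrade.
        awk '$6 ~ /\/lib(crypto|ssl)\.so/ {
                 p = $6; if ($7 == "(deleted)") p = p " (deleted)"; print p
             }' "$maps" | sort -u |
        while IFS= read -r lib; do
            case "$lib" in
                *"(deleted)") status="STALE" ;;
                *)            status="current" ;;
            esac
            printf '%s\t%s\t%s\t%s\n' "$pid" "$name" "$lib" "$status"
        done
    done
}

# stale_openssl_users [PROC_ROOT]
# Print the distinct PIDs that still map a deleted (pre-upgrade) OpenSSL
# library; these are the processes that must be restarted.
stale_openssl_users() {
    openssl_users "$1" | awk -F'\t' '$4 == "STALE" { print $1 }' | sort -u
}

# Report for the live system when run directly: sh check_openssl.sh [/proc]
openssl_users "${1:-/proc}"
stale="$(stale_openssl_users "${1:-/proc}" | tr '\n' ' ')"
[ -z "$stale" ] || printf 'Restart (old OpenSSL still mapped): PIDs %s\n' "$stale"
```

Run it once before and once after the package upgrade: a PID reported as STALE afterwards is a daemon (httpd, sshd, ...) that still runs the vulnerable code until it is restarted.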
REFERENCES
1. http://www.openssl.org/
2. http://www.openssl.org/news/secadv_20040317.txt
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0079
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0081
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0112
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-0.9.6c-2U80_8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-static-0.9.6c-2U80_8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-doc-0.9.6c-2U80_8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-progs-0.9.6c-2U80_8cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_8cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl0.9.7-0.9.7a-28910U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-0.9.7a-28910U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-static-0.9.7a-28910U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-doc-0.9.7a-28910U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-progs-0.9.7a-28910U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssl0.9.7-0.9.7a-28910U90_2cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
-------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
-------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]