Date: Tue, 30 Jul 2002 17:09:46 +0200
From: Daniel Ahlberg <[email protected]>
To: [email protected]Subject: GLSA: OpenSSL
Cc: [email protected]
- --------------------------------------------------------------------=20
GENTOO LINUX SECURITY ANNOUNCEMENT=20
- --------------------------------------------------------------------
PACKAGE :openssl
SUMMARY :denial of service / remote root exploit
DATE :2002-07-30 16:15:00
- --------------------------------------------------------------------
OVERVIEW
=20
Multiple potentially remotely exploitable vulnerabilities has been found =
in=20
OpenSSL.=20
DETAIL
1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have also
demonstrated that the vulerability is exploitable. Exploit code is
NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and
overrun a stack-based buffer. This issues only affects OpenSSL
0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.
The full advisory can be read at=20
http://www.openssl.org/news/secadv_20020730.txt
SOLUTION
It is recommended that all Gentoo Linux users update their systems as
follows.
emerge --clean rsync
emerge openssl
emerge clean
After the installation of the updated OpenSSL you should restart the serv=
ices=20
that uses OpenSSL, which include such common services as OpenSSH, SSL-Ena=
bled=20
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
Also, if you have an application that is statically linked to openssl you=
will=20
need to reemerge that application to build it against the new OpenSSL.
=20
- --------------------------------------------------------------------
Daniel Ahlberg
[email protected]
- --------------------------------------------------------------------
