Date: Sat, 8 May 2004 09:39:40 -0700
From: Jesse Keating <[email protected]>
To: [email protected]
Subject: [FLSA-2004:1395] Updated OpenSSL resolves security vulnerability
Cc: [email protected]
-------------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated OpenSSL resolves security vulnerability
Advisory ID: FLSA:1395
Issue date: 2004-05-08
Product: Red Hat Linux
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=1395
CVE Names: CAN-2003-0851 CAN-2004-0081
-------------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated OpenSSL packages that fix remote denial of service vulnerabilities
are now available.
2. Relevant releases/architectures:
Red Hat Linux 7.2 - i386 i686
Red Hat Linux 7.3 - i386 i686
Red Hat Linux 8.0 - i386 i686
3. Problem description:
OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a bug in older versions of OpenSSL 0.9.6 prior to 0.9.6d that
can lead to a denial of service attack (infinite loop). The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0081 to this issue.
Testing performed by Novell using a test suite provided by NISCC uncovered
an issue in the ASN.1 parser in versions of OpenSSL 0.9.6 prior to 0.9.6l
which could cause large recursion and possibly lead to a denial of service
attack if used where stack space is limited. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0851
to this issue.
These updated packages contain patches provided by the OpenSSL group that
protect against these issues.
NOTE: Because server applications are affected by this issue, users are
advised to either restart all services using OpenSSL functionality or
restart their system after installing these updated packages.
Fedora Legacy would like to thank Michal Jaegermann for bringing this issue
to our attention.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.
5. Bug IDs fixed:
http://bugzilla.fedora.us - 1395 - openssl vulnerabilities to remote DoS
attack
6. RPMs required:
Red Hat Linux 7.2:
SRPM:
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/openssl095a-0.9.5a-24.7.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/openssl-0.9.6b-36.7.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/SRPMS/openssl096-0.9.6-25.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl-devel-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl-perl-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl096-0.9.6-25.7.legacy.i386.rpm
i686:
http://download.fedoralegacy.org/redhat/7.2/updates/i386/openssl-0.9.6b-36.7.legacy.i686.rpm
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl095a-0.9.5a-24.7.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl-0.9.6b-36.7.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl096-0.9.6-25.7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-devel-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-perl-0.9.6b-36.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl096-0.9.6-25.7.legacy.i386.rpm
i686:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-36.7.legacy.i686.rpm
Red Hat Linux 8.0:
SRPM:
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/openssl095a-0.9.5a-24.8.legacy.src.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/openssl-0.9.6b-36.8.legacy.src.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/SRPMS/openssl096-0.9.6-24.8.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl-devel-0.9.6b-36.8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl-0.9.6b-36.8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl-perl-0.9.6b-36.8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl095a-0.9.5a-24.8.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl096-0.9.6-24.8.legacy.i386.rpm
i686:
http://download.fedoralegacy.org/redhat/8.0/updates/i386/openssl-0.9.6b-36.8.legacy.i686.rpm
7. Verification:
These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
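As an added example (not part of the advisory or the Fedora Legacy tooling), the following POSIX shell function automates the sha1sum check above for a whole directory of downloaded RPMs: it reads a manifest in the advisory's "<sha1>  <release>/updates/<arch>/<package>.rpm" form and flags any package whose sum does not match, with an optional `rpm --checksig` pass for the GPG signature. The function names and the sample manifest are constructed for this example.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against an advisory-style manifest of
# "<40-hex sha1>  <path>" lines before installing them. Only the basename of
# each manifest path is used to find the file in DIR.
# Usage: check_advisory_sums MANIFEST DIR
# Returns 0 only when every package found in DIR matches its listed sum.
# Packages listed but not present in DIR are reported as MISSING and do not
# fail the check (you may not have downloaded every release's packages).
check_advisory_sums() {
    manifest=$1; dir=$2; bad=0
    while read -r want path; do
        # skip blank lines and the "SHA1 sum  Package Name" header row
        case "$want" in ''|'SHA1') continue ;; esac
        file="$dir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            continue
        fi
        got=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want, got $got)"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Second step: let rpm verify the Fedora Legacy GPG signature on each package,
# which a bare sha1sum cannot do. Skipped when rpm is not installed here.
check_rpm_signatures() {
    dir=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found, skipping"; return 0; }
    rpm --checksig -v "$dir"/*.rpm
}
```

A sha1sum match only shows the file is the one the advisory lists; the GPG check is what ties it to Fedora Legacy, so run both before `rpm -Fvh`.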
8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
https://rhn.redhat.com/errata/RHSA-2004-119.html
https://bugzilla.fedora.us/show_bug.cgi?id=1395
9. Contact:
The Fedora Legacy security contact is <[email protected]>. More
project details at http://www.fedoralegacy.org
-----------------------------------------------------------------------
-- 
Jesse Keating RHCE (http://geek.j2solutions.net)
Fedora Legacy Team (http://www.fedoralegacy.org)