TUCoPS :: Web :: General :: dsa-288.htm

openssl - several vulnerabilities

Debian Security Advisory

DSA-288-1 openssl -- several vulnerabilities

Date Reported:
17 Apr 2003
Affected Packages:
openssl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CAN-2003-0147, CAN-2003-0131.
CERT's vulnerabilities, advisories and incident notes: VU#888801.
More information:

Researchers discovered two flaws in OpenSSL, a Secure Socket Layer (SSL) library and related cryptographic tools. Applications that are linked against this library are generally vulnerable to attacks that could leak the server's private key or make the encrypted session decryptable otherwise. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

CAN-2003-0147
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key.
CAN-2003-0131
The SSL allows remote attackers to perform an unauthorized RSA private key operation that causes OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext.

For the stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.3.

For the old stable distribution (potato) these problems have been fixed in version 0.9.6c-0.potato.6.

For the unstable distribution (sid) these problems have been fixed in version 0.9.7b-1 of openssl and version 0.9.6j-1 of openssl096.

We recommend that you upgrade your openssl packages immediately and restart the applications that use OpenSSL.

Unfortunately, RSA blinding is not thread-safe and will cause failures for programs that use threads and OpenSSL such as stunnel. However, since the proposed fix would change the binary interface (ABI), programs that are dynamically linked against OpenSSL won't run anymore. This is a dilemma we can't solve.

You will have to decide whether you want the security update which is not thread-safe and recompile all applications that apparently fail after the upgrade, or fetch the additional source packages at the end of this advisory, recompile it and use a thread-safe OpenSSL library again, but also recompile all applications that make use of it (such as apache-ssl, mod_ssl, ssh etc.).

However, since only very few packages use threads and link against the OpenSSL library most users will be able to use packages from this update without any problems.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.6_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_sparc.deb

Debian GNU/Linux 2.2 (potato)

http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.dsc
http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.patch

Debian GNU/Linux 3.0 (woody)

http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.dsc
http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.patch

MD5 checksums of the listed files are available in the original advisory.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH