--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------------

PACKAGE           : openssl
SUMMARY           : Remote denial of service vulnerabilities
DATE              : 2004-03-31 16:49:00
ID                : CLA-2004:834
RELEVANT RELEASES : 8, 9

-------------------------------------------------------------------------

DESCRIPTION
 OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and Transport
 Layer Security (TLS v1) protocols as well as full-strength general purpose
 cryptography functions. It is used (as a library) by several projects,
 such as Apache, OpenSSH, Bind, OpenLDAP and many other client and server
 programs.

 This update fixes three denial of service vulnerabilities that affect the
 OpenSSL versions distributed with Conectiva Linux:

 CAN-2004-0079: Null-pointer assignment during SSL handshake[3].
 A remote attacker can exploit this vulnerability by performing a specially
 crafted SSL handshake that will crash the application. This vulnerability
 was discovered by the OpenSSL team using the Codenomicon TLS Test Tool and
 affects the OpenSSL versions distributed with Conectiva Linux 8 (0.9.6c)
 and 9 (0.9.7a).

 CAN-2004-0081: Infinite loop when handling unknown TLS message types[4].
 A remote attacker can exploit this vulnerability by sending specially
 crafted TLS messages, causing the application to enter an infinite loop.
 Conectiva Linux 9 (OpenSSL-0.9.7a) is not vulnerable to this issue.

 CAN-2004-0112: Out-of-bounds read with Kerberos ciphersuites[5].
 Stephen Henson discovered a vulnerability in the SSL/TLS handshaking code
 when using Kerberos ciphersuites. A remote attacker can exploit it to crash
 an application which uses Kerberos ciphersuites. The OpenSSL version
 distributed with Conectiva Linux 8 (OpenSSL-0.9.6c) is not vulnerable to
 this issue, and there are no known applications using Kerberos
 ciphersuites in Conectiva Linux 9.

SOLUTION
 All openssl users should upgrade.

 Please notice that in order to complete the upgrade process, you must
 restart all running applications that are linked to the openssl libraries
 after the new packages are installed. You can see a list of such
 applications using the lsof utility, as seen below:

 # lsof | egrep '(libcrypto|libssl)'

 Services (like the apache and openssh daemons) can be restarted using the
 "service" command. For example:

 # service httpd restart
 # service sshd restart

REFERENCES
 1. http://www.openssl.org/
 2. http://www.openssl.org/news/secadv_20040317.txt
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0079
 4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0081
 5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0112

UPDATED PACKAGES
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_8cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-0.9.6c-2U80_8cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-static-0.9.6c-2U80_8cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-doc-0.9.6c-2U80_8cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-progs-0.9.6c-2U80_8cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_8cl.src.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl0.9.7-0.9.7a-28910U90_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-0.9.7a-28910U90_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-devel-static-0.9.7a-28910U90_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-doc-0.9.7a-28910U90_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/RPMS/openssl-progs-0.9.7a-28910U90_2cl.i386.rpm
 ftp://atualizacoes.conectiva.com.br/9/SRPMS/openssl0.9.7-0.9.7a-28910U90_2cl.src.rpm

ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM package upgrades:
 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples can be
 found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

-------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
-------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
-------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
-------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
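The SOLUTION section above only lists processes that still have libssl/libcrypto mapped; the script below, an added example that is not part of the Conectiva advisory, turns that lsof output into a de-duplicated "PID COMMAND" restart list, flags mappings whose file was replaced on disk ("(deleted)", i.e. the process still runs the old code), and offers a /proc-based scan for hosts without lsof. The sample lsof output, PIDs and library paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that must be restarted
# after the openssl upgrade because they still map the old libssl/libcrypto.

# Constructed sample of "lsof" output (COMMAND PID USER ... NAME); a trailing
# "(deleted)" marks a library file that the upgrade replaced on disk.
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER   FD  TYPE DEVICE    SIZE  NODE NAME
httpd   1234 root   mem REG    3,1  876543 12345 /usr/lib/libssl.so.0.9.6
httpd   1234 root   mem REG    3,1 1234567 12346 /usr/lib/libcrypto.so.0.9.6 (deleted)
httpd   1235 apache mem REG    3,1  876543 12345 /usr/lib/libssl.so.0.9.6
sshd    2000 root   mem REG    3,1 1234567 12346 /usr/lib/libcrypto.so.0.9.6 (deleted)
bash    3000 root   mem REG    3,1  500000 99999 /lib/libc.so.6
EOF
}

# Read lsof output on stdin; print one "PID COMMAND" line per process that
# maps libssl or libcrypto (the advisory's egrep, reduced to unique processes).
stale_from_lsof() {
    awk 'NR > 1 && /lib(ssl|crypto)\./ { print $2, $1 }' | sort -n | uniq
}

# Same, but only processes whose mapped library file has been replaced
# ("(deleted)"): these definitely run pre-upgrade code.
deleted_from_lsof() {
    awk 'NR > 1 && /lib(ssl|crypto)\..*\(deleted\)/ { print $2, $1 }' | sort -n | uniq
}

# Map a command name to the restart action from the advisory; anything not a
# known service is reported for manual handling.
restart_hint() {
    case "$1" in
        httpd|sshd) echo "service $1 restart" ;;
        *)          echo "restart $1 manually" ;;
    esac
}

# Live scan via /proc/<pid>/maps for hosts without lsof; prints
# "PID COMMAND deleted_mappings=N" for every process mapping libssl/libcrypto.
stale_from_proc() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        grep -qs 'lib\(ssl\|crypto\)\.' "$m" || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        deleted=$(grep -c 'lib\(ssl\|crypto\)\..*(deleted)' "$m" 2>/dev/null || true)
        echo "$pid $comm deleted_mappings=${deleted:-0}"
    done
}

# Usage: "sh restart-check.sh --scan" scans the live system; with no
# argument the functions are only defined (and the sample can be piped).
[ "${1:-}" = "--scan" ] && stale_from_proc
```

With lsof available, `lsof | stale_from_lsof | while read pid cmd; do restart_hint "$cmd"; done` prints one restart action per affected process.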