-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

  OpenPKG Security Advisory                            The OpenPKG Project
  http://www.openpkg.org/security.html                 http://www.openpkg.org
  openpkg-security@openpkg.org                         openpkg@openpkg.org
  OpenPKG-SA-2003.044                                  30-Sep-2003
________________________________________________________________________

  Package:             openssl
  Vulnerability:       denial of service, possibly arbitrary code execution
  OpenPKG Specific:    no

  Affected Releases:   Affected Packages:          Corrected Packages:
  OpenPKG CURRENT      <= openssl-0.9.7b-20030806  >= openssl-0.9.7b-20030930
  OpenPKG 1.3          <= openssl-0.9.7b-1.3.1     >= openssl-0.9.7b-1.3.2
  OpenPKG 1.2          <= openssl-0.9.7-1.2.3      >= openssl-0.9.7-1.2.4

  Affected Releases:   Dependent Packages:
  OpenPKG CURRENT      apache* bind blender cadaver cfengine cpu cups curl
                       distcache dsniff easysoap ethereal* exim fetchmail
                       imap imapd imaputils inn jabberd kde-base kde-libs
                       linc links lynx mailsync meta-core mico* mixmaster
                       monit* mozilla mutt mutt15 nail neon nessus-libs
                       nmap openldap openssh openvpn perl-ssl pgadmin php*
                       pine* postfix* postgresql pound proftpd* qpopper
                       rdesktop samba samba3 sasl scanssh sendmail* siege
                       sio* sitecopy snmp socat squid* stunnel subversion
                       suck sysmon tcpdump tinyca w3m wget xmlsec
  OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
                       imap imapd inn links lynx mico* mutt nail neon
                       openldap openssh perl-ssl php* postfix* postgresql
                       proftpd* qpopper rdesktop samba sasl scanssh
                       sendmail* siege sio* sitecopy snmp socat squid*
                       stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
  OpenPKG 1.2          apache* bind cpu curl ethereal* fetchmail imap inn
                       links lynx mico* mutt nail neon openldap openssh
                       perl-ssl postfix* postgresql qpopper rdesktop samba
                       sasl scanssh sendmail* siege sitecopy snmp socat
                       stunnel sysmon tcpdump tinyca w3m wget

  (*) marked packages are only affected if certain build options
      ("with_xxx") were used at build time. See Appendix below for details.
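  The following POSIX sh helper is an added example and is not part of the
  OpenPKG advisory or of the OpenPKG tooling. It takes the output of
  "<prefix>/bin/rpm -q openssl" plus the OpenPKG release name and decides,
  against the corrected package versions in the table above, whether the
  installed openssl package is one this advisory covers. The function names
  (tokenize, vercmp, openssl_affected, main) and the simplified rpm-style
  version comparison are this example's own assumptions; only the version
  numbers come from the advisory.

```shell
#!/bin/sh
# Added example, not OpenPKG code: is the installed openssl package older
# than the corrected package for a given OpenPKG release?
# Function names and the version-comparison rules are this example's own
# (a simplification of rpm's rpmvercmp); version numbers are the advisory's.

# Corrected openssl package per OpenPKG release, from the advisory table.
corrected_for_release() {
    case "$1" in
        CURRENT) printf '%s\n' "0.9.7b-20030930" ;;
        1.3)     printf '%s\n' "0.9.7b-1.3.2" ;;
        1.2)     printf '%s\n' "0.9.7-1.2.4" ;;
        *)       return 1 ;;
    esac
}

# Split a "version-release" string into space-separated segments: runs of
# non-alphanumerics separate segments, and so does a digit/letter boundary
# ("0.9.7b-1.3.2" -> "0 9 7 b 1 3 2"), mirroring how rpm segments versions.
tokenize() {
    printf '%s' "$1" | tr -c '[:alnum:]' ' ' \
        | sed 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g; s/\([A-Za-z]\)\([0-9]\)/\1 \2/g'
}

is_num() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Print -1, 0 or 1 as the first string is older than, equal to, or newer
# than the second. Numeric segments compare numerically, alphabetic ones
# lexically, and a numeric segment ranks newer than an alphabetic one in
# the same position; a string with extra trailing segments ranks newer.
vercmp() {
    b=$(tokenize "$2")
    set -- $(tokenize "$1")          # positional parameters = segments of $1
    for y in $b; do
        [ $# -eq 0 ] && { printf '%s\n' -1; return; }
        x=$1; shift
        if is_num "$x" && is_num "$y"; then
            [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
            [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
        elif is_num "$x"; then
            printf '%s\n' 1; return
        elif is_num "$y"; then
            printf '%s\n' -1; return
        else
            [ "$(expr "$x" \< "$y")" = 1 ] && { printf '%s\n' -1; return; }
            [ "$(expr "$x" \> "$y")" = 1 ] && { printf '%s\n' 1; return; }
        fi
    done
    [ $# -gt 0 ] && { printf '%s\n' 1; return; }
    printf '%s\n' 0
}

# Exit 0 if the package named by "rpm -q openssl" output is older than the
# corrected package for the given release (the advisory applies), 1 if it is
# already at or beyond the corrected version, 2 for an unknown release.
openssl_affected() {
    installed=${1#openssl-}
    fixed=$(corrected_for_release "$2") || return 2
    [ "$(vercmp "$installed" "$fixed")" -lt 0 ]
}

# Stand-alone use: sh check-openssl.sh "$(<prefix>/bin/rpm -q openssl)" 1.3
main() {
    pkg=${1:-openssl-0.9.7b-1.3.1}   # constructed sample "rpm -q openssl" output
    rel=${2:-1.3}
    openssl_affected "$pkg" "$rel" && rc=0 || rc=$?
    case $rc in
        0) echo "$pkg: affected by OpenPKG-SA-2003.044; upgrade to" \
                "openssl-$(corrected_for_release "$rel") and rebuild dependents" ;;
        1) echo "$pkg: at or beyond the corrected package, not affected" ;;
        *) echo "unknown OpenPKG release: $rel" >&2; return 2 ;;
    esac
}

main "$@"
```

  Run with no arguments it checks the constructed sample value
  openssl-0.9.7b-1.3.1 against release 1.3 and reports it as affected; the
  release name matters because the CURRENT line uses a date as its release
  number while 1.3 and 1.2 use dotted release numbers. Packages marked with
  (*) still need the "rpm -qi" build-option check from the Appendix.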
  Description:
    According to an OpenSSL [0] security advisory [1], multiple
    vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
    and 0.9.7b:

    1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
       parser can trigger a bug in the deallocation of the corresponding
       data structure, corrupting the stack.

    2. Unusual ASN.1 tag values can cause an out of bounds read under
       certain circumstances.

    3. A malformed public key in a certificate will crash the verify code
       if it is set to ignore public key decoding errors (which is usually
       not the case, except for debugging purposes).

    4. Due to an error in the SSL/TLS protocol handling, a server will
       parse a client certificate when one is not specifically requested.
       This means that all OpenSSL based SSL/TLS servers can be attacked
       using vulnerabilities 1, 2 and 3 even if they don't enable client
       authentication.

    The Common Vulnerabilities and Exposures (CVE) project assigned the
    ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
    problems.

    Please check whether you are affected by running "<prefix>/bin/rpm -q
    openssl". If you have the "openssl" package installed and its version
    is affected (see above), we recommend that you immediately upgrade it
    (see Solution) and its dependent packages (see above), too. [5][6]

  Solution:
    Select the updated source RPM appropriate for your OpenPKG release
    [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
    location, verify its integrity [11], build a corresponding binary RPM
    from it [5] and update your OpenPKG installation by applying the
    binary RPM [6]. For the current release OpenPKG 1.3, perform the
    following operations to permanently fix the security problem (for
    other releases adjust accordingly).
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.3/UPD
    ftp> get openssl-0.9.7b-1.3.2.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
    $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
    $ su -
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm

    Additionally, you have to rebuild and reinstall all dependent
    packages (see above), too. [5][6]
________________________________________________________________________

  Appendix:
    Some packages are only affected if certain package options
    ("with_xxx") were used at build time. Please check whether you are
    affected by running "<prefix>/bin/rpm -qi <package>". The table
    below lists all those packages, their options and values that make
    up the difference regarding this advisory for OpenPKG CURRENT, 1.3
    and 1.2. Packages or options that were not available in a particular
    release are marked "=".

    package   option "with_"     CUR  1.3  1.2
    -----------------------------------------
    apache    mod_ssl            yes  yes  yes
       :      mod_php_pgsql      yes  yes  =
       :      mod_php_openssl    yes  yes  yes
       :      mod_php_openldap   yes  yes  yes
       :      mod_php_imap       yes  yes  =
       :      mod_php3_openssl   yes  yes  yes
       :      mod_auth_ldap      yes  yes  yes
    ethereal  openssl            yes  yes  yes
    mico      ssl                yes  yes  yes
    monit     ssl                yes  =    =
    php       openssl            yes  yes  =
       :      imap               yes  yes  =
    pine      ssl                yes  =    =
    postfix   tls                yes  yes  yes
       :      ldap               yes  yes  =
    proftpd   pgsql              yes  yes  =
       :      ldap               yes  yes  =
    sendmail  tls                yes  yes  yes
       :      sasl               yes  yes  yes
       :      ldap               yes  yes  yes
    sio       bio                yes  yes  =
    squid     ssl                yes  yes  =
________________________________________________________________________

  References:
    [0]  http://www.openssl.org/
    [1]  http://www.openssl.org/news/secadv_20030930.txt
    [2]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
    [3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
    [4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
    [5]  http://www.openpkg.org/tutorial.html#regular-source
    [6]  http://www.openpkg.org/tutorial.html#regular-binary
    [7]  ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
    [8]  ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
    [9]  ftp://ftp.openpkg.org/release/1.2/UPD/
    [10] ftp://ftp.openpkg.org/release/1.3/UPD/
    [11] http://www.openpkg.org/security.html#signature
________________________________________________________________________

  For security reasons, this advisory was digitally signed with the
  OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
  OpenPKG project which you can retrieve from http://pgp.openpkg.org and
  hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
  for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iD8DBQE/eX0UgHWT4GPEy58RAplhAJ0c+GMqHgDjrgIYdcCkgKi/jzgWtgCeLc5T
B84GXRZS675YJYwrEc5Audk=
=+vWe
-----END PGP SIGNATURE-----