Overview
OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the server.
Description
Versions of OpenSSL servers prior to 0.9.6e and pre-release version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a client using a malformed key during the handshake process with an SSL server connection using the SSLv2 communication process. |
Impact
Exploitation of this vulnerability could lead to the execution of arbitrary code on the server. The code will be executed with the privileges of the application or service exploited via this vulnerability. |
Solution
OpenSSL servers should apply the patches provided by your vendors, or upgrade to OpenSSL 0.9.6e. Note that applications statically linking to OpenSSL libraries may need to be recompiled with the corrected version of OpenSSL. |
Servers can disable SSL2 or disable all applications using SSL or TLS until the patches are applied. |
Vendor Information
Apple Computer Inc. Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
The vulnerabilities described in this note are fixed with Security Update 2002-08-02.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Covalent Affected
Notified: July 30, 2002 Updated: September 17, 2002
Status
Affected
Vendor Statement
Covalent Technologies has been informed by RSA Security that the BSAFElibraries used in Covalent's SSL implementations are potentiallyvulnerable to the SSL V2 negotiation issue detailed in VU#102795 and the related CA-2002-23 and CA-2002-27advisories. All Covalent products using SSL are affected. Covalent hasproduct updates and additional information available at:
http://www.covalent.net/products/rotate.php?page=110
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
Please see http://www.debian.org/security/2002/dsa-136
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory DSA-136-1 security@debian.org
http://www.debian.org/security/ Wichert Akkerman
July 30, 2002
- ------------------------------------------------------------------------
Package : openssl
Problem type : multiple remote exploits
Debian-specific: no
CVE : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
The OpenSSL development team has announced that a security audit by A.L.
Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed
remotely exploitable buffer overflow conditions in the OpenSSL code.
Additionaly, the ASN1 parser in OpenSSL has a potential DoS attack
independently discovered by Adi Stav and James Yonan.
CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64 bit platforms. CAN-2002-0656
references buffer overflows in the SSL2 server implementation (by
sending an invalid key to the server) and the SSL3 client implementation
(by sending a large session id to the client). The SSL2 issue was also
noticed by Neohapsis, who have privately demonstrated exploit code for
this issue. CAN-2002-0659 references the ASN1 parser DoS issue.
These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and
openssl_0.9.6c-2.woody.0.
These vulnerabilities are also present in Debian 2.2 (potato), but no
fix is available at this moment.
We recommend you upgrade your OpenSSL as soon as possible. Note that you
should restart any daemons running SSL. (E.g., ssh or ssl-enabled
apache.)
- ------------------------------------------------------------------------
Obtaining updates:
By hand:
wget URL
will fetch the file for you.
dpkg -i FILENAME.deb
will install the fetched file.
With apt:
deb http://security.debian.org/ stable/updates main
added to /etc/apt/sources.list will provide security updates
Additional information can be found on the Debian security webpages
at http://www.debian.org/security/
- ------------------------------------------------------------------------
Debian 3.0 (stable)
- -------------------
Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel
, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0.dsc
Size/MD5 checksum: 782 de4c7b85648c7953dc31d3a89c38681c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0.diff.gz
Size/MD5 checksum: 42270 e9fbf71f583f1727222eddb8f023472a
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.0.dsc
Size/MD5 checksum: 781 534406f61e0229e92f506e9bc92fdaf1
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.0.diff.gz
Size/MD5 checksum: 45542 f4683a2fb7adc0fef97a31ac141e3acd
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.0.diff.gz
Size/MD5 checksum: 38251 ee919ba698cbbfebcf922b19e05bbfeb
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
Size/MD5 checksum: 1570392 72544daea16d6c99d656b95f77b01b2d
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.0.dsc
Size/MD5 checksum: 731 370bd2a3bb4bd957c571b7e0e51837ce
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
Size/MD5 checksum: 1892089 99d22f1d4d23ff8b927f94a9df3997b4
Architecture independent packages:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.0_all.deb
Size/MD5 checksum: 978 550d56ffa53e3e8ef26087b1fef5a1c5
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_alpha.deb
Size/MD5 checksum: 735692 786b81d45374fa91a204a578d09dea6b
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_alpha.deb
Size/MD5 checksum: 1550722 ac0d245d8d2e744d688c2778382513da
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_alpha.deb
Size/MD5 checksum: 570630 c46d9dcac74f3766a48d8fe36d8dcb05
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_hppa.deb
Size/MD5 checksum: 741398 9a081e5359cdf46e56a1854bcbff7af3
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_hppa.deb
Size/MD5 checksum: 1434262 b9014a44cbefabce2c446b5b7be640f9
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_hppa.deb
Size/MD5 checksum: 564284 be33bde9b00138d7ab6639daf9dc4cfe
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_i386.deb
Size/MD5 checksum: 731384 101d86cf6e2e274e5a811a38f5956b2d
http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.0_i386.deb
Size/MD5 checksum: 357908 49dd8e2dc866b9bd7639c5e7576e7519
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_i386.deb
Size/MD5 checksum: 462026 859c8e6439943d597db12d47ec1ee496
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_i386.deb
Size/MD5 checksum: 1293384 3e605b6e1abc0b0f40c6ec3ddf2b9419
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.0_i386.deb
Size/MD5 checksum: 400048 7495feff7cbcae0f816641b8d7537ad1
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_ia64.deb
Size/MD5 checksum: 1614810 48c24d1b8c221e51a1e6f789b2621b40
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_ia64.deb
Size/MD5 checksum: 763034 13e3e71cc06198e6a481d958854a1f78
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_ia64.deb
Size/MD5 checksum: 710254 792b4575a78dafac7f99919d9c5a9f78
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_mips.deb
Size/MD5 checksum: 717276 4a2d38551b10dc1316bd3479d044261b
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_mips.deb
Size/MD5 checksum: 482968 f37975dfb58f53950e98e8adce007cd9
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_mips.deb
Size/MD5 checksum: 1415580 e87350a24e7d0bc4558cc09711246eab
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_mipsel.deb
Size/MD5 checksum: 1409480 70e26b6de02b0749e9d30fb4e8d0bbc3
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_mipsel.deb
Size/MD5 checksum: 475990 1f96c9c2528316857598262b40a9b9ca
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_mipsel.deb
Size/MD5 checksum: 716482 a89cfa547f585e6858593506ed9b2257
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_powerpc.deb
Size/MD5 checksum: 501824 bfca4d6a8e3b348abb8ed97453349752
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_powerpc.deb
Size/MD5 checksum: 726122 9db6440fb0765c1360a7c09dec78f404
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_powerpc.deb
Size/MD5 checksum: 1386244 06a403323563b590311b1297e4f63a5d
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_s390.deb
Size/MD5 checksum: 730124 6585907e414d4508a66460649de0c701
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
Size/MD5 checksum: 1310886 d6e233ab6d3f1ebe4fd9b479713ee662
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_s390.deb
Size/MD5 checksum: 495844 afb314f4d0113175d27435485ba2de07
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_sparc.deb
Size/MD5 checksum: 736604 ebd2b62518e0602fbf1027686c0eb5e5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_sparc.deb
Size/MD5 checksum: 484136 e26006714e97d77159f2d0773e00e636
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_sparc.deb
Size/MD5 checksum: 1343554 76c3efda7e4a3470c5276cefa63a2448
- --
- ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBPUaKwajZR/ntlUftAQGXkQL/anYU8ZtJFkL/TMGvoXl/flgBSbUoJ8eH
sIDsZWuh0DIJmo7vy8bXlzjTUM0Cwal5q3ZkQ4RJJjY35rWGh0uFT2tfUMYsrSR9
H/qMh54TrQl3eVSM2F1IvmFE0jTnZGD+
=TZ0F
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Gentoo Linux Affected
Updated: August 09, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------
PACKAGE :openssl
SUMMARY :denial of service / remote root exploit
DATE :2002-07-30 16:15:00
- --------------------------------------------------------------------
OVERVIEW
Multiple potentially remotely exploitable vulnerabilities has been found in
OpenSSL.
DETAIL
1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have also
demonstrated that the vulerability is exploitable. Exploit code is
NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and
overrun a stack-based buffer. This issues only affects OpenSSL
0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.
The full advisory can be read at
http://www.openssl.org/news/secadv_20020730.txt
SOLUTION
It is recommended that all Gentoo Linux users update their systems as
follows.
emerge --clean rsync
emerge openssl
emerge clean
After the installation of the updated OpenSSL you should restart the services
that uses OpenSSL, which include such common services as OpenSSH, SSL-Enabled
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
Also, if you have an application that is statically linked to openssl you will
need to reemerge that application to build it against the new OpenSSL.
- --------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
- --------------------------------------------------------------------
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
See http://www.linuxsecurity.com/advisories/other_advisory-1338.html.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory July 30, 2002 |
| http://www.engardelinux.org/ ESA-20020730-019 |
| |
| Packages: openssl, openssl-misc |
| Summary: several vulnerabilities in the openssl library. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There are several potentially exploitable vulnerabilities in the OpenSSL
toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd
and The Bunker (http://www.thebunker.net/) under the DARPA program
CHATS. Through this review, the following vulnerabilities were
discovered:
1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have
also demonstrated that the vulnerability is exploitable.
2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.
3. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.
4. The ASN1 parser can be confused by supplying it with certain
invalid encodings.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3,
and CAN-2002-0659 to issue 4.
SOLUTION
- --------
Users of the EnGarde Professional edition can use the Guardian Digital
Secure Network to update their systems automatically.
EnGarde Community users should upgrade to the most recent version
as outlined in this advisory. Updates may be obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh files
You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signatures of the updated packages, execute the command:
# rpm -Kv files
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux Community
Edition.
Source Packages:
SRPMS/openssl-0.9.6-1.0.16.src.rpm
MD5 Sum: 158ff68fb5474993694d1dd3f623b921
Binary Packages:
i386/openssl-0.9.6-1.0.16.i386.rpm
MD5 Sum: 9f7bd4009f352a3a3a3519c97ebe988d
i386/openssl-misc-0.9.6-1.0.16.i386.rpm
MD5 Sum: 281794e60d923df695f6bcf8aa17055b
i386/openssl-devel-0.9.6-1.0.16.i386.rpm
MD5 Sum: 18b3ecd6b9d210180457caeb50a1331e
i686/openssl-0.9.6-1.0.16.i686.rpm
MD5 Sum: 872eadde6cb52bcf93fae967c72949b1
i686/openssl-misc-0.9.6-1.0.16.i686.rpm
MD5 Sum: 3baf870cbc35f3425cbd3110714ca3ed
i686/openssl-devel-0.9.6-1.0.16.i686.rpm
MD5 Sum: 718f5a6c89fac22f338177134fd5e6bd
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
OpenSSL's Official Web Site:
http://www.openssl.org/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020730-019-openssl,v 1.2 2002/07/30 12:05:04 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9RpOJHD5cqd57fu0RAgcDAKCJ9ZLCQT+syCgSTwGR24vWbnxavwCgoUnm
JbqLWW/qISBmKIMfBsSgR5c=
=edXn
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP Support Information Digests
===============================================================================
o Security Bulletin Digest Split
------------------------------
The security bulletins digest has been split into multiple digests
based on the operating system (HP-UX, MPE/iX, and HP Secure OS
Software for Linux). You will continue to receive all security
bulletin digests unless you choose to update your subscriptions.
To update your subscriptions, use your browser to access the
IT Resource Center on the World Wide Web at:
http://www.itresourcecenter.hp.com/
Under the Maintenance and Support Menu, click on the "more..." link.
Then use the 'login' link at the left side of the screen to login
using your IT Resource Center User ID and Password.
Under the notifications section (near the bottom of the page), select
Support Information Digests.
To subscribe or unsubscribe to a specific security bulletin digest,
select or unselect the checkbox beside it. Then click the
"Update Subscriptions" button at the bottom of the page.
o IT Resource Center World Wide Web Service
---------------------------------------------------
If you subscribed through the IT Resource Center and would
like to be REMOVED from this mailing list, access the
IT Resource Center on the World Wide Web at:
http://www.itresourcecenter.hp.com/
Login using your IT Resource Center User ID and Password.
Then select Support Information Digests (located under
Maintenance and Support). You may then unsubscribe from the
appropriate digest.
===============================================================================
Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Wed Aug 7 3:00:03 PDT 2002
Table of Contents:
Document ID Title
--------------- -----------
HPSBTL0207-055 Security vulnerability in openssl (ref. 1)
The documents are listed below.
-------------------------------------------------------------------------------
Document ID: HPSBTL0207-055
Date Loaded: 20020730
Title: Security vulnerability in openssl (ref. 1)
TEXT
---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBTL0207-055
Originally issued: 30 July '02
** Rev. 1 ** 06 August '02
---------------------------------------------------------------
The information in the following Security Bulletin should be acted
upon as soon as possible. Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.
Because the vulnerability does not require a HP Secure OS
1.0 patch or re-packaging of the RPM affected by the bulletin, the
RPMs have not been produced or tested by Hewlett-Packard Company.
---------------------------------------------------------------
PROBLEM: Updated OpenSSL packages fix several vulnerabilities
PLATFORM: Any system running HP Secure OS Software for Linux Release 1.0
DAMAGE: Potential for remotely exploitable buffer overflow
SOLUTION: Apply the appropriate RPMs (see section B below)
MANUAL ACTIONS: None
AVAILABILITY: The RPMs are available now.
CHANGE SUMMARY: Rev. 1 Updated OpenSSL packages are available
(RHSA-2002:160)
---------------------------------------------------------------
A. Background
OpenSSL is a commercial-grade, full-featured, and Open Source
toolkit which implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library. A security
audit of the OpenSSL code sponsored by DARPA found several
buffer overflows in OpenSSL which affect versions 0.9.7 and
0.9.6d and earlier.
** Rev. 1 **
>>> Additional OpenSSL security vulnerabilities were found,
corrected and updated in the RPM packages previously made available
under Red Hat Security Advisory number RHSA-2002:155.
B. Fixing the problem
Hewlett-Packard Company recommends that customers install the RPMs
listed in the following Red Hat Security Advisory in the section
labeled "Red Hat Linux 7.1 i386".
** Rev. 1 **
>>> 2002-08-05 RHSA-2002:160 Updated openssl packages fix protocol
parsing bugs
>>> http://rhn.redhat.com/errata/RHSA-2002-160.html
To install the security bulletin RPMs, use the following sequence
of commands:
1. If you use the tripwire product, we recommend that you run a
a consistency check and fix any violations before installing
the security bulletin RPM.
tripwire --check --interactive
2. Install the bulletin RPM from the root account.
rpm -F <bulletin RPM name>
3. Update the tripwire database
tripwire --check --interactive
NOTE:
The rpm -q <package name> command can be used to determine if the
package is installed. Hewlett-Packard Company recommends applying the
Security Bulletin fixes to installed packages only. The -F option
to the RPM installer will only apply the fix if the package is
currently installed on the system. Dependent RPMs can be found by
using the "Find Latest RPMs" search facility at
http://www.redhat.com/apps/download. To find the latest dependent
RPM enter the RPM's name in the "By Keyword" box.
C. To subscribe to automatically receive future HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:
Use your browser to access the HP IT Resource Center page
at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login
using your ID and password. Use your existing login or the
"Register" button at the left to create a login. Remember to
save the User ID assigned to you, and your password. This
login provides access to many useful areas of the ITRC.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server. You may also get the security-alert PGP key by
sending a message with a -subject- (not body) of
'get key' (no quotes) to security-alert@hp.com.
Permission is granted for copying and circulating this bulletin to
Hewlett-Packard Company (HP) customers (or the Internet community)
for the purpose of alerting them to problems, if and only if, the
bulletin is not edited or changed in any way, is attributed to HP,
and provided such reproduction and/or distribution is performed
for non-commercial purposes.
Any other use of this information is prohibited. HP is not
liable for any misuse of this information by any third party.
---------------------------------------------------------------
-----End of Document ID: HPSBTL0207-055--------------------------------------
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
IBM's AIX operating system does not ship with OpenSSL; however, OpenSSL is
available for installation on AIX via the Linux Affinity Toolkit. The
version included on the Toolkit CD is vulnerable to the issues discussed
here as will as the version of OpenSSL available for downloading from the
IBM Linux Affinity website. Anyone running this version is advised to
upgrade to the new version available from the website. This will be
available within the next few days and can be downloaded from
http://www6.software.ibm.com/dl/aixtbx/aixtbx-p
This site contains Linux Affinity applications using cryptographic
algorithms. New users to this site are asked to register first.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Affected
Updated: August 16, 2002
Status
Affected
Vendor Statement
Juniper has determined that our JUNOS Internet software (on M- and T-series routers) and the software running on our SDX and SSC products are potentially susceptible to the security vulnerabilities in OpenSSL. Corrected software images will be available for customer download shortly.
Software for our G10 CMTS product and our ERX products is unaffected by these vulnerabilities.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Affected
Updated: September 23, 2002
Status
Affected
Vendor Statement
Mandrake Linux update advisory MDKSA-2002:046-1 fixes all of these issues in OpenSSL. Please see
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Affected
Notified: July 29, 2002 Updated: September 23, 2002
Status
Affected
Vendor Statement
Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-009
=================================
(updated 2002/9/22)
Topic:Multiple vulnerabilities in OpenSSL code
Version:NetBSD-current: source prior to August 10, 2002
NetBSD-1.6 beta: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: not applicable
pkgsrc: prior to openssl-0.9.6f
Severity:Potential for remote root exploit
Fixed:NetBSD-current:August 10, 2002
NetBSD-1.6 branch:August 11, 2002 (1.6 includes the fix)
NetBSD-1.5 branch:August 31, 2002
pkgsrc:openssl-0.9.6f (or later)
NOTE: previous advisory had fixed dates prior to August 10.
There were errors found in the vendor-supplied fix, therefore
the fixed dates were modified. Sorry for the confusion and
thanks for the patience.
NOTE: previous revision of advisory suggested that 1.5 branch
was fixed on August 1, however the fix was found to be
insufficient. Therefore, users of 1.5 should apply the fix
presented in this revised advisory. Sorry for the confusion
and thanks for the patience.
NOTE: previous revision of advisory suggested that 1.5 branch
can be fixed by rebuilding part of the source code tree (shared
library). However, it was incorrect. Follow the instruction below
and perform a full build. Sorry for the confusion and thanks for
the patience.
Abstract
========
There are multiple vulnerabilities found in openssl 0.9.6e and prior
releases. There are four remotely-exploitable buffer overruns in SSL2/3
code. The ASN1 parser can be confused by invalid encodings (SSL/TLS
code affected).
None of these services are enabled by default in NetBSD, however, by
enabling services built with these libraries, a system would become
vulnerable.
- From the OpenSSL advisory:
"Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable."
After the above advisory was published,
- 0.9.6e was found to be vulnerable, and 0.9.6f was released.
- 0.9.6f had some build framework errors, and 0.9.6g was released.
The NetBSD fix includes OpenSSL 0.9.6g.
Technical Details
=================
http://www.openssl.org/news/secadv_20020730.txt
http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php
Solutions and Workarounds
=========================
The recent NetBSD 1.6 release is not vulnerable to this issue. A full
upgrade to NetBSD 1.6 is the recommended resolution for all users able
to do so. Many security-related improvements have been made, and
indeed this release has been delayed several times in order to include
fixes for a number of recent issues.
The following instructions describe how to upgrade your libcrypto/libssl
binaries by updating your source tree and rebuilding and
installing a new version of libcrypto/libssl.
Be sure to restart running instances of programs that use crypto libraries
(like sshd) after upgrading shared libraries.
If you have any statically-linked binaries that linked against a
vulnerable libcrypto and/or libssl, you need to recompile them.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-10
should be upgraded to NetBSD-current dated 2002-08-10 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
crypto/Makefile.openssl
crypto/dist/openssl
lib/libcrypto
lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
lib/libcrypto lib/libssl
# make includes
# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl
# make cleandir dependall
# make install
* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should
be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the
NetBSD 1.6 branch dated 2002-08-11 or later should be used.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
crypto/Makefile.openssl
crypto/dist/openssl
lib/libcrypto
lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
crypto/dist/openssl lib/libcrypto lib/libssl
# make includes
# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl
# make cleandir dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5.x dated from before 2002-08-31
should be upgraded to NetBSD-1.5 branch dated 2002-08-31 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch. Due to the shlib major bump in libcrypto/libssl
large number of shared libraries has to be rebuilt:
crypto/Makefile.openssl
crypto/dist/openssl
lib/libasn1
lib/libcom_err
lib/libcrypto
lib/libgssapi
lib/libhdb
lib/libkadm
lib/libkadm5clnt
lib/libkadm5srv
lib/libkafs
lib/libkdb
lib/libkrb
lib/libkrb5
lib/libkstream
lib/libroken
lib/libsl
lib/libss
lib/libtelnet
usr.bin/openssl
All userland tools that use openssl needs to be rebuilt, due to the
shlib major bump. Therefore, full rebuild is suggested. Make sure to
rebuild all binaries installed by pkgsrc as well.
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-5 <directories listed above>
# make build
* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
OpenSSL was not included in the base system in NetBSD-1.4.*
Follow the directions for pkgsrc if you have installed it from
pkgsrc.
* pkgsrc:
openssl (pkgsrc/security/openssl) prior to 0.9.6f are
vulnerable. Upgrade to openssl-0.9.6f or later; pkgsrc
currently contains 0.9.6g at time of this writing.
Packages which require openssl can be found by running 'pkg_info
openssl'. Depending on the method you choose to update pkgsrc
packages, a rebuild of the packages on that list may be
performed for you by the package system. If you update using the
experimental 'make replace' target, you will need to manually
update any packages which build static binaries with libssl.a
and libcrypto.a
If you have statically linked binaries in pkgsrc, they have to be
rebuilt. Statically linked binaries can be identified by the
following command (note: be sure to include the directory you install
pkgsrc binaries to, if you've changed LOCALBASE from the default of
/usr/pkg)
file /usr/pkg/{bin,sbin,libexec} | grep static
Thanks To
=========
A.L. Digital Ltd and John McDonald of Neohapsis.
Adi Stav and James Yonan.
CERT and the OpenSSL team.
Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD
source tree, and preparing the initial advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.
Revision History
================
2002-08-01Initial release based on 0.9.6e
2002-08-11based on 0.9.6f
2002-08-311.5 pullup done, 0.9.6g
2002-09-16Re-release with updated information
More Information
================
An up-to-date PGP signed copy of this release will be maintained at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-009.txt,v 1.39 2002/09/23 01:57:19 itojun Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPY51AD5Ru2/4N2IFAQEjJQP9GumaWgktTcobgsO+3Iq+x0Adg/fTMZ4r
hUPQNT1wTAFep9iSGJz+f8G4CvJjvbzplHhvcjPL14zbs+8U/cZhjeeLibJKgoCt
7Hwu9QLq12x0VlUoj0G1HJSQFKBO/+zFvCSxF1M/+pldOv6mfoEHygBM/xoRPHUI
z5G1Uv/irT8=
=ELua
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenLDAP Affected
Notified: July 30, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
Rebuilding OpenLDAP with updated versions of OpenSSL should adequately address reported issues. Those using packaged versions of OpenLDAP should contact the package distributor for update information.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenPKG Affected
Updated: August 09, 2002
Status
Affected
Vendor Statement
See http://www.openpkg.org/security/OpenPKG-SA-2002.008-openssl.html.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
openpkg-security@openpkg.org openpkg@openpkg.org
OpenPKG-SA-2002.008 30-Jul-2002
________________________________________________________________________
Package: openssl
Vulnerability: denial of service / remote root exploit
OpenPKG Specific: no
Affected Releases: OpenPKG 1.0 OpenPKG CURRENT
Affected Packages: <= openssl-0.9.6b-1.0.0 <= openssl-0.9.6d
Corrected Packages: >= openssl-0.9.6b-1.0.1 >= openssl-0.9.6e
Dependent Packages: apache apache
curl bind
fetchmail cadaver
imapd cpu
inn curl
links dsniff
lynx exim
mutt fetchmail
openldap imapd
openssh inn
perl-ssl links
postfix lynx
postgresql mutt
qpopper neon
samba openldap
sasl openssh
scanssh openvpn
sendmail perl-ssl
siege postfix
sitecopy postgresql
snmp qpopper
stunnel rdesktop
tcpdump samba
w3m sasl
scanssh
sendmail
siege
sitecopy
snmp
stunnel
sysmon
tcpdump
w3m
Description:
According to an official security advisory from the OpenSSL team,
there are four remotely exploitable buffer overflows that affect
various OpenSSL client and server implementations [5]. There are
also parsing problems in the ASN.1 library used by OpenSSL. The
Common Vulnerabilities and Exposures (CVE) project assigned the
ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
could be used by a remote attacker to execute arbitrary code on the
target system. All could be used to create a denial of service.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution). Additionally, you have to rebuild and reinstall all
dependent OpenPKG packages, too. [2]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4], fetch it from the OpenPKG FTP service [3] or a mirror location,
verify its integrity [1], build a corresponding binary RPM from it
and update your OpenPKG installation by applying the binary RPM [2].
For the latest OpenPKG 1.0 release, perform the following operations
to permanently fix the security problem (for other releases adjust
accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.0/UPD
ftp> get openssl-0.9.6b-1.0.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
$ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm
Now proceed and rebuild and reinstall all dependent OpenPKG packages,
too (see list above).
________________________________________________________________________
References:
[1] http://www.openpkg.org/security.html#signature
[2] http://www.openpkg.org/tutorial.html#regular-source
[3] ftp://ftp.openpkg.org/release/1.0/UPD/
[4] ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
[5] http://www.openssl.org/news/secadv_20020730.txt
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenSSL Affected
Notified: July 22, 2002 Updated: July 30, 2002
Status
Affected
Vendor Statement
Please see http://www.openssl.org/news/secadv_20020730.txt.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Oracle Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
Please see http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002
OpenSSL Security Vulnerability
Products affected:
Oracle HTTP Server (OHS) shipped with the database up to and
including version 9.2.0.
Oracle9iAS versions earlier than 9.0.2, including all versions
1.0.2.x.
CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1,
3.1.2, and 3.3 on Windows 98, NT, 2K, XP.
Description:
There are remotely exploitable buffer overflow vulnerabilities in
OpenSSL versions prior to 0.9.6e.
These vulnerabilities may allow a remote attacker to execute
arbitrary code or perform a denial-of-service (DoS) attack.
These problems are described in the OpenSSL Security Advisory [30
July 2002]:
[25]http://www.openssl.org/news/secadv_20020730.txt
These problems are also described in CERT Advisory CA-2002-23:
[26]http://www.cert.org/advisories/CA-2002-23.html
Workarounds:
There are no workarounds against the potential denial-of-service
attack. Disabling SSL should prevent remote execution of code.
Users of Corporate Time Outlook Connector can disable TLS by adding
the following section to the CTOC.INI file:
[CTOC]
allow-tls=FALSE
NOTE:
Disabling SSL or TLS will result in data being transmitted in the
clear (i.e. unencrypted), including passwords when using Basic
Authentication.
Patch Information:
Patches will be made available on MetaLink for Patch 2492925 as
scheduled in the following table:
Product Download Release Solaris NT HPUX Linux AIX TRU64
iAS 1022 OHS .3.19 08/09/02 08/09/02 08/15/02 08/15/02 08/15/02
08/15/02
iAS 1021 OHS 1.3.12 08/08/02 08/08/02 08/09/02 08/09/02 08/09/02
08/09/02
iAS 1021s OHS 1.0.2.1s 08/08/02 08/08/02 08/12/02 08/12/02 08/12/02
08/12/02
iAS 102 iAS 1.0.2 08/09/02 08/09/02 08/14/02 08/14/02 08/14/02
08/14/02
RDBMS 9.2 Oracle 9.2.0.0 08/08/02 08/08/02 08/08/02 08/08/02
08/08/02 08/08/02
RDBMS 901 Oracle 9.0.1.0 08/09/02 08/09/02 08/13/02 08/13/02
08/13/02 08/13/02
RDBMS 817 Oracle 8.1.7.0 08/09/02 08/09/02 08/16/02 08/16/02
08/16/02 08/16/02
Upgrade Information:
New releases of the Corporate Time Outlook Connector will address
this vulnerability.
The following releases are scheduled to be released around 16
August, 2002:
1. CorporateTime Outlook Connector 3.3.1
2. Oracle Outlook Connector 3.4
Copyright © 2002, Oracle Corporation. All rights reserved.
[27]Contact Us | [28]Legal Notices and Terms of Use | [29]Privacy
Statement
References
25. http://www.openssl.org/news/secadv_20020730.txt
26. http://www.cert.org/advisories/CA-2002-23.html
27. http://otn.oracle.com/contact
28. http://www.oracle.com/html/index.html?copyright.html
29. http://www.oracle.com/html/index.html?privacy.html
If you have feedback, comments, or additional information about this vulnerability, please send us email.
RSA Security Affected
Updated: September 13, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Inc. Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Affected
Vendor Statement
Red Hat distributes affected versions of OpenSSL in all Red Hat Linux distributions as well as the Stronghold web server. Red Hat Linux errata packages that fix the above vulnerabilities (CAN-2002-0655 and CAN-2002-0656) are available from the URL below. Users of the Red Hat Network are able to update their systems using the 'up2date' tool. A future update will fix the potential remote DOS in the ASN.1 encoding (CAN-2002-0659).
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Secure Computing Corporation Affected
Updated: September 30, 2002
Status
Affected
Vendor Statement
In response to the CERT Advisory CA-2002-23, Secure Computing has posted a software patch for all users of the SafeWord PremierAccess version 3.1 authentication system. All existing and new customers are advised to download and apply PremierAccess Patch 1. Patch 1(3.1.0.01) is available for immediate web download at
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Affected
Updated: September 23, 2002
Status
Affected
Vendor Statement
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: openssl/Slapper worm
Announcement-ID: SuSE-SA:2002:033
Date: Thu Sep 19 2002
Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
SuSE Linux Database Server,
SuSE eMail Server III,
SuSE eMail Server 3.1,
SuSE Linux Enterprise Server,
SuSE Linux Firewall on CD,
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: buffer overflow
Severity (1-10): 9
SuSE default package: yes
Cross References:CVE CAN-2002-0655, CAN-2002-0656,
CAN-2002-0659, SuSE-SA:2002:027
Content of this advisory:
1) vulnerabilities in openssl libraries; Slapper worm
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
This advisory is issued in an attempt to clarify any issues
surrounding the recently discovered Apache/mod_ssl worm.
On July 30, we released a security advisory concerning vulnerabilities
in OpenSSL, including a buffer overflow in the SSL code. This
vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory
http://www.cert.org/advisories/CA-2002-23.html) is currently being
exploited by a worm called Slapper, propagating through Apache's
mod_ssl module.
It is worth noting that even though the worm infects Apache through
mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in
the OpenSSL library used by mod_ssl.
This also means that Apache may not be the only service vulnerable
to an attack via the SSL bug. Similar exploits may be possible
against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled
services.
As a workaround, it is also possible to disable SSLv2 in mod_ssl
(as described in our previous advisory SuSE-SA:2002:027;
http://www.suse.com/de/security/2002_027_openssl.html), but you
should be aware that this does not protect other SSL based servers
that may be running on your machine.
We have received numerous inquiries from SuSE users on whether the
update packages provided by SuSE as part of SA:2002:027 fix this bug
even though they do not contain the latest OpenSSL version recommended
in various advisories.
To clarify this, we would like to state that these packages DO FIX
the bug exploited by the Slapper worm. Following established policy,
we did this by applying a source code patch instead of upgrading to
a newer version, because the latter usually causes serious problems
for many users (in particular, different versions of OpenSSL libraries
are not always API compatible).
However, it turns out that a number of packages were statically
linked against OpenSSL libraries:
mod_ssl (SuSE Linux 7.0):
We have released rebuilt mod_ssl packages linked against the
most recent OpenSSL libraries.
If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl,
too.
sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
Sendmail-tls, the SSL enabled version of sendmail, was linked
statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security
impact of this problem is probably the same as with Apache and
mod_ssl.
We are releasing rebuilt packages linked against the most
OpenSSL libraries.
Sendmail-tls is not part of the default installation profile.
If you are using sendmail-tls, we strongly recommend you upgrade
to the latest packages provided on our FTP servers.
openssh (SuSE Linux 7.1, 7.2 and 7.3):
Ssh and sshd do not use any SSL functionality, and thus are not
susceptible to the type of attack carried out by the Slapper worm.
To date, we are not aware of any way to exploit them. We nevertheless
recommend to upgrade to the latest versions provided on our FTP site.
freeswan (SuSE Linux 7.1, 7.2):
FreeSWAN includes a utility named fswcert for creating and
manipulating X.509 certificates, which is also linked statically
against libcrypto.
To date, we are not aware of any way to exploit them. We
nevertheless recommend to upgrade to the latest versions provided
on our FTP site as soon as they become available (2002 Sep 20).
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
mod_php4:
we are preparing an update of mod_php4 addressing various
vulnerabilities that have been published recently.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
package file.
Prerequisites:
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
<suse-security-subscribe@suse.com>.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:
<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.
=====================================================================
SuSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv
iQEUAwUBPYrQdney5gA9JdPZAQEx+wf1GPGG2o1vDa1V/jqaL6typ0jNlq1Rb8nG
lcI3Dp5V3lKBCOmMkRLdBE6+FNCRaEi6dN001WzJFsAMt4QjxW3Zk3ix8vRwPdgw
1jVSJkh+7yKQttMki7ff2SmmEbVBg+kmnVKq0GRQoOJlVN7L7RdzyjdMyYwnqxRG
T37bZMwgl+76qkZWuVNKwukRYkopb6PT5nszVjSFwcX69yTu+tO5Y0INyHi6dWXY
b8nxN24Lg0DSTgH85bG8fW1Ad02o9Iv7RPS6W1Geu+yq8TgxES9oCZatltU6r4yX
F2AjkRMipCagdHc+aMSCtnoFC3Yes/vySJUE80iTbCy9dno5eJ/a
=pVWJ
-----END PGP SIGNATURE-----
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Trustix Affected
Updated: August 09, 2002
Status
Affected
Vendor Statement
See http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt, and "Addition to Trustix Secure Linux Bugfix Advisory #2002-0063" below.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0063
Package name: openssl
Summary: Multiple security problems
Date: 2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description:
Several severe security problems have been found in the openssl source
code which upon the TSL openssl packages are based. Most of these
vulnerabilities have a potential for remote expoitation, even though no
exploits are currently released.
The upstream development group have provided us with patches that fixes
the problems.
These issues have been asigned the following CVE names:
CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.
More information:
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659>
Action:
We recommend that all systems with this package installed are upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>
Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.2/> and
<URI:http://www.trustix.net/errata/trustix-1.5/>
or directly at
<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt>
MD5sums of the packages:
- --------------------------------------------------------------------------
0c51861ce4432c3f669657e2c4971c6f ./1.5/SRPMS/openssl-0.9.6-10tr.src.rpm
eb8a64dba138584b8085aec8d9ccaf0c ./1.5/RPMS/openssl-support-0.9.6-10tr.i586.rpm
9db293f035fbd82a3482ab87d3465eb2 ./1.5/RPMS/openssl-python-0.9.6-10tr.i586.rpm
582d08bb63676a33da1aa89a33a05914 ./1.5/RPMS/openssl-devel-0.9.6-10tr.i586.rpm
2d05569684b868cbacca9e389ded3f0f ./1.5/RPMS/openssl-0.9.6-10tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.2/SRPMS/openssl-0.9.6-3tr.src.rpm
84b50e02167b61a9d3093bcc055c7b45 ./1.2/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
b0c3b99917e1c69f593a74b9989a33f9 ./1.2/RPMS/openssl-0.9.6-3tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.1/SRPMS/openssl-0.9.6-3tr.src.rpm
111d6f3e42c2410a11ac4704036a31ef ./1.1/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
23d4bef487e86dfff1854f3f3c6fd867 ./1.1/RPMS/openssl-0.9.6-3tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9RSsqwRTcg4BxxS0RAgv0AJsGLRMNaZ2pmZdE4NRQCLgfRpNLygCdHfkE
3bFFVLoH4NXOBs+mT/i8T4E=
=Ydxh
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Addition to Trustix Secure Linux Bugfix Advisory #2002-0063
Package name: openssl
Summary: Restart services
Date: 2002-08-01
Affected versions: TSL 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description:
I really hope all of you have updated the openssl package. :)
Most of you know this already, and I'm sorry I didn't include this in
the openssl advisory earlier this week. But here it goes:
Since openssl is a shared library, all services linked against this
library must be restarted for the changes to take affect.
The list of services is long and includes (but are not limited to):
httpd (mod_php4 is linked against libssl)
httpsd
simap
pop3s
postfix
postgresql
smb (maybe also winbind)
sshd
Action:
We recommend that all services that are linked against openssl are
restarted.
Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>
Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9SQ9hwRTcg4BxxS0RAvABAJ4jrAH8CyFLWpcGguZElQgdL88tmgCfXv2Z
AorvR78koxCwr7qGSPbZX+A=
=WAGZ
-----END PGP SIGNATURE-----
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Inktomi Corporation Not Affected
Updated: September 17, 2002
Status
Not Affected
Vendor Statement
As noted in the advisory, server log messages such as
GET /mod_ssl:error:HTTP-request HTTP/1.0
do not necessarily indicate access by a compromised system. Any HTTP request to a port expecting to serve HTTPS requests will generate this log message. The Inktomi web crawler follows URL links published on public web pages and is sometimes incorrectly directed to https servers. The crawler does not use Apache nor mod_ssl (nor any kind of SSL), so it is not subject to the compromise described in this advisory. But crawler requests can match two of the listed symptoms of the Apache/mod_ssl worm:
Probing -- Scanning on 80/tcp
Propagation -- Connections to 443/tcp
The crawler does not use port 2002 nor UDP. Port 80 access or HTTPS handshake errors from an Inktomi web crawler do not represent an attack on your web server.
Inktomi crawler systems have hostnames of the form
j[1-9][0-9][0-9][0-9].inktomisearch.com
si[1-9][0-9][0-9][0-9].inktomisearch.com
The IP addresses of Inktomi crawler hosts will reverse-DNS resolve to a name of this form.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The advisory mentioned in the statement above refers to CERT® Advisory CA-2002-27 Apache/mod_ssl Worm. It had initially misidentified early reports of log entries containing "GET /mod_ssl:error:HTTP-request HTTP/1.0" as potential signs of infection with the Apache/mod_ssk "Slapper" Worm.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lotus Development Corporation Not Affected
Notified: July 29, 2002 Updated: August 09, 2002
Status
Not Affected
Vendor Statement
Lotus products do not use OpenSSL or an SSLeay library, so they are not vulnerable. We further analyzed our SSL implementation for the issues reported in the advisory and determined that our products are not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Not Affected
Updated: September 26, 2002
Status
Not Affected
Vendor Statement
Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apache Unknown
Notified: July 30, 2002 Updated: August 09, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apache-SSL Unknown
Notified: July 29, 2002 Updated: August 09, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NCSA Unknown
Notified: July 30, 2002 Updated: August 09, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
Acknowledgements
The CERT/CC thanks Greg Shipley of Neohapsis for reporting this issue to us. John McDonald
This document was written by Jason A Rafail.
Other Information
CVE IDs: | CVE-2002-0656 |
CERT Advisory: | CA-2002-23 |
Severity Metric: | 17.63 |
Date Public: | 2002-07-30 |
Date First Published: | 2002-07-30 |
Date Last Updated: | 2002-09-30 20:51 UTC |
Document Revision: | 38 |