Apache Unknown

Notified:  July 30, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apache-SSL Unknown

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

The vulnerabilities described in this note are fixed with Security Update 2002-08-02.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Covalent Affected

Notified:  July 30, 2002 Updated: September 17, 2002

Status

Affected

Vendor Statement

Covalent Technologies has been informed by RSA Security that the BSAFE libraries used in Covalent's SSL implementations are potentially vulnerable to the SSL V2 negotiation issue detailed in VU#102795 and the related CA-2002-23 and CA-2002-27 advisories. All Covalent products using SSL are affected. Covalent has product updates and additional information available at:

http://www.covalent.net/products/rotate.php?page=110

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Please see http://www.debian.org/security/2002/dsa-136

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

Debian Security Advisory DSA-136-1                     security@debian.org
http://www.debian.org/security/                        Wichert Akkerman
July 30, 2002

Package        : openssl
Problem type   : multiple remote exploits
Debian-specific: no
CVE            : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms.

CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue.

CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and openssl_0.9.6c-2.woody.0.

These vulnerabilities are also present in Debian 2.2 (potato), but no fix is available at this moment.

We recommend you upgrade your OpenSSL as soon as possible. Note that you should restart any daemons running SSL. (E.g., ssh or ssl-enabled apache.)

Obtaining updates:

By hand:
  wget URL
     will fetch the file for you.
  dpkg -i FILENAME.deb
     will install the fetched file.

With apt:
  deb http://security.debian.org/ stable/updates main
     added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages at http://www.debian.org/security/

Debian 3.0 (stable)

Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Source archives:

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0.dsc
    Size/MD5 checksum:      782 de4c7b85648c7953dc31d3a89c38681c
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0.diff.gz
    Size/MD5 checksum:    42270 e9fbf71f583f1727222eddb8f023472a
  http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.0.dsc
    Size/MD5 checksum:      781 534406f61e0229e92f506e9bc92fdaf1
  http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.0.diff.gz
    Size/MD5 checksum:    45542 f4683a2fb7adc0fef97a31ac141e3acd
  http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.0.diff.gz
    Size/MD5 checksum:    38251 ee919ba698cbbfebcf922b19e05bbfeb
  http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
    Size/MD5 checksum:  1570392 72544daea16d6c99d656b95f77b01b2d
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
    Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
  http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.0.dsc
    Size/MD5 checksum:      731 370bd2a3bb4bd957c571b7e0e51837ce
  http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
    Size/MD5 checksum:  1892089 99d22f1d4d23ff8b927f94a9df3997b4

Architecture independent packages:

  http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.0_all.deb
    Size/MD5 checksum:      978 550d56ffa53e3e8ef26087b1fef5a1c5

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_alpha.deb
    Size/MD5 checksum:   735692 786b81d45374fa91a204a578d09dea6b
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_alpha.deb
    Size/MD5 checksum:  1550722 ac0d245d8d2e744d688c2778382513da
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_alpha.deb
    Size/MD5 checksum:   570630 c46d9dcac74f3766a48d8fe36d8dcb05

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_hppa.deb
    Size/MD5 checksum:   741398 9a081e5359cdf46e56a1854bcbff7af3
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_hppa.deb
    Size/MD5 checksum:  1434262 b9014a44cbefabce2c446b5b7be640f9
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_hppa.deb
    Size/MD5 checksum:   564284 be33bde9b00138d7ab6639daf9dc4cfe

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_i386.deb
    Size/MD5 checksum:   731384 101d86cf6e2e274e5a811a38f5956b2d
  http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.0_i386.deb
    Size/MD5 checksum:   357908 49dd8e2dc866b9bd7639c5e7576e7519
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_i386.deb
    Size/MD5 checksum:   462026 859c8e6439943d597db12d47ec1ee496
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_i386.deb
    Size/MD5 checksum:  1293384 3e605b6e1abc0b0f40c6ec3ddf2b9419
  http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.0_i386.deb
    Size/MD5 checksum:   400048 7495feff7cbcae0f816641b8d7537ad1

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_ia64.deb
    Size/MD5 checksum:  1614810 48c24d1b8c221e51a1e6f789b2621b40
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_ia64.deb
    Size/MD5 checksum:   763034 13e3e71cc06198e6a481d958854a1f78
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_ia64.deb
    Size/MD5 checksum:   710254 792b4575a78dafac7f99919d9c5a9f78

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_mips.deb
    Size/MD5 checksum:   717276 4a2d38551b10dc1316bd3479d044261b
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_mips.deb
    Size/MD5 checksum:   482968 f37975dfb58f53950e98e8adce007cd9
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_mips.deb
    Size/MD5 checksum:  1415580 e87350a24e7d0bc4558cc09711246eab

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_mipsel.deb
    Size/MD5 checksum:  1409480 70e26b6de02b0749e9d30fb4e8d0bbc3
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_mipsel.deb
    Size/MD5 checksum:   475990 1f96c9c2528316857598262b40a9b9ca
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_mipsel.deb
    Size/MD5 checksum:   716482 a89cfa547f585e6858593506ed9b2257

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_powerpc.deb
    Size/MD5 checksum:   501824 bfca4d6a8e3b348abb8ed97453349752
  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_powerpc.deb
    Size/MD5 checksum:   726122 9db6440fb0765c1360a7c09dec78f404
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_powerpc.deb
    Size/MD5 checksum:  1386244 06a403323563b590311b1297e4f63a5d

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_s390.deb
    Size/MD5 checksum:   730124 6585907e414d4508a66460649de0c701
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
    Size/MD5 checksum:  1310886 d6e233ab6d3f1ebe4fd9b479713ee662
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_s390.deb
    Size/MD5 checksum:   495844 afb314f4d0113175d27435485ba2de07

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_sparc.deb
    Size/MD5 checksum:   736604 ebd2b62518e0602fbf1027686c0eb5e5
  http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_sparc.deb
    Size/MD5 checksum:   484136 e26006714e97d77159f2d0773e00e636
  http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_sparc.deb
    Size/MD5 checksum:  1343554 76c3efda7e4a3470c5276cefa63a2448

Debian Security team
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPUaKwajZR/ntlUftAQGXkQL/anYU8ZtJFkL/TMGvoXl/flgBSbUoJ8eH
sIDsZWuh0DIJmo7vy8bXlzjTUM0Cwal5q3ZkQ4RJJjY35rWGh0uFT2tfUMYsrSR9
H/qMh54TrQl3eVSM2F1IvmFE0jTnZGD+
=TZ0F
-----END PGP SIGNATURE-----

Gentoo Linux Affected

Updated:  August 09, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

GENTOO LINUX SECURITY ANNOUNCEMENT

PACKAGE : openssl
SUMMARY : denial of service / remote root exploit
DATE    : 2002-07-30 16:15:00

OVERVIEW

Multiple potentially remotely exploitable vulnerabilities have been found in OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The full advisory can be read at http://www.openssl.org/news/secadv_20020730.txt

SOLUTION

It is recommended that all Gentoo Linux users update their systems as follows.

  emerge --clean rsync
  emerge openssl
  emerge clean

After the installation of the updated OpenSSL you should restart the services that use OpenSSL, which include such common services as OpenSSH, SSL-enabled POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well. Also, if you have an application that is statically linked to openssl you will need to re-emerge that application to build it against the new OpenSSL.

Daniel Ahlberg
aliz@gentoo.org

Guardian Digital Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

See http://www.linuxsecurity.com/advisories/other_advisory-1338.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

EnGarde Secure Linux Security Advisory                     July 30, 2002
http://www.engardelinux.org/                               ESA-20020730-019
Packages: openssl, openssl-misc
Summary: several vulnerabilities in the openssl library.

EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools.

OVERVIEW

There are several potentially exploitable vulnerabilities in the OpenSSL toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) under the DARPA program CHATS. Through this review, the following vulnerabilities were discovered:

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

4. The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3, and CAN-2002-0659 to issue 4.

SOLUTION

Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically.

EnGarde Community users should upgrade to the most recent version as outlined in this advisory. Updates may be obtained from:

  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
  http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

  a) be booted into a "standard" kernel; or
  b) have LIDS disabled.

To disable LIDS, execute the command:

  # /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

  # rpm -Uvh files

You must now update the LIDS configuration by executing the command:

  # /usr/sbin/config_lids.pl

To re-enable LIDS (if it was disabled), execute the command:

  # /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signatures of the updated packages, execute the command:

  # rpm -Kv files

UPDATED PACKAGES

These updated packages are for EnGarde Secure Linux Community Edition.

Source Packages:
  SRPMS/openssl-0.9.6-1.0.16.src.rpm
    MD5 Sum: 158ff68fb5474993694d1dd3f623b921

Binary Packages:
  i386/openssl-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 9f7bd4009f352a3a3a3519c97ebe988d
  i386/openssl-misc-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 281794e60d923df695f6bcf8aa17055b
  i386/openssl-devel-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 18b3ecd6b9d210180457caeb50a1331e
  i686/openssl-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 872eadde6cb52bcf93fae967c72949b1
  i686/openssl-misc-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 3baf870cbc35f3425cbd3110714ca3ed
  i686/openssl-devel-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 718f5a6c89fac22f338177134fd5e6bd

REFERENCES

Guardian Digital's public key:
  http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

OpenSSL's Official Web Site:
  http://www.openssl.org/

Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html

$Id: ESA-20020730-019-openssl,v 1.2 2002/07/30 12:05:04 rwm Exp $

Author: Ryan W. Maple
Copyright 2002, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9RpOJHD5cqd57fu0RAgcDAKCJ9ZLCQT+syCgSTwGR24vWbnxavwCgoUnm
JbqLWW/qISBmKIMfBsSgR5c=
=edXn
-----END PGP SIGNATURE-----
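The SSL2 client-master-key overrun that the Gentoo and EnGarde advisories above both list as issue 1 (CAN-2002-0656) comes down to one pattern: a length field chosen by the peer is trusted before the copy into a fixed-size buffer. The Python below is an added example, not OpenSSL's code and not taken from any vendor advisory on this page. It parses an SSL 2.0 record carrying a CLIENT-MASTER-KEY message and compares each declared length with the buffer it would be copied into before any slice is taken, so an oversized clear-key or key-arg field is rejected instead of overrunning. MAX_MASTER_KEY_LEN and MAX_KEY_ARG_LEN are assumed buffer sizes picked for the illustration, and build_record() constructs the sample inputs; neither is OpenSSL's own constant or API.

```python
"""Parse an SSL 2.0 CLIENT-MASTER-KEY message, checking every length first.

Added example; not OpenSSL's code and not from any vendor advisory on this
page.  MAX_MASTER_KEY_LEN and MAX_KEY_ARG_LEN are assumed buffer sizes chosen
for the illustration; sample records are constructed by build_record().
"""
import struct

SSL2_MT_CLIENT_MASTER_KEY = 2
MAX_MASTER_KEY_LEN = 48      # assumption: 384-bit master-key buffer
MAX_KEY_ARG_LEN = 8          # assumption: key-arg (IV) buffer


class SSL2Error(ValueError):
    """Raised for a malformed record or a length that would overrun a buffer."""


def parse_ssl2_record(data):
    """Return the body of an SSL 2.0 record.  Header is 2 bytes (bit 7 set,
    15-bit length, no padding) or 3 bytes (14-bit length, padding count)."""
    if len(data) < 2:
        raise SSL2Error("record shorter than header")
    b0, b1 = data[0], data[1]
    if b0 & 0x80:
        length, hdr, pad = ((b0 & 0x7F) << 8) | b1, 2, 0
    else:
        if len(data) < 3:
            raise SSL2Error("record shorter than header")
        length, hdr, pad = ((b0 & 0x3F) << 8) | b1, 3, data[2]
    body = data[hdr:hdr + length]
    if len(body) != length:
        raise SSL2Error("record truncated: header claims %d bytes, got %d"
                        % (length, len(body)))
    if pad > length:
        raise SSL2Error("padding count exceeds record length")
    return body[:length - pad]


def parse_client_master_key(body):
    """Parse CLIENT-MASTER-KEY.  All three lengths are peer-supplied; the
    unsafe pattern is to copy that many bytes into a fixed buffer, so each
    length is compared with its buffer size before any slice is taken."""
    if len(body) < 10:
        raise SSL2Error("CLIENT-MASTER-KEY header truncated")
    if body[0] != SSL2_MT_CLIENT_MASTER_KEY:
        raise SSL2Error("unexpected message type %d" % body[0])
    cipher_kind = body[1:4]
    clear_len, enc_len, arg_len = struct.unpack(">HHH", body[4:10])
    if clear_len > MAX_MASTER_KEY_LEN:
        raise SSL2Error("clear-key length %d exceeds %d-byte buffer"
                        % (clear_len, MAX_MASTER_KEY_LEN))
    if arg_len > MAX_KEY_ARG_LEN:
        raise SSL2Error("key-arg length %d exceeds %d-byte buffer"
                        % (arg_len, MAX_KEY_ARG_LEN))
    expected = 10 + clear_len + enc_len + arg_len
    if len(body) != expected:
        raise SSL2Error("message is %d bytes but declared lengths total %d"
                        % (len(body), expected))
    off = 10
    clear_key = body[off:off + clear_len]
    off += clear_len
    encrypted_key = body[off:off + enc_len]
    off += enc_len
    key_arg = body[off:off + arg_len]
    return {"cipher_kind": cipher_kind, "clear_key": clear_key,
            "encrypted_key": encrypted_key, "key_arg": key_arg}


def build_record(cipher_kind, clear_key, encrypted_key, key_arg):
    """Build a CLIENT-MASTER-KEY record with a 2-byte header (test helper)."""
    body = (bytes([SSL2_MT_CLIENT_MASTER_KEY]) + cipher_kind
            + struct.pack(">HHH", len(clear_key), len(encrypted_key), len(key_arg))
            + clear_key + encrypted_key + key_arg)
    if len(body) > 0x7FFF:
        raise SSL2Error("body too long for a 2-byte header")
    return struct.pack(">H", 0x8000 | len(body)) + body


def check_record(data):
    """Return 'ok' or 'rejected: <reason>'; convenient in a replay/fuzz loop."""
    try:
        parse_client_master_key(parse_ssl2_record(data))
        return "ok"
    except SSL2Error as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    kind = b"\x01\x00\x80"   # constructed cipher-kind value for the demo
    print(check_record(build_record(kind, b"\x00" * 11, b"\x55" * 128, b"")))
    print(check_record(build_record(kind, b"A" * 200, b"\x55" * 128, b"")))
```

The second call in the main block is the shape of the reported bug: a 200-byte clear key declared against a 48-byte buffer. The parser rejects it at the length comparison, before the slice, which is the check a server-side implementation has to make before its memcpy.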

Hewlett-Packard Company Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Support Information Digests

o Security Bulletin Digest Split

The security bulletins digest has been split into multiple digests based on the operating system (HP-UX, MPE/iX, and HP Secure OS Software for Linux). You will continue to receive all security bulletin digests unless you choose to update your subscriptions. To update your subscriptions, use your browser to access the IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Under the Maintenance and Support Menu, click on the "more..." link. Then use the 'login' link at the left side of the screen to login using your IT Resource Center User ID and Password. Under the notifications section (near the bottom of the page), select Support Information Digests. To subscribe or unsubscribe to a specific security bulletin digest, select or unselect the checkbox beside it. Then click the "Update Subscriptions" button at the bottom of the page.

o IT Resource Center World Wide Web Service

If you subscribed through the IT Resource Center and would like to be REMOVED from this mailing list, access the IT Resource Center on the World Wide Web at: http://www.itresourcecenter.hp.com/ Login using your IT Resource Center User ID and Password. Then select Support Information Digests (located under Maintenance and Support). You may then unsubscribe from the appropriate digest.

Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Wed Aug 7 3:00:03 PDT 2002

Table of Contents:
  Document ID      Title
  HPSBTL0207-055   Security vulnerability in openssl (ref. 1)

The documents are listed below.

Document ID: HPSBTL0207-055
Date Loaded: 20020730
Title: Security vulnerability in openssl (ref. 1)

TEXT

HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBTL0207-055
Originally issued: 30 July '02
** Rev. 1 ** 06 August '02

The information in the following Security Bulletin should be acted upon as soon as possible.
Hewlett-Packard Company will not be liable for any consequences to any customer resulting from the customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

Because the vulnerability does not require an HP Secure OS 1.0 patch or re-packaging of the RPM affected by the bulletin, the RPMs have not been produced or tested by Hewlett-Packard Company.

PROBLEM:        Updated OpenSSL packages fix several vulnerabilities
PLATFORM:       Any system running HP Secure OS Software for Linux Release 1.0
DAMAGE:         Potential for remotely exploitable buffer overflow
SOLUTION:       Apply the appropriate RPMs (see section B below)
MANUAL ACTIONS: None
AVAILABILITY:   The RPMs are available now.
CHANGE SUMMARY: Rev. 1 Updated OpenSSL packages are available (RHSA-2002:160)

A. Background

OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A security audit of the OpenSSL code sponsored by DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 and 0.9.6d and earlier.

** Rev. 1 **
>>> Additional OpenSSL security vulnerabilities were found, corrected and updated in the RPM packages previously made available under Red Hat Security Advisory number RHSA-2002:155.

B. Fixing the problem

Hewlett-Packard Company recommends that customers install the RPMs listed in the following Red Hat Security Advisory in the section labeled "Red Hat Linux 7.1 i386".

** Rev. 1 **
>>> 2002-08-05 RHSA-2002:160 Updated openssl packages fix protocol parsing bugs
>>> http://rhn.redhat.com/errata/RHSA-2002-160.html

To install the security bulletin RPMs, use the following sequence of commands:

1. If you use the tripwire product, we recommend that you run a consistency check and fix any violations before installing the security bulletin RPM.

     tripwire --check --interactive

2. Install the bulletin RPM from the root account.

     rpm -F

3. Update the tripwire database

     tripwire --check --interactive

NOTE: The rpm -q command can be used to determine if the package is installed. Hewlett-Packard Company recommends applying the Security Bulletin fixes to installed packages only. The -F option to the RPM installer will only apply the fix if the package is currently installed on the system.

Dependent RPMs can be found by using the "Find Latest RPMs" search facility at http://www.redhat.com/apps/download. To find the latest dependent RPM enter the RPM's name in the "By Keyword" box.

C. To subscribe to automatically receive future HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:

Use your browser to access the HP IT Resource Center page at: http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login. Remember to save the User ID assigned to you, and your password. This login provides access to many useful areas of the ITRC.

In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".

To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.

or

To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.

D. To report new security vulnerabilities, send email to security-alert@hp.com

Please encrypt any exploit information using the security-alert PGP key, available from your local key server. You may also get the security-alert PGP key by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.
Permission is granted for copying and circulating this bulletin to Hewlett-Packard Company (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. -----End of Document ID: HPSBTL0207-055--------------------------------------

IBM Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

IBM's AIX operating system does not ship with OpenSSL; however, OpenSSL is available for installation on AIX via the Linux Affinity Toolkit. The version included on the Toolkit CD is vulnerable to the issues discussed here, as well as the version of OpenSSL available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to upgrade to the new version available from the website. This will be available within the next few days and can be downloaded from http://www6.software.ibm.com/dl/aixtbx/aixtbx-p. This site contains Linux Affinity applications using cryptographic algorithms. New users to this site are asked to register first.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Inktomi Corporation Not Affected

Updated:  September 17, 2002

Status

Not Affected

Vendor Statement

As noted in the advisory, server log messages such as

  GET /mod_ssl:error:HTTP-request HTTP/1.0

do not necessarily indicate access by a compromised system. Any HTTP request to a port expecting to serve HTTPS requests will generate this log message.

The Inktomi web crawler follows URL links published on public web pages and is sometimes incorrectly directed to https servers. The crawler does not use Apache nor mod_ssl (nor any kind of SSL), so it is not subject to the compromise described in this advisory. But crawler requests can match two of the listed symptoms of the Apache/mod_ssl worm:

  Probing -- Scanning on 80/tcp
  Propagation -- Connections to 443/tcp

The crawler does not use port 2002 nor UDP. Port 80 access or HTTPS handshake errors from an Inktomi web crawler do not represent an attack on your web server.

Inktomi crawler systems have hostnames of the form

  j[1-9][0-9][0-9][0-9].inktomisearch.com
  si[1-9][0-9][0-9][0-9].inktomisearch.com

The IP addresses of Inktomi crawler hosts will reverse-DNS resolve to a name of this form.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The advisory mentioned in the statement above is CERT® Advisory CA-2002-27, Apache/mod_ssl Worm. Early revisions of that advisory misidentified log entries containing "GET /mod_ssl:error:HTTP-request HTTP/1.0" as potential signs of infection with the Apache/mod_ssl "Slapper" worm.
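The point Inktomi makes above is that the mod_ssl:error entry is produced by any plaintext HTTP request on the HTTPS port, so it separates nothing on its own; what separates crawler traffic from a probe is who sent it. The Python below is an added example, not code from Inktomi or the CERT/CC. It picks the mod_ssl:error requests out of Apache common-format access log lines, reverse-resolves each source address and labels it as an Inktomi crawler when the name matches the published hostname pattern. It also forward-resolves that name and requires it to map back to the same address; that anti-spoofing step is an addition the statement does not ask for, since a PTR record is set by whoever controls the address block. The log lines and both DNS tables are constructed fixtures; on a real host replace the two lookup functions with socket.gethostbyaddr and socket.gethostbyname_ex.

```python
"""Triage "GET /mod_ssl:error:HTTP-request" entries in an Apache access log.

Added example, not part of the Inktomi statement or the CERT advisory.  The
DNS answers and log lines are constructed for the illustration; swap the two
lookup functions for socket.gethostbyaddr()/gethostbyname_ex() on a real host.
"""
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
MODSSL_MARKER = "/mod_ssl:error:HTTP-request"
# Inktomi's stated naming: j<1-9><0-9><0-9><0-9> or si<1-9><0-9><0-9><0-9>,
# under inktomisearch.com
INKTOMI_RE = re.compile(r"^(?:j|si)[1-9][0-9]{3}\.inktomisearch\.com$")


def classify(ip, reverse_lookup, forward_lookup):
    """Label one source that sent plain HTTP to the HTTPS port.

    The reverse name must match the crawler pattern AND forward-resolve back
    to the same address (forward confirmation is an added check).
    """
    name = reverse_lookup(ip)
    if name and INKTOMI_RE.match(name):
        if ip in forward_lookup(name):
            return "inktomi-crawler"
        return "claims-inktomi-but-forward-mismatch"
    return "unexplained-plaintext-probe"


def triage(log_lines, reverse_lookup, forward_lookup):
    """Return ({ip: label}, Counter of labels) over every mod_ssl:error entry."""
    labels = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or MODSSL_MARKER not in m.group("request"):
            continue
        ip = m.group("host")
        if ip not in labels:            # resolve each source once
            labels[ip] = classify(ip, reverse_lookup, forward_lookup)
    return labels, Counter(labels.values())


# --- constructed fixtures (documentation-range addresses, invented names) ---
_REVERSE = {
    "192.0.2.10": "j3001.inktomisearch.com",
    "192.0.2.11": "si2100.inktomisearch.com",
    "198.51.100.7": None,                       # no PTR record at all
    "203.0.113.9": "j4444.inktomisearch.com",   # PTR forged by the address owner
}
_FORWARD = {
    "j3001.inktomisearch.com": ["192.0.2.10"],
    "si2100.inktomisearch.com": ["192.0.2.11"],
    "j4444.inktomisearch.com": ["192.0.2.99"],  # does not map back to 203.0.113.9
}


def reverse_lookup(ip):
    """Stand-in for socket.gethostbyaddr(ip)[0]; returns None when unresolvable."""
    return _REVERSE.get(ip)


def forward_lookup(name):
    """Stand-in for socket.gethostbyname_ex(name)[2]; empty list when unknown."""
    return _FORWARD.get(name, [])


SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2002:10:01:02 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 535',
    '192.0.2.11 - - [16/Sep/2002:10:02:15 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 535',
    '198.51.100.7 - - [16/Sep/2002:10:03:44 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 535',
    '198.51.100.7 - - [16/Sep/2002:10:03:45 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 535',
    '203.0.113.9 - - [16/Sep/2002:10:05:00 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 535',
    '192.0.2.50 - - [16/Sep/2002:10:06:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    labels, counts = triage(SAMPLE_LOG, reverse_lookup, forward_lookup)
    for ip, label in sorted(labels.items()):
        print(ip, label)
    print(dict(counts))
```

An "unexplained-plaintext-probe" label is still not evidence of infection; it only says the crawler explanation does not apply. The symptoms worth correlating are the ones Inktomi explicitly does not produce, traffic on port 2002 and UDP, before concluding anything about a source.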

Juniper Networks Affected

Updated:  August 16, 2002

Status

Affected

Vendor Statement

Juniper has determined that our JUNOS Internet software (on M- and T-series routers) and the software running on our SDX and SSC products are potentially susceptible to the security vulnerabilities in OpenSSL. Corrected software images will be available for customer download shortly. Software for our G10 CMTS product and our ERX products is unaffected by these vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Development Corporation Not Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Not Affected

Vendor Statement

Lotus products do not use OpenSSL or an SSLeay library, so they are not vulnerable. We further analyzed our SSL implementation for the issues reported in the advisory and determined that our products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Updated:  September 23, 2002

Status

Affected

Vendor Statement

Mandrake Linux update advisory MDKSA-2002:046-1 fixes all of these issues in OpenSSL. Please see http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-046-1.php

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Updated:  September 26, 2002

Status

Not Affected

Vendor Statement

Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NCSA Unknown

Notified:  July 30, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  July 29, 2002 Updated: September 23, 2002

Status

Affected

Vendor Statement

Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-009 (updated 2002/9/22)

Topic:    Multiple vulnerabilities in OpenSSL code

Version:  NetBSD-current: source prior to August 10, 2002
          NetBSD-1.6 beta: affected
          NetBSD-1.5.3: affected
          NetBSD-1.5.2: affected
          NetBSD-1.5.1: affected
          NetBSD-1.5: affected
          NetBSD-1.4.*: not applicable
          pkgsrc: prior to openssl-0.9.6f

Severity: Potential for remote root exploit

Fixed:    NetBSD-current: August 10, 2002
          NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
          NetBSD-1.5 branch: August 31, 2002
          pkgsrc: openssl-0.9.6f (or later)

NOTE: previous advisory had fixed dates prior to August 10. There were errors found in the vendor-supplied fix, therefore the fixed dates were modified. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch was fixed on August 1, however the fix was found to be insufficient. Therefore, users of 1.5 should apply the fix presented in this revised advisory. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch can be fixed by rebuilding part of the source code tree (shared library). However, it was incorrect. Follow the instruction below and perform a full build. Sorry for the confusion and thanks for the patience.

Abstract

There are multiple vulnerabilities found in openssl 0.9.6e and prior releases. There are four remotely-exploitable buffer overruns in SSL2/3 code. The ASN1 parser can be confused by invalid encodings (SSL/TLS code affected). None of these services are enabled by default in NetBSD; however, by enabling services built with these libraries, a system would become vulnerable.

From the OpenSSL advisory:

  "Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable."

After the above advisory was published,
  - 0.9.6e was found to be vulnerable, and 0.9.6f was released.
  - 0.9.6f had some build framework errors, and 0.9.6g was released.
The NetBSD fix includes OpenSSL 0.9.6g.

Technical Details

  http://www.openssl.org/news/secadv_20020730.txt
  http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php

Solutions and Workarounds

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues.

The following instructions describe how to upgrade your libcrypto/libssl binaries by updating your source tree and rebuilding and installing a new version of libcrypto/libssl.

Be sure to restart running instances of programs that use crypto libraries (like sshd) after upgrading shared libraries. If you have any statically-linked binaries that linked against a vulnerable libcrypto and/or libssl, you need to recompile them.

* NetBSD-current:

  Systems running NetBSD-current dated from before 2002-08-10 should be upgraded to NetBSD-current dated 2002-08-10 or later.

  The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libcrypto
    lib/libssl

  To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
          lib/libcrypto lib/libssl
    # make includes
    # cd lib/libcrypto
    # make cleandir dependall
    # make install
    # cd ../../lib/libssl
    # make cleandir dependall
    # make install

* NetBSD 1.6 beta:

  Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release. If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later should be used.

  The following directories need to be updated from the netbsd-1-6 CVS branch:
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libcrypto
    lib/libssl

  To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
          crypto/dist/openssl lib/libcrypto lib/libssl
    # make includes
    # cd lib/libcrypto
    # make cleandir dependall
    # make install
    # cd ../../lib/libssl
    # make cleandir dependall
    # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

  Systems running NetBSD-1.5.x dated from before 2002-08-31 should be upgraded to NetBSD-1.5 branch dated 2002-08-31 or later.

  The following directories need to be updated from the netbsd-1-5 CVS branch. Due to the shlib major bump in libcrypto/libssl, a large number of shared libraries have to be rebuilt:
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libasn1
    lib/libcom_err
    lib/libcrypto
    lib/libgssapi
    lib/libhdb
    lib/libkadm
    lib/libkadm5clnt
    lib/libkadm5srv
    lib/libkafs
    lib/libkdb
    lib/libkrb
    lib/libkrb5
    lib/libkstream
    lib/libroken
    lib/libsl
    lib/libss
    lib/libtelnet
    usr.bin/openssl

  All userland tools that use openssl need to be rebuilt, due to the shlib major bump. Therefore, a full rebuild is suggested. Make sure to rebuild all binaries installed by pkgsrc as well.

  To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P -r netbsd-1-5
    # make build

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:

  OpenSSL was not included in the base system in NetBSD-1.4.* Follow the directions for pkgsrc if you have installed it from pkgsrc.

* pkgsrc:

  openssl (pkgsrc/security/openssl) prior to 0.9.6f are vulnerable. Upgrade to openssl-0.9.6f or later; pkgsrc currently contains 0.9.6g at time of this writing.

  Packages which require openssl can be found by running 'pkg_info openssl'. Depending on the method you choose to update pkgsrc packages, a rebuild of the packages on that list may be performed for you by the package system. If you update using the experimental 'make replace' target, you will need to manually update any packages which build static binaries with libssl.a and libcrypto.a

  If you have statically linked binaries in pkgsrc, they have to be rebuilt. Statically linked binaries can be identified by the following command (note: be sure to include the directory you install pkgsrc binaries to, if you've changed LOCALBASE from the default of /usr/pkg):
    file /usr/pkg/{bin,sbin,libexec}/* | grep static

Thanks To

A.L. Digital Ltd and John McDonald of Neohapsis. Adi Stav and James Yonan. CERT and the OpenSSL team. Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD source tree, and preparing the initial advisory text. The NetBSD Release Engineering teams, for great patience and assistance in dealing with repeated security issues discovered recently.

Revision History

  2002-08-01  Initial release based on 0.9.6e
  2002-08-11  based on 0.9.6f
  2002-08-31  1.5 pullup done, 0.9.6g
  2002-09-16  Re-release with updated information

More Information

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-009.txt,v 1.39 2002/09/23 01:57:19 itojun Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPY51AD5Ru2/4N2IFAQEjJQP9GumaWgktTcobgsO+3Iq+x0Adg/fTMZ4r
hUPQNT1wTAFep9iSGJz+f8G4CvJjvbzplHhvcjPL14zbs+8U/cZhjeeLibJKgoCt
7Hwu9QLq12x0VlUoj0G1HJSQFKBO/+zFvCSxF1M/+pldOv6mfoEHygBM/xoRPHUI
z5G1Uv/irT8=
=ELua
-----END PGP SIGNATURE-----

OpenLDAP Affected

Notified:  July 30, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Rebuilding OpenLDAP with updated versions of OpenSSL should adequately address reported issues. Those using packaged versions of OpenLDAP should contact the package distributor for update information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenPKG Affected

Updated:  August 09, 2002

Status

Affected

Vendor Statement

See http://www.openpkg.org/security/OpenPKG-SA-2002.008-openssl.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                        The OpenPKG Project
http://www.openpkg.org/security.html             http://www.openpkg.org
openpkg-security@openpkg.org                     openpkg@openpkg.org
OpenPKG-SA-2002.008                              30-Jul-2002

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG 1.0          <= openssl-0.9.6b-1.0.0     >= openssl-0.9.6b-1.0.1
OpenPKG CURRENT      <= openssl-0.9.6d           >= openssl-0.9.6e

Dependent Packages:
  OpenPKG 1.0:     apache, curl, fetchmail, imapd, inn, links, lynx, mutt, openldap, openssh, perl-ssl, postfix, postgresql, qpopper, samba, sasl, scanssh, sendmail, siege, sitecopy, snmp, stunnel, tcpdump, w3m
  OpenPKG CURRENT: apache, bind, cadaver, cpu, curl, dsniff, exim, fetchmail, imapd, inn, links, lynx, mutt, neon, openldap, openssh, openvpn, perl-ssl, postfix, postgresql, qpopper, rdesktop, samba, sasl, scanssh, sendmail, siege, sitecopy, snmp, stunnel, sysmon, tcpdump, w3m

Description:
  According to an official security advisory from the OpenSSL team, there are four remotely exploitable buffer overflows that affect various OpenSSL client and server implementations [5]. There are also parsing problems in the ASN.1 library used by OpenSSL. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and CAN-2002-0659 [9] to the problems. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to create a denial of service.

  Please check whether you are affected by running "/bin/rpm -q openssl". If you have the "openssl" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution). Additionally, you have to rebuild and reinstall all dependent OpenPKG packages, too [2].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release [4], fetch it from the OpenPKG FTP service [3] or a mirror location, verify its integrity [1], build a corresponding binary RPM from it and update your OpenPKG installation by applying the binary RPM [2]. For the latest OpenPKG 1.0 release, perform the following operations to permanently fix the security problem (for other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssl-0.9.6b-1.0.1.src.rpm
  ftp> bye
  $ /bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
  $ /bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
  $ su -
  # /bin/rpm -Fvh /RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages, too (see list above).

References:
  [1] http://www.openpkg.org/security.html#signature
  [2] http://www.openpkg.org/tutorial.html#regular-source
  [3] ftp://ftp.openpkg.org/release/1.0/UPD/
  [4] ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
  [5] http://www.openssl.org/news/secadv_20020730.txt
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
  [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
  [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
  [9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URL http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For instance, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com".

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----

OpenSSL Affected

Notified:  July 22, 2002 Updated: July 30, 2002

Status

Affected

Vendor Statement

Please see http://www.openssl.org/news/secadv_20020730.txt.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Please see http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002

OpenSSL Security Vulnerability

Products affected:
  Oracle HTTP Server (OHS) shipped with the database up to and including version 9.2.0.
  Oracle9iAS versions earlier than 9.0.2, including all versions 1.0.2.x.
  CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1, 3.1.2, and 3.3 on Windows 98, NT, 2K, XP.

Description:
There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e. These vulnerabilities may allow a remote attacker to execute arbitrary code or perform a denial-of-service (DoS) attack. These problems are described in the OpenSSL Security Advisory [30 July 2002]:
  [25] http://www.openssl.org/news/secadv_20020730.txt
These problems are also described in CERT Advisory CA-2002-23:
  [26] http://www.cert.org/advisories/CA-2002-23.html

Workarounds:
There are no workarounds against the potential denial-of-service attack. Disabling SSL should prevent remote execution of code. Users of Corporate Time Outlook Connector can disable TLS by adding the following section to the CTOC.INI file:

  [CTOC]
  allow-tls=FALSE

NOTE: Disabling SSL or TLS will result in data being transmitted in the clear (i.e. unencrypted), including passwords when using Basic Authentication.

Patch Information:
Patches will be made available on MetaLink for Patch 2492925 as scheduled in the following table:

  Product    Download  Release   Solaris   NT        HPUX      Linux     AIX       TRU64
  iAS 1022   OHS       .3.19     08/09/02  08/09/02  08/15/02  08/15/02  08/15/02  08/15/02
  iAS 1021   OHS       1.3.12    08/08/02  08/08/02  08/09/02  08/09/02  08/09/02  08/09/02
  iAS 1021s  OHS       1.0.2.1s  08/08/02  08/08/02  08/12/02  08/12/02  08/12/02  08/12/02
  iAS 102    iAS       1.0.2     08/09/02  08/09/02  08/14/02  08/14/02  08/14/02  08/14/02
  RDBMS 9.2  Oracle    9.2.0.0   08/08/02  08/08/02  08/08/02  08/08/02  08/08/02  08/08/02
  RDBMS 901  Oracle    9.0.1.0   08/09/02  08/09/02  08/13/02  08/13/02  08/13/02  08/13/02
  RDBMS 817  Oracle    8.1.7.0   08/09/02  08/09/02  08/16/02  08/16/02  08/16/02  08/16/02

Upgrade Information:
New releases of the Corporate Time Outlook Connector will address this vulnerability. The following releases are scheduled to be released around 16 August, 2002:
  1. CorporateTime Outlook Connector 3.3.1
  2. Oracle Outlook Connector 3.4

Copyright © 2002, Oracle Corporation. All rights reserved.

References
  25. http://www.openssl.org/news/secadv_20020730.txt
  26. http://www.cert.org/advisories/CA-2002-23.html

Red Hat Inc. Affected

Notified:  July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Red Hat distributes affected versions of OpenSSL in all Red Hat Linux distributions as well as the Stronghold web server. Red Hat Linux errata packages that fix the above vulnerabilities (CAN-2002-0655 and CAN-2002-0656) are available from the URL below. Users of the Red Hat Network are able to update their systems using the 'up2date' tool. A future update will fix the potential remote DOS in the ASN.1 encoding (CAN-2002-0659). http://rhn.redhat.com/errata/RHSA-2002-155.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RSA Security Affected

Updated:  September 13, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://www.rsasecurity.com/products/bsafe/bulletins/BSAFE_SSL_Products_Security_Bulletin_Aug_8_2002.pdf

Secure Computing Corporation Affected

Updated:  September 30, 2002

Status

Affected

Vendor Statement

In response to the CERT Advisory CA-2002-23, Secure Computing has posted a software patch for all users of the SafeWord PremierAccess version 3.1 authentication system. All existing and new customers are advised to download and apply PremierAccess Patch 1. Patch 1(3.1.0.01) is available for immediate web download at http://www.securecomputing.com/index.cfm?skey=1109

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Affected

Updated:  September 23, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

SuSE Security Announcement

Package:                openssl/Slapper worm
Announcement-ID:        SuSE-SA:2002:033
Date:                   Thu Sep 19 2002
Affected products:      7.0, 7.1, 7.2, 7.3, 8.0
                        SuSE Linux Database Server,
                        SuSE eMail Server III,
                        SuSE eMail Server 3.1,
                        SuSE Linux Enterprise Server,
                        SuSE Linux Firewall on CD,
                        SuSE Linux Enterprise Server 7,
                        SuSE Linux Office Server
Vulnerability Type:     buffer overflow
Severity (1-10):        9
SuSE default package:   yes
Cross References:       CVE CAN-2002-0655, CAN-2002-0656, CAN-2002-0659, SuSE-SA:2002:027

Content of this advisory:
  1) vulnerabilities in openssl libraries; Slapper worm
  2) pending vulnerabilities, solutions, workarounds
  3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.

On July 30, we released a security advisory concerning vulnerabilities in OpenSSL, including a buffer overflow in the SSL code. This vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory http://www.cert.org/advisories/CA-2002-23.html) is currently being exploited by a worm called Slapper, propagating through Apache's mod_ssl module.

It is worth noting that even though the worm infects Apache through mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in the OpenSSL library used by mod_ssl. This also means that Apache may not be the only service vulnerable to an attack via the SSL bug. Similar exploits may be possible against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled services.

As a workaround, it is also possible to disable SSLv2 in mod_ssl (as described in our previous advisory SuSE-SA:2002:027; http://www.suse.com/de/security/2002_027_openssl.html), but you should be aware that this does not protect other SSL based servers that may be running on your machine.

We have received numerous inquiries from SuSE users on whether the update packages provided by SuSE as part of SA:2002:027 fix this bug even though they do not contain the latest OpenSSL version recommended in various advisories. To clarify this, we would like to state that these packages DO FIX the bug exploited by the Slapper worm. Following established policy, we did this by applying a source code patch instead of upgrading to a newer version, because the latter usually causes serious problems for many users (in particular, different versions of OpenSSL libraries are not always API compatible).

However, it turns out that a number of packages were statically linked against OpenSSL libraries:

  mod_ssl (SuSE Linux 7.0):
    We have released rebuilt mod_ssl packages linked against the most recent OpenSSL libraries. If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl, too.

  sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
    Sendmail-tls, the SSL enabled version of sendmail, was linked statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security impact of this problem is probably the same as with Apache and mod_ssl. We are releasing rebuilt packages linked against the most recent OpenSSL libraries. Sendmail-tls is not part of the default installation profile. If you are using sendmail-tls, we strongly recommend you upgrade to the latest packages provided on our FTP servers.

  openssh (SuSE Linux 7.1, 7.2 and 7.3):
    Ssh and sshd do not use any SSL functionality, and thus are not susceptible to the type of attack carried out by the Slapper worm. To date, we are not aware of any way to exploit them. We nevertheless recommend upgrading to the latest versions provided on our FTP site.

  freeswan (SuSE Linux 7.1, 7.2):
    FreeSWAN includes a utility named fswcert for creating and manipulating X.509 certificates, which is also linked statically against libcrypto. To date, we are not aware of any way to exploit them. We nevertheless recommend upgrading to the latest versions provided on our FTP site as soon as they become available (2002 Sep 20).

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  mod_php4:
    we are preparing an update of mod_php4 addressing various vulnerabilities that have been published recently.

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

  SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

  1) execute the command
       md5sum
     after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We do not recommend subscribing to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software.
     Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

  2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command
       rpm -v --checksig
     to verify the signature of the package, where is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file.
     Prerequisites:
       a) gpg is installed
       b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
          SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may subscribe:

  suse-security@suse.com
    - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to .

  suse-security-announce@suse.com
    - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to .

  For general information or the frequently asked questions (faq) send mail to: or respectively.

  SuSE's security contact is or .

  The public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the cleartext signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J /LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl 
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6.3in Charset: noconv iQEUAwUBPYrQdney5gA9JdPZAQEx+wf1GPGG2o1vDa1V/jqaL6typ0jNlq1Rb8nG lcI3Dp5V3lKBCOmMkRLdBE6+FNCRaEi6dN001WzJFsAMt4QjxW3Zk3ix8vRwPdgw 1jVSJkh+7yKQttMki7ff2SmmEbVBg+kmnVKq0GRQoOJlVN7L7RdzyjdMyYwnqxRG T37bZMwgl+76qkZWuVNKwukRYkopb6PT5nszVjSFwcX69yTu+tO5Y0INyHi6dWXY b8nxN24Lg0DSTgH85bG8fW1Ad02o9Iv7RPS6W1Geu+yq8TgxES9oCZatltU6r4yX F2AjkRMipCagdHc+aMSCtnoFC3Yes/vySJUE80iTbCy9dno5eJ/a =pVWJ -----END PGP SIGNATURE-----
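SuSE's workaround above is to disable SSLv2 in mod_ssl, which removes the protocol the Slapper worm speaks to a vulnerable libssl. The following httpd.conf fragment is an added example, not text from SuSE's advisory; it assumes Apache 1.3 with mod_ssl and mod_ssl's SSLProtocol directive, and shows the permissive setting beside the restricted one.

```apache
# httpd.conf, inside the SSL-enabled <VirtualHost> or the global SSL section.
# Added example; not taken from the SuSE advisory.

# Permissive: mod_ssl offers every protocol it supports, SSLv2 included,
# so a client can open the vulnerable SSLv2 handshake path.
#SSLProtocol all

# Restricted: keep SSLv3 and TLSv1, refuse SSLv2 outright.
SSLProtocol all -SSLv2

# Apache must be restarted (not just reloaded from a running copy of the
# old library) for either this setting or a replaced libssl to take effect.
```

As the SuSE text says, this only closes the door on mod_ssl; sendmail-tls, cyrus-imapd and other SSL-enabled daemons on the same host keep their own exposure until the library update is installed and they are restarted, and the Oracle statement on this page notes there is no configuration workaround for the ASN.1 denial of service.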

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Trustix Affected

Updated:  August 09, 2002

Status

Affected

Vendor Statement

See http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt, and "Addition to Trustix Secure Linux Bugfix Advisory #2002-0063" below.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trustix Secure Linux Security Advisory #2002-0063

Package name:      openssl
Summary:           Multiple security problems
Date:              2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5

Problem description:
  Several severe security problems have been found in the openssl source code upon which the TSL openssl packages are based. Most of these vulnerabilities have a potential for remote exploitation, even though no exploits are currently released. The upstream development group have provided us with patches that fix the problems.

  These issues have been assigned the following CVE names: CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.

More information:

Action:
  We recommend that all systems with this package installed are upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location:
  All TSL updates are available from

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'. Get SWUP from:

Public testing:
  These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at

Questions?
  Check out our mailing lists:

Verification:
  This advisory along with all TSL packages are signed with the TSL sign key. This key is available from:

  The advisory itself is available from the errata pages at and or directly at

MD5sums of the packages:
  0c51861ce4432c3f669657e2c4971c6f  ./1.5/SRPMS/openssl-0.9.6-10tr.src.rpm
  eb8a64dba138584b8085aec8d9ccaf0c  ./1.5/RPMS/openssl-support-0.9.6-10tr.i586.rpm
  9db293f035fbd82a3482ab87d3465eb2  ./1.5/RPMS/openssl-python-0.9.6-10tr.i586.rpm
  582d08bb63676a33da1aa89a33a05914  ./1.5/RPMS/openssl-devel-0.9.6-10tr.i586.rpm
  2d05569684b868cbacca9e389ded3f0f  ./1.5/RPMS/openssl-0.9.6-10tr.i586.rpm
  96053f774317702af40705697a2460d4  ./1.2/SRPMS/openssl-0.9.6-3tr.src.rpm
  84b50e02167b61a9d3093bcc055c7b45  ./1.2/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
  b0c3b99917e1c69f593a74b9989a33f9  ./1.2/RPMS/openssl-0.9.6-3tr.i586.rpm
  96053f774317702af40705697a2460d4  ./1.1/SRPMS/openssl-0.9.6-3tr.src.rpm
  111d6f3e42c2410a11ac4704036a31ef  ./1.1/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
  23d4bef487e86dfff1854f3f3c6fd867  ./1.1/RPMS/openssl-0.9.6-3tr.i586.rpm

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9RSsqwRTcg4BxxS0RAgv0AJsGLRMNaZ2pmZdE4NRQCLgfRpNLygCdHfkE
3bFFVLoH4NXOBs+mT/i8T4E=
=Ydxh
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Addition to Trustix Secure Linux Bugfix Advisory #2002-0063

Package name:      openssl
Summary:           Restart services
Date:              2002-08-01
Affected versions: TSL 1.1, 1.2, 1.5

Problem description:
  I really hope all of you have updated the openssl package. Most of you know this already, and I'm sorry I didn't include this in the openssl advisory earlier this week. But here it goes:

  Since openssl is a shared library, all services linked against this library must be restarted for the changes to take effect. The list of services is long and includes (but is not limited to):
    httpd (mod_php4 is linked against libssl)
    httpsd
    simap
    pop3s
    postfix
    postgresql
    smb (maybe also winbind)
    sshd

Action:
  We recommend that all services that are linked against openssl are restarted.

  Get SWUP from:

Questions?
  Check out our mailing lists:

Verification:
  This advisory along with all TSL packages are signed with the TSL sign key. This key is available from:

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9SQ9hwRTcg4BxxS0RAvABAJ4jrAH8CyFLWpcGguZElQgdL88tmgCfXv2Z
AorvR78koxCwr7qGSPbZX+A=
=WAGZ
-----END PGP SIGNATURE-----
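Two of the vendor statements above make the same operational point: the NetBSD advisory says to restart every running program that uses the crypto libraries and to recompile anything statically linked against libcrypto/libssl (its `file ... | grep static` check), and the Trustix addition lists the daemons that must be restarted because openssl is a shared library. The script below is an added example, not NetBSD's or Trustix's code, that automates both checks on a Linux host. It assumes a Linux-style /proc/<pid>/maps, where the kernel appends "(deleted)" to a mapping whose backing file has since been replaced on disk, and it reads ELF program headers directly for the static-linking test (the property `file` reports as "statically linked"). The sample maps dump and the ELF images it builds are constructed for the example.

```python
"""Post-upgrade checks after a shared libssl/libcrypto has been replaced.
Added example (not NetBSD's or Trustix's code). Assumes Linux /proc layout;
SAMPLE_MAPS and build_elf64() are constructed inputs, not real binaries."""
import os
import re
import struct

LIB_RE = re.compile(r'/lib(ssl|crypto)\.so')   # libssl.so.*, libcrypto.so.*
PT_DYNAMIC, PT_INTERP = 2, 3                    # ELF program header types


def stale_ssl_mappings(maps_text):
    """Given one /proc/<pid>/maps dump, return the sorted paths of libssl or
    libcrypto mappings whose file was replaced (kernel marks them deleted)."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # addr perms offset dev inode path
        if len(fields) < 6:
            continue                          # anonymous mapping, no path
        path = fields[5].strip()
        if path.endswith(' (deleted)') and LIB_RE.search(path):
            stale.add(path[:-len(' (deleted)')])
    return sorted(stale)


def processes_with_stale_ssl(proc_root='/proc'):
    """Scan every readable /proc/<pid>/maps; return {pid: [stale lib paths]}.
    A hit is a daemon still executing the old library and needing a restart."""
    hits = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:                           # no /proc on this host
        return hits
    for pid in entries:
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, 'maps')) as f:
                stale = stale_ssl_mappings(f.read())
        except OSError:                       # process exited, or not ours
            continue
        if stale:
            hits[int(pid)] = stale
    return hits


def is_static_elf(data):
    """True if the ELF image has neither a PT_INTERP nor a PT_DYNAMIC program
    header: it never loads a shared libssl/libcrypto, so a library upgrade
    does nothing for it and it must be rebuilt instead."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    ei_class, ei_data = data[4], data[5]
    end = '<' if ei_data == 1 else '>'        # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                         # ELFCLASS64: e_phoff@32, e_phentsize@54
        (phoff,) = struct.unpack_from(end + 'Q', data, 32)
        phentsize, phnum = struct.unpack_from(end + 'HH', data, 54)
    elif ei_class == 1:                       # ELFCLASS32: e_phoff@28, e_phentsize@42
        (phoff,) = struct.unpack_from(end + 'I', data, 28)
        phentsize, phnum = struct.unpack_from(end + 'HH', data, 42)
    else:
        raise ValueError('bad EI_CLASS')
    for i in range(phnum):                    # p_type is the first word of each Phdr
        (p_type,) = struct.unpack_from(end + 'I', data, phoff + i * phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def build_elf64(ptypes):
    """Constructed minimal little-endian x86-64 ELF: header plus one program
    header per requested type, no segment bodies. Sample input only."""
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + bytes(8)       # e_ident
    ehdr += struct.pack('<HHIQQQIHHHHHH', 2, 62, 1, 0, 64, 0, 0,
                        64, 56, len(ptypes), 64, 0, 0)       # phoff=64, phentsize=56
    phdrs = b''.join(struct.pack('<IIQQQQQQ', t, 0, 0, 0, 0, 0, 0, 0)
                     for t in ptypes)
    return ehdr + phdrs


# Constructed maps excerpt: an httpd that was not restarted after the upgrade.
SAMPLE_MAPS = """\
08048000-08100000 r-xp 00000000 03:01 12345      /usr/sbin/httpd
40000000-40015000 r-xp 00000000 03:01 2048       /lib/ld-2.2.5.so
40100000-40140000 r-xp 00000000 03:01 9001       /usr/lib/libssl.so.0.9.6 (deleted)
40140000-40200000 r-xp 00000000 03:01 9002       /usr/lib/libcrypto.so.0.9.6 (deleted)
40200000-40300000 r-xp 00000000 03:01 7777       /lib/libc-2.2.5.so
bfffe000-c0000000 rwxp 00000000 00:00 0
"""

if __name__ == '__main__':
    print('stale libraries in sample dump:', stale_ssl_mappings(SAMPLE_MAPS))
    for pid, libs in sorted(processes_with_stale_ssl().items()):
        print('pid %d still maps old %s; restart it' % (pid, ', '.join(libs)))
    print('dynamic sample static?', is_static_elf(build_elf64([PT_INTERP, PT_DYNAMIC, 1])))
    print('static sample static?', is_static_elf(build_elf64([1, 1])))
```

Run it as root after the library update: any PID it reports is a daemon (httpd, postfix, sshd and the rest of the Trustix list) still running the vulnerable code, and any binary `is_static_elf` flags needs a rebuild rather than a restart. It does not replace the vendor packages; it only tells you whether the replacement has actually taken effect.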
