Notified: July 30, 2002 Updated: August 09, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 09, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 09, 2002
Affected
The vulnerabilities described in this note are fixed with Security Update 2002-08-02.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: August 09, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 09, 2002
Affected
Please see http://www.debian.org/security/2002/dsa-136
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----

Debian Security Advisory DSA-136-1                    security@debian.org
http://www.debian.org/security/                          Wichert Akkerman
July 30, 2002

Package        : openssl
Problem type   : multiple remote exploits
Debian-specific: no
CVE            : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and openssl_0.9.6c-2.woody.0.

These vulnerabilities are also present in Debian 2.2 (potato), but no fix is available at this moment.

We recommend you upgrade your OpenSSL as soon as possible. Note that you should restart any daemons running SSL. (E.g., ssh or ssl-enabled apache.)

Obtaining updates:

By hand:
  wget URL
    will fetch the file for you.
  dpkg -i FILENAME.deb
    will install the fetched file.

With apt:
  deb http://security.debian.org/ stable/updates main
    added to /etc/apt/sources.list will provide security updates.

Additional information can be found on the Debian security webpages at http://www.debian.org/security/

Debian 3.0 (stable)

Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Debian Security team
Updated: August 09, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
GENTOO LINUX SECURITY ANNOUNCEMENT

PACKAGE : openssl
SUMMARY : denial of service / remote root exploit
DATE    : 2002-07-30 16:15:00

OVERVIEW

Multiple potentially remotely exploitable vulnerabilities have been found in OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The full advisory can be read at http://www.openssl.org/news/secadv_20020730.txt

SOLUTION

It is recommended that all Gentoo Linux users update their systems as follows.

  emerge --clean rsync
  emerge openssl
  emerge clean

After the installation of the updated OpenSSL you should restart the services that use OpenSSL, which include such common services as OpenSSH, SSL-enabled POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well. Also, if you have an application that is statically linked to openssl you will need to re-emerge that application to build it against the new OpenSSL.

Daniel Ahlberg
aliz@gentoo.org
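The SSL3 client-side overrun listed as issue 2 above (and in the Debian text as "a large session id to the client", CAN-2002-0656) comes down to a peer-supplied session_id length byte that a vulnerable client copied into a fixed 32-byte buffer without checking it. The following is an added example, not code from any of the advisories or from OpenSSL: a small bounds-checked Python parser for the SSL 3.0 ServerHello handshake message, with a message builder and sample messages constructed here for illustration. The constant, field and function names are this example's own.

```python
import struct

SSL3_VERSION = 0x0300
HANDSHAKE_SERVER_HELLO = 0x02
SERVER_RANDOM_LEN = 32
MAX_SESSION_ID_LEN = 32   # the fixed buffer bound (32 bytes in SSL 3.0)


class ServerHelloError(ValueError):
    """Raised for any malformed or out-of-bounds ServerHello field."""


def parse_server_hello(msg: bytes) -> dict:
    """Parse one handshake message carrying an SSL 3.0 ServerHello.

    Layout: type(1) length(3) | version(2) random(32) session_id_len(1)
    session_id(0..32) cipher_suite(2) compression(1).  Every peer-supplied
    length is validated against the data present and against the fixed
    bound before it is used to slice anything.
    """
    if len(msg) < 4:
        raise ServerHelloError("truncated handshake header")
    msg_type = msg[0]
    body_len = int.from_bytes(msg[1:4], "big")
    if msg_type != HANDSHAKE_SERVER_HELLO:
        raise ServerHelloError(f"unexpected handshake type {msg_type:#x}")
    body = msg[4:]
    if len(body) != body_len:
        raise ServerHelloError("handshake length does not match data")
    if len(body) < 2 + SERVER_RANDOM_LEN + 1:
        raise ServerHelloError("ServerHello too short for fixed fields")

    version = struct.unpack("!H", body[:2])[0]
    server_random = body[2:2 + SERVER_RANDOM_LEN]
    sid_len = body[2 + SERVER_RANDOM_LEN]

    # The check a vulnerable client lacked: the session id is destined for
    # a fixed 32-byte buffer, so a length byte above that bound is
    # rejected here instead of being honoured.
    if sid_len > MAX_SESSION_ID_LEN:
        raise ServerHelloError(
            f"session_id length {sid_len} exceeds {MAX_SESSION_ID_LEN}")

    off = 2 + SERVER_RANDOM_LEN + 1
    if len(body) < off + sid_len + 3:
        raise ServerHelloError("session_id length exceeds message")
    session_id = body[off:off + sid_len]
    off += sid_len
    cipher_suite = struct.unpack("!H", body[off:off + 2])[0]
    compression = body[off + 2]
    if off + 3 != len(body):
        raise ServerHelloError("trailing bytes after ServerHello")

    return {
        "version": version,
        "random": server_random,
        "session_id": session_id,
        "cipher_suite": cipher_suite,
        "compression": compression,
    }


def build_server_hello(session_id: bytes, cipher_suite: int = 0x0035,
                       compression: int = 0,
                       server_random: bytes = bytes(SERVER_RANDOM_LEN)) -> bytes:
    """Build a ServerHello handshake message from constructed field values.

    The session_id length is deliberately capped only at the one-byte
    encoding limit, not at 32, so that a malformed message can be produced
    to exercise the parser's rejection path.
    """
    if len(session_id) > 255:
        raise ValueError("session_id does not fit a one-byte length")
    body = (struct.pack("!H", SSL3_VERSION) + server_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", cipher_suite) + bytes([compression]))
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def session_id_is_safe(msg: bytes) -> bool:
    """True if the message parses cleanly; False if it would have overrun a
    fixed-size session_id buffer or is otherwise malformed."""
    try:
        parse_server_hello(msg)
        return True
    except ServerHelloError:
        return False


if __name__ == "__main__":
    # Constructed samples: a normal 32-byte session id, and a 200-byte one
    # of the kind an unchecked client would have copied straight into its
    # 32-byte buffer.
    good = build_server_hello(b"\x11" * 32)
    oversized = build_server_hello(b"\x22" * 200)
    print("32-byte session id accepted: ", session_id_is_safe(good))
    print("200-byte session id accepted:", session_id_is_safe(oversized))
```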
Notified: July 29, 2002 Updated: August 09, 2002
Affected
See http://www.linuxsecurity.com/advisories/other_advisory-1338.html.
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

| EnGarde Secure Linux Security Advisory                July 30, 2002 |
| http://www.engardelinux.org/                        ESA-20020730-019 |
| Packages: openssl, openssl-misc                                      |
| Summary: several vulnerabilities in the openssl library.             |

EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools.

OVERVIEW

There are several potentially exploitable vulnerabilities in the OpenSSL toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) under the DARPA program CHATS. Through this review, the following vulnerabilities were discovered:

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

4. The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3, and CAN-2002-0659 to issue 4.

SOLUTION

Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically.

EnGarde Community users should upgrade to the most recent version as outlined in this advisory. Updates may be obtained from:

  ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
  http://ftp.engardelinux.org/pub/engarde/stable/updates/

Before upgrading the package, the machine must either:

  a) be booted into a "standard" kernel; or
  b) have LIDS disabled.

To disable LIDS, execute the command:

  # /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:

  # rpm -Uvh files

You must now update the LIDS configuration by executing the command:

  # /usr/sbin/config_lids.pl

To re-enable LIDS (if it was disabled), execute the command:

  # /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signatures of the updated packages, execute the command:

  # rpm -Kv files

UPDATED PACKAGES

These updated packages are for EnGarde Secure Linux Community Edition.

Source Packages:
  SRPMS/openssl-0.9.6-1.0.16.src.rpm
    MD5 Sum: 158ff68fb5474993694d1dd3f623b921

Binary Packages:
  i386/openssl-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 9f7bd4009f352a3a3a3519c97ebe988d
  i386/openssl-misc-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 281794e60d923df695f6bcf8aa17055b
  i386/openssl-devel-0.9.6-1.0.16.i386.rpm
    MD5 Sum: 18b3ecd6b9d210180457caeb50a1331e
  i686/openssl-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 872eadde6cb52bcf93fae967c72949b1
  i686/openssl-misc-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 3baf870cbc35f3425cbd3110714ca3ed
  i686/openssl-devel-0.9.6-1.0.16.i686.rpm
    MD5 Sum: 718f5a6c89fac22f338177134fd5e6bd

REFERENCES

Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
OpenSSL's Official Web Site: http://www.openssl.org/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html

$Id: ESA-20020730-019-openssl,v 1.2 2002/07/30 12:05:04 rwm Exp $
Author: Ryan W. Maple
Notified: July 29, 2002 Updated: August 09, 2002
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Wed Aug 7 3:00:03 PDT 2002

Table of Contents:

Document ID      Title
HPSBTL0207-055   Security vulnerability in openssl (ref. 1)

The documents are listed below.

Document ID: HPSBTL0207-055
Date Loaded: 20020730
Title: Security vulnerability in openssl (ref. 1)

TEXT

HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBTL0207-055
Originally issued: 30 July '02
** Rev. 1 ** 06 August '02

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from the customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

Because the vulnerability does not require a HP Secure OS 1.0 patch or re-packaging of the RPM affected by the bulletin, the RPMs have not been produced or tested by Hewlett-Packard Company.

PROBLEM:        Updated OpenSSL packages fix several vulnerabilities
PLATFORM:       Any system running HP Secure OS Software for Linux Release 1.0
DAMAGE:         Potential for remotely exploitable buffer overflow
SOLUTION:       Apply the appropriate RPMs (see section B below)
MANUAL ACTIONS: None
AVAILABILITY:   The RPMs are available now.
CHANGE SUMMARY: Rev. 1 Updated OpenSSL packages are available (RHSA-2002:160)

A. Background

OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A security audit of the OpenSSL code sponsored by DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 and 0.9.6d and earlier.

** Rev. 1 **
>>> Additional OpenSSL security vulnerabilities were found, corrected and updated in the RPM packages previously made available under Red Hat Security Advisory number RHSA-2002:155.

B. Fixing the problem

Hewlett-Packard Company recommends that customers install the RPMs listed in the following Red Hat Security Advisory in the section labeled "Red Hat Linux 7.1 i386".

** Rev. 1 **
>>> 2002-08-05 RHSA-2002:160 Updated openssl packages fix protocol parsing bugs
>>> http://rhn.redhat.com/errata/RHSA-2002-160.html

To install the security bulletin RPMs, use the following sequence of commands:

1. If you use the tripwire product, we recommend that you run a consistency check and fix any violations before installing the security bulletin RPM.

   tripwire --check --interactive

2. Install the bulletin RPM from the root account.

   rpm -F
Notified: July 29, 2002 Updated: August 09, 2002
Affected
IBM's AIX operating system does not ship with OpenSSL; however, OpenSSL is available for installation on AIX via the Linux Affinity Toolkit. The version included on the Toolkit CD is vulnerable to the issues discussed here, as well as the version of OpenSSL available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to upgrade to the new version available from the website. This will be available within the next few days and can be downloaded from http://www6.software.ibm.com/dl/aixtbx/aixtbx-p This site contains Linux Affinity applications using cryptographic algorithms. New users to this site are asked to register first.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 16, 2002
Affected
Juniper has determined that our JUNOS Internet software (on M- and T-series routers) and the software running on our SDX and SSC products are potentially susceptible to the security vulnerabilities in OpenSSL. Corrected software images will be available for customer download shortly. Software for our G10 CMTS product and our ERX products is unaffected by these vulnerabilities.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 09, 2002
Not Affected
Lotus products do not use OpenSSL or an SSLeay library, so they are not vulnerable. We further analyzed our SSL implementation for the issues reported in the advisory and determined that our products are not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 23, 2002
Affected
Mandrake Linux update advisory MDKSA-2002:046-1 fixes all of these issues in OpenSSL. Please see http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-046-1.php
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 26, 2002
Not Affected
Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 30, 2002 Updated: August 09, 2002
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: September 23, 2002
Affected
Please see ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----

NetBSD Security Advisory 2002-009 (updated 2002/9/22)

Topic:    Multiple vulnerabilities in OpenSSL code

Version:  NetBSD-current: source prior to August 10, 2002
          NetBSD-1.6 beta: affected
          NetBSD-1.5.3: affected
          NetBSD-1.5.2: affected
          NetBSD-1.5.1: affected
          NetBSD-1.5: affected
          NetBSD-1.4.*: not applicable
          pkgsrc: prior to openssl-0.9.6f

Severity: Potential for remote root exploit

Fixed:    NetBSD-current: August 10, 2002
          NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
          NetBSD-1.5 branch: August 31, 2002
          pkgsrc: openssl-0.9.6f (or later)

NOTE: previous advisory had fixed dates prior to August 10. There were errors found in the vendor-supplied fix, therefore the fixed dates were modified. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch was fixed on August 1, however the fix was found to be insufficient. Therefore, users of 1.5 should apply the fix presented in this revised advisory. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch can be fixed by rebuilding part of the source code tree (shared library). However, it was incorrect. Follow the instruction below and perform a full build. Sorry for the confusion and thanks for the patience.

Abstract

There are multiple vulnerabilities found in openssl 0.9.6e and prior releases. There are four remotely-exploitable buffer overruns in SSL2/3 code. The ASN1 parser can be confused by invalid encodings (SSL/TLS code affected).

None of these services are enabled by default in NetBSD, however, by enabling services built with these libraries, a system would become vulnerable.

From the OpenSSL advisory:

"Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable."

After the above advisory was published,
- 0.9.6e was found to be vulnerable, and 0.9.6f was released.
- 0.9.6f had some build framework errors, and 0.9.6g was released.

The NetBSD fix includes OpenSSL 0.9.6g.

Technical Details

http://www.openssl.org/news/secadv_20020730.txt
http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php

Solutions and Workarounds

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues.

The following instructions describe how to upgrade your libcrypto/libssl binaries by updating your source tree and rebuilding and installing a new version of libcrypto/libssl.

Be sure to restart running instances of programs that use crypto libraries (like sshd) after upgrading shared libraries.

If you have any statically-linked binaries that linked against a vulnerable libcrypto and/or libssl, you need to recompile them.

* NetBSD-current:

Systems running NetBSD-current dated from before 2002-08-10 should be upgraded to NetBSD-current dated 2002-08-10 or later.

The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
  crypto/Makefile.openssl
  crypto/dist/openssl
  lib/libcrypto
  lib/libssl

To update from CVS, re-build, and re-install libcrypto and libssl:
  # cd src
  # cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
        lib/libcrypto lib/libssl
  # make includes
  # cd lib/libcrypto
  # make cleandir dependall
  # make install
  # cd ../../lib/libssl
  # make cleandir dependall
  # make install

* NetBSD 1.6 beta:

Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release.

If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later should be used.

The following directories need to be updated from the netbsd-1-6 CVS branch:
  crypto/Makefile.openssl
  crypto/dist/openssl
  lib/libcrypto
  lib/libssl

To update from CVS, re-build, and re-install libcrypto and libssl:
  # cd src
  # cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
        crypto/dist/openssl lib/libcrypto lib/libssl
  # make includes
  # cd lib/libcrypto
  # make cleandir dependall
  # make install
  # cd ../../lib/libssl
  # make cleandir dependall
  # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

Systems running NetBSD-1.5.x dated from before 2002-08-31 should be upgraded to NetBSD-1.5 branch dated 2002-08-31 or later.

The following directories need to be updated from the netbsd-1-5 CVS branch. Due to the shlib major bump in libcrypto/libssl, a large number of shared libraries have to be rebuilt:
  crypto/Makefile.openssl
  crypto/dist/openssl
  lib/libasn1
  lib/libcom_err
  lib/libcrypto
  lib/libgssapi
  lib/libhdb
  lib/libkadm
  lib/libkadm5clnt
  lib/libkadm5srv
  lib/libkafs
  lib/libkdb
  lib/libkrb
  lib/libkrb5
  lib/libkstream
  lib/libroken
  lib/libsl
  lib/libss
  lib/libtelnet
  usr.bin/openssl

All userland tools that use openssl need to be rebuilt, due to the shlib major bump. Therefore, a full rebuild is suggested. Make sure to rebuild all binaries installed by pkgsrc as well.

To update from CVS, re-build, and re-install libcrypto and libssl:
  # cd src
  # cvs update -d -P -r netbsd-1-5
Notified: July 30, 2002 Updated: August 09, 2002
Affected
Rebuilding OpenLDAP with updated versions of OpenSSL should adequately address reported issues. Those using packaged versions of OpenLDAP should contact the package distributor for update information.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: August 09, 2002
Affected
See http://www.openpkg.org/security/OpenPKG-SA-2002.008-openssl.html.
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.008                                  30-Jul-2002

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected Releases:   OpenPKG 1.0                OpenPKG CURRENT
Affected Packages:   <= openssl-0.9.6b-1.0.0    <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1    >= openssl-0.9.6e

Dependent Packages:  apache                     apache
                     curl                       bind
                     fetchmail                  cadaver
                     imapd                      cpu
                     inn                        curl
                     links                      dsniff
                     lynx                       exim
                     mutt                       fetchmail
                     openldap                   imapd
                     openssh                    inn
                     perl-ssl                   links
                     postfix                    lynx
                     postgresql                 mutt
                     qpopper                    neon
                     samba                      openldap
                     sasl                       openssh
                     scanssh                    openvpn
                     sendmail                   perl-ssl
                     siege                      postfix
                     sitecopy                   postgresql
                     snmp                       qpopper
                     stunnel                    rdesktop
                     tcpdump                    samba
                     w3m                        sasl
                                                scanssh
                                                sendmail
                                                siege
                                                sitecopy
                                                snmp
                                                stunnel
                                                sysmon
                                                tcpdump
                                                w3m

Description:

According to an official security advisory from the OpenSSL team, there are four remotely exploitable buffer overflows that affect various OpenSSL client and server implementations [5]. There are also parsing problems in the ASN.1 library used by OpenSSL. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and CAN-2002-0659 [9] to the problems. Several of these vulnerabilities could be used by a remote attacker to execute arbitrary code on the target system. All could be used to create a denial of service.

Please check whether you are affected by running "
Notified: July 22, 2002 Updated: July 30, 2002
Affected
Please see http://www.openssl.org/news/secadv_20020730.txt.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: July 29, 2002 Updated: August 09, 2002
Affected
Please see http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html
The vendor has not provided us with any further information regarding this vulnerability.
Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002

OpenSSL Security Vulnerability

Products affected:
  Oracle HTTP Server (OHS) shipped with the database up to and including version 9.2.0.
  Oracle9iAS versions earlier than 9.0.2, including all versions 1.0.2.x.
  CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1, 3.1.2, and 3.3 on Windows 98, NT, 2K, XP.

Description: There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e. These vulnerabilities may allow a remote attacker to execute arbitrary code or perform a denial-of-service (DoS) attack. These problems are described in the OpenSSL Security Advisory [30 July 2002]: [25] http://www.openssl.org/news/secadv_20020730.txt These problems are also described in CERT Advisory CA-2002-23: [26] http://www.cert.org/advisories/CA-2002-23.html

Workarounds: There are no workarounds against the potential denial-of-service attack. Disabling SSL should prevent remote execution of code. Users of Corporate Time Outlook Connector can disable TLS by adding the following section to the CTOC.INI file:

  [CTOC]
  allow-tls=FALSE

NOTE: Disabling SSL or TLS will result in data being transmitted in the clear (i.e. unencrypted), including passwords when using Basic Authentication.

Patch Information: Patches will be made available on MetaLink for Patch 2492925 as scheduled in the following table:

Product     Download   Release    Solaris    NT         HPUX       Linux      AIX        TRU64
iAS 1022    OHS        .3.19      08/09/02   08/09/02   08/15/02   08/15/02   08/15/02   08/15/02
iAS 1021    OHS        1.3.12     08/08/02   08/08/02   08/09/02   08/09/02   08/09/02   08/09/02
iAS 1021s   OHS        1.0.2.1s   08/08/02   08/08/02   08/12/02   08/12/02   08/12/02   08/12/02
iAS 102     iAS        1.0.2      08/09/02   08/09/02   08/14/02   08/14/02   08/14/02   08/14/02
RDBMS 9.2   Oracle     9.2.0.0    08/08/02   08/08/02   08/08/02   08/08/02   08/08/02   08/08/02
RDBMS 901   Oracle     9.0.1.0    08/09/02   08/09/02   08/13/02   08/13/02   08/13/02   08/13/02
RDBMS 817   Oracle     8.1.7.0    08/09/02   08/09/02   08/16/02   08/16/02   08/16/02   08/16/02

Upgrade Information: New releases of the Corporate Time Outlook Connector will address this vulnerability. The following releases are scheduled to be released around 16 August, 2002:
  1. CorporateTime Outlook Connector 3.3.1
  2. Oracle Outlook Connector 3.4

Copyright © 2002, Oracle Corporation. All rights reserved.

References
  25. http://www.openssl.org/news/secadv_20020730.txt
  26. http://www.cert.org/advisories/CA-2002-23.html
  27. http://otn.oracle.com/contact
  28. http://www.oracle.com/html/index.html?copyright.html
  29. http://www.oracle.com/html/index.html?privacy.html
Notified: July 29, 2002 Updated: August 09, 2002
Affected
Red Hat distributes affected versions of OpenSSL in all Red Hat Linux distributions as well as the Stronghold web server. Red Hat Linux errata packages that fix the above vulnerabilities (CAN-2002-0655 and CAN-2002-0656) are available from the URL below. Users of the Red Hat Network are able to update their systems using the 'up2date' tool. A future update will fix the potential remote DOS in the ASN.1 encoding (CAN-2002-0659). http://rhn.redhat.com/errata/RHSA-2002-155.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 30, 2002
Affected
In response to the CERT Advisory CA-2002-23, Secure Computing has posted a software patch for all users of the SafeWord PremierAccess version 3.1 authentication system. All existing and new customers are advised to download and apply PremierAccess Patch 1. Patch 1 (3.1.0.01) is available for immediate web download at http://www.securecomputing.com/index.cfm?skey=1109
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: September 23, 2002
Affected
-----BEGIN PGP SIGNED MESSAGE-----
SuSE Security Announcement
Package: openssl/Slapper worm
Announcement-ID: SuSE-SA:2002:033
Date: Thu Sep 19 2002
Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
SuSE Linux Database Server,
SuSE eMail Server III,
SuSE eMail Server 3.1,
SuSE Linux Enterprise Server,
SuSE Linux Firewall on CD,
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: buffer overflow
Severity (1-10): 9
SuSE default package: yes
Cross References: CVE CAN-2002-0655, CAN-2002-0656, CAN-2002-0659, SuSE-SA:2002:027

Content of this advisory:
1) vulnerabilities in openssl libraries; Slapper worm
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.

On July 30, we released a security advisory concerning vulnerabilities in OpenSSL, including a buffer overflow in the SSL code. This vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory http://www.cert.org/advisories/CA-2002-23.html) is currently being exploited by a worm called Slapper, propagating through Apache's mod_ssl module.

It is worth noting that even though the worm infects Apache through mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in the OpenSSL library used by mod_ssl.

This also means that Apache may not be the only service vulnerable to an attack via the SSL bug. Similar exploits may be possible against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled services.

As a workaround, it is also possible to disable SSLv2 in mod_ssl (as described in our previous advisory SuSE-SA:2002:027; http://www.suse.com/de/security/2002_027_openssl.html), but you should be aware that this does not protect other SSL based servers that may be running on your machine.

We have received numerous inquiries from SuSE users on whether the update packages provided by SuSE as part of SA:2002:027 fix this bug even though they do not contain the latest OpenSSL version recommended in various advisories.

To clarify this, we would like to state that these packages DO FIX the bug exploited by the Slapper worm. Following established policy, we did this by applying a source code patch instead of upgrading to a newer version, because the latter usually causes serious problems for many users (in particular, different versions of OpenSSL libraries are not always API compatible).

However, it turns out that a number of packages were statically linked against OpenSSL libraries:

mod_ssl (SuSE Linux 7.0):
We have released rebuilt mod_ssl packages linked against the most recent OpenSSL libraries. If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl, too.

sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
Sendmail-tls, the SSL enabled version of sendmail, was linked statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security impact of this problem is probably the same as with Apache and mod_ssl. We are releasing rebuilt packages linked against the most recent OpenSSL libraries. Sendmail-tls is not part of the default installation profile. If you are using sendmail-tls, we strongly recommend you upgrade to the latest packages provided on our FTP servers.

openssh (SuSE Linux 7.1, 7.2 and 7.3):
Ssh and sshd do not use any SSL functionality, and thus are not susceptible to the type of attack carried out by the Slapper worm. To date, we are not aware of any way to exploit them. We nevertheless recommend to upgrade to the latest versions provided on our FTP site.

freeswan (SuSE Linux 7.1, 7.2):
FreeSWAN includes a utility named fswcert for creating and manipulating X.509 certificates, which is also linked statically against libcrypto. To date, we are not aware of any way to exploit them. We nevertheless recommend to upgrade to the latest versions provided on our FTP site as soon as they become available (2002 Sep 20).

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

mod_php4: we are preparing an update of mod_php4 addressing various vulnerabilities that have been published recently.

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command
md5sum
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
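The two package authenticity checks the SuSE appendix lists, as an added shell example that is not SuSE's own tooling: it compares a downloaded package against the md5sum line from the signed announcement and, where rpm is installed, runs rpm's check of the package's embedded GPG signature. The announcement line format assumed is the one md5sum itself prints (digest, two spaces, filename); the demonstration file at the end is constructed, not a real SuSE package.

```shell
#!/bin/sh
# Added example, not SuSE's own tooling: the two package authenticity checks
# named in the advisory appendix, (1) the md5sum published in the signed
# announcement and (2) the GPG signature embedded in the rpm itself.
# Assumed announcement line format is what md5sum prints: "<digest>  <file>".

# verify_md5 ANNOUNCEMENT_LINE FILE
# Succeeds only when FILE's MD5 equals the digest field of ANNOUNCEMENT_LINE.
# Only the digest is compared; mirrors may serve the file under another name.
verify_md5() {
    expected=$(printf '%s\n' "$1" | awk '{ print $1 }')
    actual=$(md5sum "$2" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# verify_rpm_sig FILE
# 0: signature good, 1: bad or unsigned, 2: rpm not installed (unverified).
verify_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm --checksig "$1" >/dev/null 2>&1 || return 1
}

# check_package ANNOUNCEMENT_LINE FILE
# Prints a verdict per check. Fails (1) on an md5 mismatch; a missing rpm
# binary is reported but is not treated as a failure of the md5 method.
check_package() {
    if verify_md5 "$1" "$2"; then
        echo "md5 OK: $2"
    else
        echo "md5 MISMATCH: $2 (do not install)"
        return 1
    fi
    rc=0
    verify_rpm_sig "$2" || rc=$?
    case $rc in
        0) echo "rpm signature OK: $2" ;;
        2) echo "rpm not installed, signature not checked: $2" ;;
        *) echo "rpm signature BAD or missing: $2 (do not install)" ;;
    esac
    return 0
}

# Constructed demonstration input (not a real SuSE package): a file holding
# "hello\n", whose MD5 is b1946ac92492d2347c6235b4d2611184.
demo_pkg=$(mktemp)
printf 'hello\n' > "$demo_pkg"
check_package "b1946ac92492d2347c6235b4d2611184  openssl-demo.rpm" "$demo_pkg"
rm -f "$demo_pkg"
```

Because the two methods are independent, a package that passes the md5 check but fails the rpm signature check is still treated as untrusted.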
Updated: August 09, 2002
Affected
See http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt, and "Addition to Trustix Secure Linux Bugfix Advisory #2002-0063" below.
The vendor has not provided us with any further information regarding this vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Trustix Secure Linux Security Advisory #2002-0063
Package name: openssl
Summary: Multiple security problems
Date: 2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5

Problem description:
Several severe security problems have been found in the openssl source code on which the TSL openssl packages are based. Most of these vulnerabilities have a potential for remote exploitation, even though no exploits are currently released.

The upstream development group have provided us with patches that fix the problems.

These issues have been assigned the following CVE names: CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.

More information: