lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030930155822.GC7993@wirex.com>
Date: Tue, 30 Sep 2003 08:58:22 -0700
From: Immunix Security Team <security@...unix.com>
To: bugtraq@...urityfocus.com
Subject: Immunix Secured OS 7+ OpenSSL update

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	openssl
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2003-0543 CAN-2003-0544
Date:			Mon Sep 29 2003
Advisory ID:		IMNX-2003-7+-022-01
Author:			Seth Arnold <sarnold@...unix.com>
-----------------------------------------------------------------------

Description:
  The UK National Infrastructure Security Co-ordination Centre (NISCC)
  has commissioned an audit of OpenSSL, similar to the audit performed
  on SNMP by Oulu Security Programming Group. Stephen Henson, of the
  OpenSSL core team, has analysed the results and produced a patch to
  address the problems found.

  NISCC's description of the problem: "An unusual ASN.1 tag value can
  cause an out of bounds read under certain circumstances resulting in a
  Denial of Service condition. [...] For example, if one of the parties
  involved in a TLS/SSL connection sends an ASN.1 element that cannot
  be handled properly, the behaviour of the receiving application may be
  unpredictable. It has been found that a vulnerability can arise where
  one of the parties generates an exceptional ASN.1 element as part of
  a client certificate. A Denial of Service may arise in the receiving
  application, or there may be an opportunity for further exploitation."

  Immunix, Inc., would like to thank Stephen Henson for the patches and
  NISCC for preparing the SSL test suite.

  References: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  
  A source package for Immunix 7+ is available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm

Immunix OS 7+ md5sums:
  f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm


GPG verification:                                                               
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@...unix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ