Message-ID: <20030930155822.GC7993@wirex.com>
Date: Tue, 30 Sep 2003 08:58:22 -0700
From: Immunix Security Team <security@...unix.com>
To: bugtraq@...urityfocus.com
Subject: Immunix Secured OS 7+ OpenSSL update
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: openssl
Affected products: Immunix OS 7+
Bugs fixed: CAN-2003-0543 CAN-2003-0544
Date: Mon Sep 29 2003
Advisory ID: IMNX-2003-7+-022-01
Author: Seth Arnold <sarnold@...unix.com>
-----------------------------------------------------------------------
Description:
The UK National Infrastructure Security Co-ordination Centre (NISCC)
has commissioned an audit of OpenSSL, similar to the audit performed
on SNMP by Oulu Security Programming Group. Stephen Henson, of the
OpenSSL core team, has analysed the results and produced a patch to
address the problems found.
NISCC's description of the problem: "An unusual ASN.1 tag value can
cause an out of bounds read under certain circumstances resulting in a
Denial of Service condition. [...] For example, if one of the parties
involved in a TLS/SSL connection sends an ASN.1 element that cannot
be handled properly, the behaviour of the receiving application may be
unpredictable. It has been found that a vulnerability can arise where
one of the parties generates an exceptional ASN.1 element as part of
a client certificate. A Denial of Service may arise in the receiving
application, or there may be an opportunity for further exploitation."
Immunix, Inc., would like to thank Stephen Henson for the patches and
NISCC for preparing the SSL test suite.
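As an added example (not the advisory's or OpenSSL's own code), the defensive property this bug class requires, shown in Python: a DER tag/length decoder that bounds-checks every byte it reads, so an unusual tag value (the multi-byte high-tag-number form) or a declared length longer than the data raises an error instead of reading out of bounds. The `decode_tlv` and `TLV` names and the sample bytes are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class TLV:
    tag_class: int     # 0 universal, 1 application, 2 context-specific, 3 private
    constructed: bool
    tag_number: int
    value: bytes
    total_len: int     # bytes consumed, including tag and length octets

class DERError(ValueError):
    """Raised for a malformed element instead of reading past the buffer."""

def _byte(buf: bytes, pos: int) -> int:
    # every read goes through this bounds check
    if pos >= len(buf):
        raise DERError(f"truncated element: need byte {pos}, have {len(buf)}")
    return buf[pos]

def decode_tlv(buf: bytes, pos: int = 0) -> TLV:
    first = _byte(buf, pos)
    pos += 1
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:  # high-tag-number form: base-128 bytes, high bit = more follow
        number = 0
        for _ in range(5):  # cap how many continuation bytes we accept
            b = _byte(buf, pos)
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        else:
            raise DERError("tag number has too many continuation bytes")
    lenbyte = _byte(buf, pos)
    pos += 1
    if lenbyte & 0x80:  # long form: low bits give the count of length octets
        n = lenbyte & 0x7F
        if n == 0 or n > 4:
            raise DERError("indefinite or oversized length is not valid DER")
        length = 0
        for _ in range(n):
            length = (length << 8) | _byte(buf, pos)
            pos += 1
    else:
        length = lenbyte
    if pos + length > len(buf):
        raise DERError(f"declared length {length} exceeds remaining {len(buf) - pos} bytes")
    return TLV(tag_class, constructed, number, buf[pos:pos + length], pos + length)
```

Feeding it the constructed inputs below shows a well-formed INTEGER, a context-specific tag 129 in high-tag-number form, and a long-form length decoding cleanly, while truncated or oversized elements are rejected.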
References:
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
A source package for Immunix 7+ is available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm
Immunix OS 7+ md5sums:
f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm
GPG verification:
Our public keys are available at http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@...unix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.