Message-ID: <20020731111615.R29736@caldera.com>
From: security at caldera.com (security@...dera.com)
Subject: Security Update: [CSSA-2002-033.0] Linux: multiple vulnerabilities in openssl

To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: multiple vulnerabilities in openssl
Advisory number: 	CSSA-2002-033.0
Issue date: 		2002 July 31
Cross reference:
______________________________________________________________________________


1. Problem Description

	There are four remotely exploitable buffer overflows that affect
	various OpenSSL client and server implementations. There are also
	encoding problems in the ASN.1 library used by OpenSSL. Several
	of these vulnerabilities could be used by a remote attacker to
	execute arbitrary code on the target system. All could be used
	to create denial of service.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1 Server		prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1 Workstation	prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/RPMS

	4.2 Packages

	49b6589ee4e3fa4780a279e5dc46604d	openssl-0.9.6-18.i386.rpm
	608246e3b6de6e1f08946915307813a1	openssl-devel-0.9.6-18.i386.rpm
	55c039bf7e2f23805fe4060d72d94974	openssl-devel-static-0.9.6-18.i386.rpm

	4.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm
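	Added example, not part of the Caldera advisory: a small shell helper that checks each downloaded RPM against the md5sum lines the advisory lists (the "4.2 Packages" layout, and likewise 5.2, 6.2 and 7.2 for the other OpenLinux flavours) and only hands packages that pass to rpm -Fvh. It assumes GNU coreutils md5sum; the stand-in package file and its sum are constructed for the self-test, the real check uses the advisory's own lines.

```shell
# Added example, not part of the Caldera advisory: verify downloaded RPMs
# against the md5sum lines in "4.2 Packages" ("<md5><TAB><file>") before
# freshening them with rpm -Fvh. Assumes GNU coreutils md5sum; the demo
# file and its sum are constructed here, paste the advisory's real lines
# into MANIFEST for actual use.

# verify_manifest MANIFEST DIR
# Returns 0 when every file listed in MANIFEST exists in DIR with a
# matching md5sum; reports each problem on stderr and returns 1 otherwise.
verify_manifest() {
    manifest=$1; dir=$2; status=0
    while read -r expected file; do
        [ -n "$file" ] || continue                 # skip blank lines
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING  $file" >&2; status=1; continue
        fi
        actual=$(md5sum "$dir/$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $file"
        else
            echo "MISMATCH $file: got $actual, advisory lists $expected" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# install_verified MANIFEST DIR
# Freshens (rpm -Fvh) only when the whole set verifies, so a corrupted or
# substituted download is never installed.
install_verified() {
    verify_manifest "$1" "$2" || return 1
    awk '{print $2}' "$1" | (cd "$2" && xargs rpm -Fvh)
}

# Self-test on a constructed stand-in for openssl-0.9.6-18.i386.rpm.
demo() {
    tmp=$(mktemp -d)
    pkg=openssl-0.9.6-18.i386.rpm
    printf 'constructed stand-in, not a real RPM\n' > "$tmp/$pkg"
    printf '%s\t%s\n' "$(md5sum "$tmp/$pkg" | cut -d' ' -f1)" "$pkg" > "$tmp/MANIFEST"
    verify_manifest "$tmp/MANIFEST" "$tmp" && echo "intact: safe to rpm -Fvh"
    printf 'tampered\n' >> "$tmp/$pkg"          # simulate a corrupted download
    verify_manifest "$tmp/MANIFEST" "$tmp" || echo "changed: do not install"
    rm -rf "$tmp"
}
demo
```

	The md5sums catch a truncated or altered download; the advisory's own authenticity rests on its PGP signature, so check that as well before trusting the listed sums.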

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/SRPMS

	4.5 Source Packages

	99196cf80db29415ca44ef78733701ca	openssl-0.9.6-18.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/RPMS

	5.2 Packages

	6c83bdbaa0866d48413a6986d44add2b	openssl-0.9.6-18.i386.rpm
	c17adb44ffd8f0f5e8b812904cf58227	openssl-devel-0.9.6-18.i386.rpm
	0f9741b9b1348e4100bbc4c2165983b4	openssl-devel-static-0.9.6-18.i386.rpm

	5.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/SRPMS

	5.5 Source Packages

	7f819da5b612bd24e1f08b3e6ce96c7c	openssl-0.9.6-18.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/RPMS

	6.2 Packages

	db2c63ecd72f9c919d75b80f7bf21416	openssl-0.9.6-18.i386.rpm
	dfacf5e8c7588d19bda6aacbee04455c	openssl-devel-0.9.6-18.i386.rpm
	5caa2e9083c7bd82cf11abb747f92e24	openssl-devel-static-0.9.6-18.i386.rpm

	6.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/SRPMS

	6.5 Source Packages

	209ee703939cf4de47cc2e403e7a7a5f	openssl-0.9.6-18.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/RPMS

	7.2 Packages

	4a71d2544d0b06600abc27bddc4d20f5	openssl-0.9.6-18.i386.rpm
	6a0caf0bfef379791b83aaca484d212d	openssl-devel-0.9.6-18.i386.rpm
	294d134720153d5f4b284653d42cfdb1	openssl-devel-static-0.9.6-18.i386.rpm

	7.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/SRPMS

	7.5 Source Packages

	480806a05bc92716fd17001873c40c9a	openssl-0.9.6-18.src.rpm


8. References

	Specific references for this advisory:
		http://www.openssl.org/news/secadv_20020730.txt
		http://www.cert.org/advisories/CA-2002-23.html

	Caldera security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr867369, fz525695,
	erg501640.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


10. Acknowledgements

	These vulnerabilities were discovered and reported by the
	following: A.L. Digital Ltd, John McDonald of Neohapsis, Adi
	Stav, James Yonan.

______________________________________________________________________________