Linux Today: Linux News On Internet Time.
SOT Linux Advisory: openssl

Aug 02, 2002, 15:08 (1 Talkback[s])

[ Thanks to SOT Security Team for this link. ]

---------------------------------------------------------------------
                   SOT Linux Security Advisory

Subject:           Updated openssl package for SOT Linux 2002
Advisory ID:       SLSA-2002:10
Date:              Thursday, August 1, 2002
Product:           SOT Linux 2002
---------------------------------------------------------------------

1. Problem description

All four of the issues below are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
   buffer. This vulnerability was also independently discovered by
   consultants at Neohapsis (http://www.neohapsis.com/) who have also
   demonstrated that the vulnerability is exploitable. Exploit code is
   NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
   overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
   overrun a stack-based buffer. This issue only affects OpenSSL
   0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
   small on 64 bit platforms.

2. Updated packages

SOT Linux 2002 Desktop:

i386:
ftp://ftp.sot.com/updates/2002/Desktop/i386/openssl-0.9.6b-15.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Desktop/SRPMS/openssl-0.9.6b-15.src.rpm


SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/openssl-0.9.6b-15.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/openssl-0.9.6b-15.src.rpm


3. Upgrading package

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from
the SOT Linux FTP site (use the links above) or from one of our mirrors.
The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command (replace <package> with
the name of the downloaded .rpm file):
rpm -Uvh <package>


4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command (replace <package>
with the name of the downloaded .rpm file):
rpm --checksig <package>

If you wish to verify the integrity of the downloaded package, run
"md5sum <package>" and compare the output with the data given below.


Package Name                             MD5 sum
-------------------------------------------------------------------------
/Desktop/i386/openssl-0.9.6b-15.i386.rpm 6bf53f2b4ca2fad4e255f32b0cace61b
/Desktop/SRPMS/openssl-0.9.6b-15.src.rpm 840e78dbefd926964e439ec389b9a0ca
/Server/i386/openssl-0.9.6b-15.i386.rpm  6bf53f2b4ca2fad4e255f32b0cace61b
/Server/SRPMS/openssl-0.9.6b-15.src.rpm  840e78dbefd926964e439ec389b9a0ca
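The manual steps in sections 3 and 4 (download, compare the MD5 sum against the table, check the PGP signature, then install) can be combined into a single check that refuses to install a package unless both the checksum and the signature are accepted. The script below is an added example and is not a script shipped by SOT; the MD5 table inside it is copied verbatim from the advisory, while the function names, the openssl fallback for hosts without md5sum, and the local file paths in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the SOT advisory): gate "rpm -Uvh" on the
# advisory's MD5 table and on "rpm --checksig" succeeding.

# MD5 table copied from the advisory: "<path under the updates dir> <md5>".
ADVISORY_MD5_TABLE='
/Desktop/i386/openssl-0.9.6b-15.i386.rpm 6bf53f2b4ca2fad4e255f32b0cace61b
/Desktop/SRPMS/openssl-0.9.6b-15.src.rpm 840e78dbefd926964e439ec389b9a0ca
/Server/i386/openssl-0.9.6b-15.i386.rpm 6bf53f2b4ca2fad4e255f32b0cace61b
/Server/SRPMS/openssl-0.9.6b-15.src.rpm 840e78dbefd926964e439ec389b9a0ca
'

# md5_of FILE -> prints the lowercase hex MD5 of FILE.
# Uses md5sum where available, otherwise "openssl dgst -md5" (assumed fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 ADVISORY_PATH -> prints the MD5 listed for that path, or nothing
# if the advisory does not list it.
expected_md5() {
    printf '%s\n' "$ADVISORY_MD5_TABLE" | awk -v p="$1" '$1 == p {print $2}'
}

# verify_md5 FILE EXPECTED -> returns 0 only if FILE's MD5 equals EXPECTED
# (hex compared case-insensitively); an empty EXPECTED never matches.
verify_md5() {
    actual=$(md5_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# verify_package FILE ADVISORY_PATH -> returns 0 only if the MD5 matches the
# advisory table AND "rpm --checksig" accepts the package's PGP signature.
# A reason is printed to stderr on failure.
verify_package() {
    file=$1
    path=$2
    exp=$(expected_md5 "$path")
    if [ -z "$exp" ]; then
        echo "no MD5 listed in the advisory for $path" >&2
        return 1
    fi
    if ! verify_md5 "$file" "$exp"; then
        echo "MD5 mismatch for $file (expected $exp)" >&2
        return 1
    fi
    if ! rpm --checksig "$file" >/dev/null 2>&1; then
        echo "rpm --checksig rejected $file" >&2
        return 1
    fi
    return 0
}

# Usage (file name and location are assumed; download from the advisory's links):
#   verify_package ./openssl-0.9.6b-15.i386.rpm /Server/i386/openssl-0.9.6b-15.i386.rpm \
#       && rpm -Uvh ./openssl-0.9.6b-15.i386.rpm
```

The MD5 comparison only detects a corrupted or substituted download; it is `rpm --checksig` that ties the package to SOT's signing key, so the install is gated on both checks rather than on the checksum alone.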

5. References

http://www.openssl.org/news/secadv_20020730.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Copyright(c) 2001, 2002 SOT

---------------------------------------------------------------------
You can view other update advisories for SOT Linux 2002 at:
http://www.sot.com/en/linux/sa/
To unsubscribe, visit your account at https://www.sot.com/
---------------------------------------------------------------------