Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


Mandrake Linux Advisory: openssl

Oct 01, 2003, 15:51 (0 Talkback[s])

Mandrake Linux Security Update Advisory


Package name: openssl
Advisory ID: MDKSA-2003:098
Date: September 30th, 2003
Affected versions: 8.2, 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network Firewall 8.2

Problem Description:

Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which could be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. Depending upon the application targetted, the effects seen will vary; in some cases a DoS (Denial of Service) could be performed, in others nothing noticeable or adverse may happen. These two vulnerabilities have been assigned CAN-2003-0543 and CAN-2003-0544.

Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. This can be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. This vulnerability may be exploitable to execute arbitrary code. This vulnerability has been assigned CAN-2003-0545.

The packages provided have been built with patches provided by the OpenSSL group that resolve these issues.

A number of server applications such as OpenSSH and Apache that make use of OpenSSL need to be restarted after the update has been applied to ensure that they are protected from these issues. Users are encouraged to restart all of these services or reboot their systems.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
http://www.kb.cert.org/vuls/id/255484
http://www.kb.cert.org/vuls/id/380864
http://www.kb.cert.org/vuls/id/935264
http://www.openssl.org/news/secadv_20030930.txt
http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm


Updated Packages:

Corporate Server 2.1:
ec80ef980212f5bf294f147e5bc19f76 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
3d5e3a05ead47fafa59240be9efc87d2 corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278 corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Corporate Server 2.1/x86_64:
eab60b3828aeec0e2717890e51a90e76 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm
19d8a676a11293d8e6acb429bed63a99 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm
5eb3936b8fade73ca1c334d67edad3ae x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm
9df6c6e820719ac33744e1708621bdf3 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm
6982c0adf01f00ea5d49deb24011c278 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1 8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
4b783a98f4cc48be8a6b680a92f374ce 8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
0481e5edacc8985d7255266fd136ceba 8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586 8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8 8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm

Mandrake Linux 9.0:
ec80ef980212f5bf294f147e5bc19f76 9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb 9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
3d5e3a05ead47fafa59240be9efc87d2 9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278 9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 9.1:
42365cfe8a9214a747bd1fa6329baec8 9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm
a3a5046af719b864a337ce432e694a8b 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm
2e879f9d5349458c5653e97f20cf2218 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm
cf9bc9fc1cce8841d3cdb1d9fcd8b313 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm
b475cc257c14dbaccd9007afa14096f5 9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm
329bd3dd8cdfad6d445b4fbcc953dc91 9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221 9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
915f8ab4ea91e0d876c9204b1f3699b0 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm
fafb4ac4c88c321d3c8fb7fdba54bac4 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm
184be4bdf922fbc28b590a71b7cf8c10 ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm
09e1bd3c05323d10d8002a44dbbc85dd ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm
cfbcacc68e2585a5fcbbeb8c9fc3b0d7 ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm
329bd3dd8cdfad6d445b4fbcc953dc91 ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.2:
db717c9a2e8f98905290d341e799c7b2 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm
76ba7c153a75c5dcfeae9f9f16f001e4 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm
7655e50f898e4e4d368cd8e47d38806d 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm
3f846e75cfdbdd9e818376474e1e54c0 9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm
738181704cb49e34d982a5b4224cc66c 9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm

Multi Network Firewall 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1 mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586 mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8 mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm


Bug IDs fixed (see https://qa.mandrakesoft.com for more information):


To upgrade automatically, use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>