dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


Netwosix Linux Advisory: openssl

Mar 17, 2004, 20:29 (0 Talkback[s])

Netwosix Linux Security Advisory #2004-0005 <http://www.netwosix.org>;

Package name: openssl
Summary: openssl upgraded package
Date: 2004-03-17
Affected versions: Netwosix 1.0


  • -> Package description:

    The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

  • -> Problem description:
    1. Null-pointer assignment during SSL handshake
    2. Out-of-bounds read affects Kerberos ciphersuites

    Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

  • -> Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.
  • -> Location:

    You can download the latest version of this package in NEPOTE format from: <http://download.netwosix.org/0005/nepote>;

  • -> Nepote Update (Nepote has been updated with new ports on 25 February 2004.
    Update your portage tree from http://nepote.netwosix.org, first):

    See this instructions to update the port of this package:

            # cd /usr/port/devel/openssl
            # rm nepote
            # wget http://download.netwosix.org/0005/nepote
            # sh nepote (to install the new and updated package)
    

    Pending vulnerabilities, solutions, workarounds

            # cd /usr/port/shells/openssh
            # rm nepote-dep
            # wget http://download.netwosix.org/0005/nepote-dep
            # sh nepote-dep (to install the new and updated package)
    
  • -> References

    Specific references for this advisory:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
    http://www.openssl.org/news/secadv_20040317.txt

  • -> About Linux Netwosix:

    Linux Netwosix is a powerful and optimized Linux distribution for servers and Network Security related jobs. It can also be used for special operations such as penetration testing with its big collection of security oriented software and sources. It's a light distribution created for the requirements of every SysAdmin and it's very portable and highly configurable. Our philosophy is to give greater liberty for configuration to the SysAdmin. Only in this way can he/she configure a powerful and stable server machine. Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD systems but more flexible and usable.

  • -> Questions?

    Check out our mailing lists:
    <http://www.netwosix.org/mailing.html>;

The advisory itself is available at
<http://www.netwosix.org/adv05.html>


MD5sums of the packages:
9c399210b16b3590be2bb81357442f9a 0005/nepote
1a89349bd258f15aa8810623e9f471d2 0005/nepote-dep

Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@netwosix.org> -
<http://www.netwosix.org>;