---

Home Security

Mandrake Linux Advisory: openssl

By

Mandrake Linux Security Update Advisory

Package name: openssl
Advisory ID: MDKSA-2003:098
Date: September 30th, 2003
Affected versions: 8.2, 9.0, 9.1, 9.2, Corporate Server 2.1, Multi Network
Firewall 8.2

Problem Description:

Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC.
The parsing of unusual ASN.1 tag values can cause OpenSSL to crash,
which could be triggered by a remote attacker by sending a
carefully-crafted SSL client certificate to an application.
Depending upon the application targetted, the effects seen will
vary; in some cases a DoS (Denial of Service) could be performed,
in others nothing noticeable or adverse may happen. These two
vulnerabilities have been assigned CAN-2003-0543 and
CAN-2003-0544.

Additionally, NISCC discovered a third bug in OpenSSL 0.9.7.
Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in deallocation of a structure, leading to a
double free. This can be triggered by a remote attacker by sending
a carefully-crafted SSL client certificate to an application. This
vulnerability may be exploitable to execute arbitrary code. This
vulnerability has been assigned CAN-2003-0545.

The packages provided have been built with patches provided by
the OpenSSL group that resolve these issues.

A number of server applications such as OpenSSH and Apache that
make use of OpenSSL need to be restarted after the update has been
applied to ensure that they are protected from these issues. Users
are encouraged to restart all of these services or reboot their
systems.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545

http://www.kb.cert.org/vuls/id/255484

http://www.kb.cert.org/vuls/id/380864

http://www.kb.cert.org/vuls/id/935264

http://www.openssl.org/news/secadv_20030930.txt

http://www.uniras.gov.uk/vuls/2003/006489/tls.htm

http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm

Updated Packages:

Corporate Server 2.1:
ec80ef980212f5bf294f147e5bc19f76
corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb
corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6
corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm

3d5e3a05ead47fafa59240be9efc87d2
corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278
corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Corporate Server 2.1/x86_64:
eab60b3828aeec0e2717890e51a90e76
x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm

19d8a676a11293d8e6acb429bed63a99
x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm

5eb3936b8fade73ca1c334d67edad3ae
x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm

9df6c6e820719ac33744e1708621bdf3
x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm
6982c0adf01f00ea5d49deb24011c278
x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1
8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
4b783a98f4cc48be8a6b680a92f374ce
8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
0481e5edacc8985d7255266fd136ceba
8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586
8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8
8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm

Mandrake Linux 9.0:
ec80ef980212f5bf294f147e5bc19f76
9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb
9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6
9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
3d5e3a05ead47fafa59240be9efc87d2
9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278
9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 9.1:
42365cfe8a9214a747bd1fa6329baec8
9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm
a3a5046af719b864a337ce432e694a8b
9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm
2e879f9d5349458c5653e97f20cf2218
9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm
cf9bc9fc1cce8841d3cdb1d9fcd8b313
9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm
b475cc257c14dbaccd9007afa14096f5
9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm
329bd3dd8cdfad6d445b4fbcc953dc91
9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221
9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
915f8ab4ea91e0d876c9204b1f3699b0
ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm
fafb4ac4c88c321d3c8fb7fdba54bac4
ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm
184be4bdf922fbc28b590a71b7cf8c10
ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm
09e1bd3c05323d10d8002a44dbbc85dd
ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm

cfbcacc68e2585a5fcbbeb8c9fc3b0d7
ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm
329bd3dd8cdfad6d445b4fbcc953dc91
ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221
ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.2:
db717c9a2e8f98905290d341e799c7b2
9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm
76ba7c153a75c5dcfeae9f9f16f001e4
9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm
7655e50f898e4e4d368cd8e47d38806d
9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm
3f846e75cfdbdd9e818376474e1e54c0
9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm
738181704cb49e34d982a5b4224cc66c
9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm

Multi Network Firewall 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1
mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586
mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8
mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm

Bug IDs fixed (see https://qa.mandrakesoft.com for
more information):

To upgrade automatically, use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can
obtain the GPG public key of the Mandrake Linux Security Team by
executing:

gpg –recv-keys –keyserver www.mandrakesecure.net
0x22458A98

Please be aware that sometimes it takes the mirrors a few hours
to update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services
that anyone can subscribe to. Information on these lists can be
obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security
linux-mandrake.com>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.