Home page logo
/

bugtraq logo Bugtraq mailing list archives

Immunix Secured OS 7+ OpenSSL update
From: Immunix Security Team <security () immunix com>
Date: Tue, 30 Sep 2003 08:58:22 -0700

-----------------------------------------------------------------------
        Immunix Secured OS Security Advisory

Packages updated:       openssl
Affected products:      Immunix OS 7+
Bugs fixed:             CAN-2003-0543 CAN-2003-0544
Date:                   Mon Sep 29 2003
Advisory ID:            IMNX-2003-7+-022-01
Author:                 Seth Arnold <sarnold () immunix com>
-----------------------------------------------------------------------

Description:
  The UK National Infrastructure Security Co-ordination Centre (NISCC)
  has commissioned an audit of OpenSSL, similar to the audit performed
  on SNMP by Oulu Security Programming Group. Stephen Henson, of the
  OpenSSL core team, has analysed the results and produced a patch to
  address the problems found.

  NISCC's description of the problem: "An unusual ASN.1 tag value can
  cause an out of bounds read under certain circumstances resulting in a
  Denial of Service condition. [...] For example, if one of the parties
  involved in a TLS/SSL connection sends an ASN.1 element that cannot
  be handled properly, the behaviour of the receiving application may be
  unpredictable. It has been found that a vulnerability can arise where
  one of the parties generates an exceptional ASN.1 element as part of
  a client certificate. A Denial of Service may arise in the receiving
  application, or there may be an opportunity for further exploitation."

  Immunix, Inc., would like to thank Stephen Henson for the patches and
  NISCC for preparing the SSL test suite.

  References: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  
  A source package for Immunix 7+ is available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm

Immunix OS 7+ md5sums:
  f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm


GPG verification:                                                               
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security () immunix com 
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Immunix Secured OS 7+ OpenSSL update Immunix Security Team (Sep 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]