Full Disclosure mailing list archives

Security Update: [CSSA-2002-033.0] Linux: multiple vulnerabilities in openssl
From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 31 Jul 2002 11:16:16 -0700



To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com, full-disclosure () lists netsys com

______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                Linux: multiple vulnerabilities in openssl
Advisory number:        CSSA-2002-033.0
Issue date:             2002 July 31
Cross reference:
______________________________________________________________________________


1. Problem Description

        There are four remotely exploitable buffer overflows that affect
        various OpenSSL client and server implementations. There are also
        encoding problems in the ASN.1 library used by OpenSSL. Several
        of these vulnerabilities could be used by a remote attacker to
        execute arbitrary code on the target system. All of them could be
        used to cause a denial of service.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to openssl-0.9.6-18.i386.rpm
                                        prior to openssl-devel-0.9.6-18.i386.rpm
                                        prior to openssl-devel-static-0.9.6-18.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to openssl-0.9.6-18.i386.rpm
                                        prior to openssl-devel-0.9.6-18.i386.rpm
                                        prior to openssl-devel-static-0.9.6-18.i386.rpm

        OpenLinux 3.1 Server            prior to openssl-0.9.6-18.i386.rpm
                                        prior to openssl-devel-0.9.6-18.i386.rpm
                                        prior to openssl-devel-static-0.9.6-18.i386.rpm

        OpenLinux 3.1 Workstation       prior to openssl-0.9.6-18.i386.rpm
                                        prior to openssl-devel-0.9.6-18.i386.rpm
                                        prior to openssl-devel-static-0.9.6-18.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/RPMS

        4.2 Packages

        49b6589ee4e3fa4780a279e5dc46604d        openssl-0.9.6-18.i386.rpm
        608246e3b6de6e1f08946915307813a1        openssl-devel-0.9.6-18.i386.rpm
        55c039bf7e2f23805fe4060d72d94974        openssl-devel-static-0.9.6-18.i386.rpm

        4.3 Installation

        rpm -Fvh openssl-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

        4.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/SRPMS

        4.5 Source Packages

        99196cf80db29415ca44ef78733701ca        openssl-0.9.6-18.src.rpm
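        As an added example (not part of Caldera's advisory), the following
        POSIX sh script checks each downloaded package's MD5 against the
        checksums published in 4.2 and only then runs the rpm -Fvh commands
        from 4.3. It assumes the packages have already been fetched from the
        4.1 location into the current directory.

```shell
#!/bin/sh
# Verify the MD5 of each downloaded RPM against the checksum published in
# the advisory before freshening it with rpm -Fvh. Assumption: the packages
# from section 4.1 have already been downloaded into the current directory.

# verify_md5 EXPECTED FILE: returns 0 when FILE's MD5 equals EXPECTED,
# 1 when it differs or the file is missing.
verify_md5() {
    expected="$1"
    file="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Checksums and file names exactly as published in section 4.2
# (OpenLinux 3.1.1 Server).
MANIFEST='49b6589ee4e3fa4780a279e5dc46604d openssl-0.9.6-18.i386.rpm
608246e3b6de6e1f08946915307813a1 openssl-devel-0.9.6-18.i386.rpm
55c039bf7e2f23805fe4060d72d94974 openssl-devel-static-0.9.6-18.i386.rpm'

# Verify every package first; install nothing unless all of them match, so a
# corrupted or tampered download never reaches rpm.
verify_and_install() {
    failed=0
    for_install=""
    while read -r sum name; do
        if verify_md5 "$sum" "$name"; then
            for_install="$for_install $name"
        else
            echo "checksum mismatch or missing file: $name" >&2
            failed=1
        fi
    done <<EOF
$MANIFEST
EOF
    [ "$failed" -eq 0 ] || return 1
    # Unquoted on purpose: the variable holds a space-separated file list.
    rpm -Fvh $for_install
}
```

        Call verify_and_install on the target host; it exits non-zero and
        installs nothing if any checksum fails.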


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/RPMS

        5.2 Packages

        6c83bdbaa0866d48413a6986d44add2b        openssl-0.9.6-18.i386.rpm
        c17adb44ffd8f0f5e8b812904cf58227        openssl-devel-0.9.6-18.i386.rpm
        0f9741b9b1348e4100bbc4c2165983b4        openssl-devel-static-0.9.6-18.i386.rpm

        5.3 Installation

        rpm -Fvh openssl-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

        5.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/SRPMS

        5.5 Source Packages

        7f819da5b612bd24e1f08b3e6ce96c7c        openssl-0.9.6-18.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/RPMS

        6.2 Packages

        db2c63ecd72f9c919d75b80f7bf21416        openssl-0.9.6-18.i386.rpm
        dfacf5e8c7588d19bda6aacbee04455c        openssl-devel-0.9.6-18.i386.rpm
        5caa2e9083c7bd82cf11abb747f92e24        openssl-devel-static-0.9.6-18.i386.rpm

        6.3 Installation

        rpm -Fvh openssl-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

        6.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/SRPMS

        6.5 Source Packages

        209ee703939cf4de47cc2e403e7a7a5f        openssl-0.9.6-18.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/RPMS

        7.2 Packages

        4a71d2544d0b06600abc27bddc4d20f5        openssl-0.9.6-18.i386.rpm
        6a0caf0bfef379791b83aaca484d212d        openssl-devel-0.9.6-18.i386.rpm
        294d134720153d5f4b284653d42cfdb1        openssl-devel-static-0.9.6-18.i386.rpm

        7.3 Installation

        rpm -Fvh openssl-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

        7.4 Source Package Location

        ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/SRPMS

        7.5 Source Packages

        480806a05bc92716fd17001873c40c9a        openssl-0.9.6-18.src.rpm


8. References

        Specific references for this advisory:
                http://www.openssl.org/news/secadv_20020730.txt
                http://www.cert.org/advisories/CA-2002-23.html

        Caldera security resources:
                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr867369, fz525695,
        erg501640.


9. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on this website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera products.


10. Acknowledgements

        These vulnerabilities were discovered and reported by the
        following: A.L. Digital Ltd, John McDonald of Neohapsis, Adi
        Stav, James Yonan.

______________________________________________________________________________


