Trustix Information for VU#308891
| Date Notified | |
| Date Modified | 09/30/2002 04:51:43 PM |
| Status Summary | Vulnerable |
Vendor Statement
See http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt, and "Addition to Trustix Secure Linux Bugfix Advisory #2002-0063" below.
US-CERT Addendum
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0063
Package name: openssl
Summary: Multiple security problems
Date: 2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description:
Several severe security problems have been found in the openssl source
code upon which the TSL openssl packages are based. Most of these
vulnerabilities have a potential for remote exploitation, even though no
exploits are currently released.
The upstream development group have provided us with patches that fix
the problems.
These issues have been assigned the following CVE names:
CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.
More information:
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659>
Action:
We recommend that all systems with this package installed are upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All TSL updates are available from
<URI:http://www.trustix.net/pub/Trustix/updates/>
<URI:ftp://ftp.trustix.net/pub/Trustix/updates/>
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailing list.
The testing tree is located at
<URI:http://www.trustix.net/pub/Trustix/testing/>
<URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>
Verification:
This advisory, along with all TSL packages, is signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.net/errata/trustix-1.2/> and
<URI:http://www.trustix.net/errata/trustix-1.5/>
or directly at
<URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt>
MD5sums of the packages:
- --------------------------------------------------------------------------
0c51861ce4432c3f669657e2c4971c6f ./1.5/SRPMS/openssl-0.9.6-10tr.src.rpm
eb8a64dba138584b8085aec8d9ccaf0c ./1.5/RPMS/openssl-support-0.9.6-10tr.i586.rpm
9db293f035fbd82a3482ab87d3465eb2 ./1.5/RPMS/openssl-python-0.9.6-10tr.i586.rpm
582d08bb63676a33da1aa89a33a05914 ./1.5/RPMS/openssl-devel-0.9.6-10tr.i586.rpm
2d05569684b868cbacca9e389ded3f0f ./1.5/RPMS/openssl-0.9.6-10tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.2/SRPMS/openssl-0.9.6-3tr.src.rpm
84b50e02167b61a9d3093bcc055c7b45 ./1.2/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
b0c3b99917e1c69f593a74b9989a33f9 ./1.2/RPMS/openssl-0.9.6-3tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.1/SRPMS/openssl-0.9.6-3tr.src.rpm
111d6f3e42c2410a11ac4704036a31ef ./1.1/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
23d4bef487e86dfff1854f3f3c6fd867 ./1.1/RPMS/openssl-0.9.6-3tr.i586.rpm
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9RSsqwRTcg4BxxS0RAgv0AJsGLRMNaZ2pmZdE4NRQCLgfRpNLygCdHfkE
3bFFVLoH4NXOBs+mT/i8T4E=
=Ydxh
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Addition to Trustix Secure Linux Bugfix Advisory #2002-0063
Package name: openssl
Summary: Restart services
Date: 2002-08-01
Affected versions: TSL 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description:
I really hope all of you have updated the openssl package. :)
Most of you know this already, and I'm sorry I didn't include this in
the openssl advisory earlier this week. But here it goes:
Since openssl is a shared library, all services linked against this
library must be restarted for the changes to take effect.
The list of services is long and includes (but is not limited to):
httpd (mod_php4 is linked against libssl)
httpsd
simap
pop3s
postfix
postgresql
smb (maybe also winbind)
sshd
Action:
We recommend that all services that are linked against openssl are
restarted.
Get SWUP from:
<URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>
Questions?
Check out our mailing lists:
<URI:http://www.trustix.net/support/>
Verification:
This advisory, along with all TSL packages, is signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.net/TSL-GPG-KEY>
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9SQ9hwRTcg4BxxS0RAvABAJ4jrAH8CyFLWpcGguZElQgdL88tmgCfXv2Z
AorvR78koxCwr7qGSPbZX+A=
=WAGZ
-----END PGP SIGNATURE-----
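The restart requirement in the addendum above can be checked per process instead of working from a list of service names. The script below is an added example, not part of the Trustix advisory or its tooling: it reports every process that still maps an OpenSSL library whose file was replaced on disk. It assumes a Linux procfs that marks unlinked mappings with " (deleted)" and provides /proc/<pid>/comm; the function names and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Trustix advisory): list processes that still map a
# replaced OpenSSL shared library and therefore need a restart.
# Assumes Linux procfs: when a package upgrade unlinks the old library file,
# /proc/<pid>/maps shows the mapping with a trailing " (deleted)".

# Print the stale libssl/libcrypto paths found in one maps file.
stale_openssl_in_maps() {
    awk '/ \(deleted\)$/ && $6 ~ /\/lib(ssl|crypto)[-.0-9]*\.so/ { print $6 }' "$1" | sort -u
}

# Print "pid name library" for every process under PROC_ROOT (default /proc)
# that still maps a deleted OpenSSL library.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # other users' processes need root
        dir=${maps%/maps}
        libs=$(stale_openssl_in_maps "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        for lib in $libs; do
            printf '%s %s %s\n' "${dir##*/}" "$name" "$lib"
        done
    done
}

# Build a constructed sample procfs tree (two fake processes) and print its path.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/202"
    echo sshd > "$d/101/comm"
    echo crond > "$d/202/comm"
    cat > "$d/101/maps" <<'EOF'
08048000-0808a000 r-xp 00000000 03:01 4711 /usr/sbin/sshd
40020000-40050000 r-xp 00000000 03:01 5120 /usr/lib/libssl.so.0.9.6 (deleted)
40050000-40053000 rw-p 0002f000 03:01 5120 /usr/lib/libssl.so.0.9.6 (deleted)
40060000-40120000 r-xp 00000000 03:01 5121 /usr/lib/libcrypto.so.0.9.6 (deleted)
EOF
    cat > "$d/202/maps" <<'EOF'
08048000-0804f000 r-xp 00000000 03:01 4800 /usr/sbin/crond
40020000-40140000 r-xp 00000000 03:01 6001 /lib/libc-2.2.4.so
EOF
    echo "$d"
}

scan_proc "${1:-/proc}"
```

Run it as root after the upgrade so every process's maps file is readable; an empty result means no running process still holds the old library.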
If you have feedback, comments, or additional information about this vulnerability, please send us
email.