OpenPKG Information for VU#561275

OpenSSL servers contain a remotely exploitable buffer overflow vulnerability during the SSL3 handshake process

Status

Affected

Vendor Statement

See http://www.openpkg.org/security/OpenPKG-SA-2002.008-openssl.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.008                                          30-Jul-2002
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0               OpenPKG CURRENT
Affected  Packages:  <= openssl-0.9.6b-1.0.0   <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1   >= openssl-0.9.6e
Dependent Packages:  apache                    apache
                    curl                      bind
                    fetchmail                 cadaver
                    imapd                     cpu
                    inn                       curl
                    links                     dsniff
                    lynx                      exim
                    mutt                      fetchmail
                    openldap                  imapd
                    openssh                   inn
                    perl-ssl                  links
                    postfix                   lynx
                    postgresql                mutt
                    qpopper                   neon
                    samba                     openldap
                    sasl                      openssh
                    scanssh                   openvpn
                    sendmail                  perl-ssl
                    siege                     postfix
                    sitecopy                  postgresql
                    snmp                      qpopper
                    stunnel                   rdesktop
                    tcpdump                   samba
                    w3m                       sasl
                                              scanssh
                                              sendmail
                                              siege
                                              sitecopy
                                              snmp
                                              stunnel
                                              sysmon
                                              tcpdump
                                              w3m

Description:
 According to an official security advisory from the OpenSSL team,
 there are four remotely exploitable buffer overflows that affect
 various OpenSSL client and server implementations [5]. There are
 also parsing problems in the ASN.1 library used by OpenSSL. The
 Common Vulnerabilities and Exposures (CVE) project assigned the
 ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
 CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
 could be used by a remote attacker to execute arbitrary code on the
 target system. All could be used to create a denial of service.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
 openssl". If you have the "openssl" package installed and its version
 is affected (see above), we recommend that you immediately upgrade it
 (see Solution). Additionally, you have to rebuild and reinstall all
 dependent OpenPKG packages, too. [2]

Solution:
 Select the updated source RPM appropriate for your OpenPKG release
 [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
 verify its integrity [1], build a corresponding binary RPM from it
 and update your OpenPKG installation by applying the binary RPM [2].
 For the latest OpenPKG 1.0 release, perform the following operations
 to permanently fix the security problem (for other releases adjust
 accordingly).

  $ ftp ftp.openpkg.org
 ftp> bin
 ftp> cd release/1.0/UPD
 ftp> get openssl-0.9.6b-1.0.1.src.rpm
 ftp> bye
 $ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
 $ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
 $ su -
 # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
 too (see list above).
________________________________________________________________________

References:
 [1]  http://www.openpkg.org/security.html#signature
 [2]  http://www.openpkg.org/tutorial.html#regular-source
 [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
 [4]  ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
 [5]  http://www.openssl.org/news/secadv_20020730.txt
 [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
 [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
 [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
 [9]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.