Gentoo Linux Information for VU#748355

ASN.1 parsing errors exist in implementations of SSL, TLS, S/MIME, PKCS#7 routines

Status

Unknown. If you are the vendor named above, please contact us to update your status.

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Even though this announcement doesn't mention a specific fix for VU#748355 (ASN.1), we include it here for historical purposes.

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :openssl
SUMMARY        :denial of service / remote root exploit
DATE           :2002-07-30 16:15:00

--------------------------------------------------------------------

OVERVIEW

Multiple potentially remotely exploitable vulnerabilities have been found in
OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a
   buffer. This vulnerability was also independently discovered by
   consultants at Neohapsis (http://www.neohapsis.com/) who have also
   demonstrated that the vulnerability is exploitable. Exploit code is
   NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
   overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
   overrun a stack-based buffer. This issue only affects OpenSSL
   0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
   small on 64 bit platforms.

The full advisory can be read at
http://www.openssl.org/news/secadv_20020730.txt

SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge openssl
emerge clean

After the installation of the updated OpenSSL you should restart the services
that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.

Also, if you have an application that is statically linked to openssl you will
need to reemerge that application to build it against the new OpenSSL.

--------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
--------------------------------------------------------------------
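
The restart step in the announcement can be verified on Linux by looking for processes that still map the replaced library. The script below is an added example, not part of the Gentoo announcement. It assumes a /proc layout with per-process maps and comm files, and its sample data is constructed. Statically linked programs do not show up here and still need rebuilding.

```shell
#!/bin/sh
# Added example: list processes still running against a replaced OpenSSL
# shared library. After a package upgrade the old file is unlinked, and the
# kernel marks mappings of it with "(deleted)" in /proc/PID/maps.

# Return 0 if the given maps file shows libssl or libcrypto mapped from a
# file that no longer exists on disk.
has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "PID NAME" for every process under the given proc root (default
# /proc) that has a stale mapping. Entries that cannot be read are skipped,
# so run as root to cover every process.
list_stale_openssl() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if has_stale_openssl "$dir/maps"; then
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample: a fake proc tree with one process that was started
# before the upgrade (101) and one that was restarted afterwards (202).
# Paths, inode numbers and library suffixes are made up for illustration.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    echo sshd > "$root/101/comm"
    echo '40000000-40100000 r-xp 00000000 03:01 1234 /usr/lib/libcrypto.so.0 (deleted)' \
        > "$root/101/maps"
    echo stunnel > "$root/202/comm"
    echo '40000000-40100000 r-xp 00000000 03:01 5678 /usr/lib/libssl.so.0' \
        > "$root/202/maps"
    echo "$root"
}

# Scan the live system when run directly.
list_stale_openssl /proc
```

Any process listed should be restarted so that it loads the updated library.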

If you have feedback, comments, or additional information about this vulnerability, please send us email.