Gentoo Linux Information for VU#748355
| Date Notified: | |
| Date Updated: | |
| Statement Date: | |
| Status Summary: | Unknown |
Vendor Statement
No statement is currently available from the vendor regarding this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Even though this announcement doesn't mention a specific fix for VU#748355 (ASN.1), we include it here for historical purposes.
- --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------
PACKAGE :openssl
SUMMARY :denial of service / remote root exploit
DATE :2002-07-30 16:15:00
- --------------------------------------------------------------------
OVERVIEW
Multiple potentially remotely exploitable vulnerabilities have been found in
OpenSSL.
DETAIL
1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have also
demonstrated that the vulnerability is exploitable. Exploit code is
NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and
overrun a stack-based buffer. This issue only affects OpenSSL
0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.
The full advisory can be read at
http://www.openssl.org/news/secadv_20020730.txt
SOLUTION
It is recommended that all Gentoo Linux users update their systems as
follows.
emerge --clean rsync
emerge openssl
emerge clean
After the installation of the updated OpenSSL you should restart the services
that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
Also, if you have an application that is statically linked to openssl you will
need to reemerge that application to build it against the new OpenSSL.
- --------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
- --------------------------------------------------------------------
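The announcement's advice to restart services after the update can be checked on a Linux host: a process started before the upgrade keeps the replaced library mapped, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of the Gentoo announcement or the CERT/CC note; the function names and the sample maps text (including the library file names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update OpenSSL.
# Assumes a Linux /proc filesystem; function names are hypothetical.

# Read /proc/<pid>/maps text on stdin and print each libssl/libcrypto path
# whose backing file was replaced on disk (the kernel tags it "(deleted)").
stale_openssl_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# Walk every readable process and report the ones that need a restart.
# Output columns: pid, command name, stale libraries.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        libs=$(stale_openssl_libs 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        name=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${name:-?}" "$(echo $libs)"
    done
}

# Constructed sample: maps of a daemon that was started before the update.
SAMPLE_MAPS='08048000-080a1000 r-xp 00000000 03:01 4112 /usr/sbin/sshd
40018000-40045000 r-xp 00000000 03:01 9001 /usr/lib/libssl.so.0.9.6 (deleted)
40045000-40048000 rw-p 0002c000 03:01 9001 /usr/lib/libssl.so.0.9.6 (deleted)
40050000-40110000 r-xp 00000000 03:01 9002 /usr/lib/libcrypto.so.0.9.6 (deleted)
40200000-40320000 r-xp 00000000 03:01 7003 /lib/libc-2.2.5.so'

# Run as root with --scan to inspect the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

Statically linked binaries never appear in this output because they map no shared libssl or libcrypto; those still have to be rebuilt as the announcement says.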
If you have feedback, comments, or additional information about this vulnerability, please send us
email.