Gentoo Linux Information for VU#102795

OpenSSL servers contain a buffer overflow during the SSL2 handshake process



Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



PACKAGE        :openssl
SUMMARY        :denial of service / remote root exploit
DATE           :2002-07-30 16:15:00

Multiple potentially remotely exploitable vulnerabilities have been found in


1. The client master key in SSL2 could be oversized and overrun a
   buffer. This vulnerability was also independently discovered by
   consultants at Neohapsis, who have also
   demonstrated that the vulnerability is exploitable. Exploit code is
   NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
   overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
   overrun a stack-based buffer. This issue only affects OpenSSL
   0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
   small on 64 bit platforms.

The full advisory can be read at


It is recommended that all Gentoo Linux users update their systems as

emerge --clean rsync
emerge openssl
emerge clean

After the installation of the updated OpenSSL you should restart the services
that use OpenSSL, which include such common services as OpenSSH, SSL-enabled
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.

Also, if you have an application that is statically linked to openssl you will
need to reemerge that application to build it against the new OpenSSL.

Daniel Ahlberg
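
The restart step above can be checked after the upgrade. The following is an added example, not part of the Gentoo advisory: it lists processes that still map the replaced (deleted) libssl or libcrypto and therefore still run the old code. It assumes a Linux /proc filesystem; the function name and the optional PROC_ROOT argument are hypothetical and exist only for illustration and testing.

```shell
#!/bin/sh
# Added example: find processes still using the pre-upgrade OpenSSL libraries.
# When a shared object is replaced on disk, processes started earlier keep the
# old file mapped and the kernel marks that mapping "(deleted)" in
# /proc/PID/maps. Such processes stay vulnerable until they are restarted.

# stale_openssl_pids [PROC_ROOT]
# Prints one "PID NAME LIBRARY" line per stale libssl/libcrypto mapping.
# PROC_ROOT defaults to /proc (assumption: paths contain no whitespace).
stale_openssl_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process exited or not readable
        dir=${maps%/maps}
        pid=${dir##*/}
        # maps fields: address perms offset dev inode path [(deleted)]
        libs=$(awk '$NF == "(deleted)" {
                        n = split($6, part, "/")
                        if (part[n] ~ /^lib(ssl|crypto)\.so/) print $6
                    }' "$maps" 2>/dev/null | sort -u)
        [ -n "$libs" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$name" "$lib"
        done
    done
    return 0
}
```

Run `stale_openssl_pids` as root so every process's maps file is readable; an empty result means no running process still maps the old libraries. Statically linked applications do not appear here and still have to be rebuilt as described above.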
