
List:       gentoo-dev
Subject:    [gentoo-dev] Re: [gentoo-security] GLSA: OpenSSL
From:       Mickey Mullin <mmullin () websoft ! com>
Date:       2002-07-31 14:20:31

Hey, this doesn't look right.

I followed the instructions (not that there is much to an rsync/emerge/clean 
scenario), but it appears that my system is playing a prank:

--- ---
 >>> dev-libs/openssl-0.9.6e merged.
[snip]
newjersey root # emerge -p clean

 >>> These are the packages that I would unmerge:

  dev-libs/openssl
     selected: 0.9.6d
    protected: 0.9.6c-r1 0.9.6e
      omitted: none

 >>> Packages in red are slated for removal.
 >>> Packages in green will not be removed.
--- ---

Why is it going to "clean" the package that I just merged (0.9.6e)?  It 
worked properly on my other servers.  Curious....

Mickey
-- 
Mickey Mullin
Chief Technical Officer
Websoft Systems, Inc.
www.websoft.com
mmullin@websoft.com
732-212-1933 x204

Daniel Ahlberg wrote:
> - -------------------------------------------------------------------- 
> GENTOO LINUX SECURITY ANNOUNCEMENT 
> - --------------------------------------------------------------------
> 
> PACKAGE        :openssl
> SUMMARY        :denial of service / remote root exploit
> DATE           :2002-07-30 16:15:00
> 
> - --------------------------------------------------------------------
> 
> OVERVIEW
>  
> Multiple potentially remotely exploitable vulnerabilities have been found in 
> OpenSSL. 
> 
> DETAIL
> 
> 1. The client master key in SSL2 could be oversized and overrun a
>     buffer. This vulnerability was also independently discovered by
>     consultants at Neohapsis (http://www.neohapsis.com/) who have also
>     demonstrated that the vulnerability is exploitable. Exploit code is
>     NOT available at this time.
> 
> 2. The session ID supplied to a client in SSL3 could be oversized and
>     overrun a buffer.
> 
> 3. The master key supplied to an SSL3 server could be oversized and
>     overrun a stack-based buffer. This issue only affects OpenSSL
>     0.9.7 before 0.9.7-beta3 with Kerberos enabled.
> 
> 4. Various buffers for ASCII representations of integers were too
>     small on 64 bit platforms.
> 
> The full advisory can be read at 
> http://www.openssl.org/news/secadv_20020730.txt
> 
> SOLUTION
> 
> It is recommended that all Gentoo Linux users update their systems as
> follows.
> 
> emerge --clean rsync
> emerge openssl
> emerge clean
> 
> After the installation of the updated OpenSSL you should restart the services 
> that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled 
> POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
> 
> Also, if you have an application that is statically linked to openssl you will 
> need to reemerge that application to build it against the new OpenSSL.
>  
> - --------------------------------------------------------------------
> Daniel Ahlberg
> aliz@gentoo.org
> - --------------------------------------------------------------------

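A check that goes with the advisory's advice to restart services after the OpenSSL upgrade, added here as an example and not part of this thread or of Gentoo's tooling: it scans /proc/*/maps for processes that still have a replaced (now "(deleted)") libssl or libcrypto mapped, which is exactly the set of daemons that were not restarted. The function name and the optional PROC_ROOT argument are assumptions made for this example; statically linked programs never show up in maps and still have to be re-emerged as the advisory says.

```shell
#!/bin/sh
# Report processes that still run against an old, already-replaced
# libssl/libcrypto. After the new OpenSSL is merged, the kernel keeps the
# old file alive for running processes and marks the mapping "(deleted)".
# Usage: stale_ssl_users [PROC_ROOT]   (PROC_ROOT defaults to /proc;
#        the argument exists so the function can be run on a constructed tree)
stale_ssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"
        pid="${pid##*/}"
        # maps line: addr perms offset dev inode pathname [(deleted)]
        if grep -E 'lib(ssl|crypto)[^ ]*\.so.*\(deleted\)' "$maps" >/dev/null 2>&1; then
            name="unknown"
            if [ -r "$proc_root/$pid/status" ]; then
                name="$(sed -n 's/^Name:[[:space:]]*//p' "$proc_root/$pid/status")"
            fi
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Invoked as "sh thisfile.sh --run [PROC_ROOT]": report on the live system.
if [ "${1:-}" = "--run" ]; then
    stale_ssl_users "${2:-/proc}"
fi
```

Each reported line is a PID and process name to restart (or, for a statically linked binary, to re-emerge); an empty report after restarting the listed services means nothing is left on the old library.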
_______________________________________________
gentoo-dev mailing list
gentoo-dev@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-dev