List: openpkg-cvs
Subject: [CVS] OpenPKG: openpkg-web/ security.txt security.wml openpkg-web/secu...
From: "Thomas Lotterer" <thl () openpkg ! org>
Date: 2003-09-30 12:47:11
OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: thl@openpkg.org
Module: openpkg-web Date: 30-Sep-2003 14:47:11
Branch: HEAD Handle: 2003093013471100
Added files:
openpkg-web/security OpenPKG-SA-2003.044-openssl.txt
Modified files:
openpkg-web security.txt security.wml
Log:
SA-2003.044-openssl; CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
Summary:
Revision Changes Path
1.51 +1 -0 openpkg-web/security.txt
1.69 +1 -0 openpkg-web/security.wml
1.1 +158 -0 openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security.txt
============================================================================
$ cvs diff -u -r1.50 -r1.51 security.txt
--- openpkg-web/security.txt 24 Sep 2003 08:09:34 -0000 1.50
+++ openpkg-web/security.txt 30 Sep 2003 12:47:11 -0000 1.51
@@ -1,3 +1,4 @@
+30-Sep-2003: Security Advisory: S<OpenPKG-SA-2003.044-openssl>
24-Sep-2003: Security Advisory: S<OpenPKG-SA-2003.043-proftpd>
24-Sep-2003: Security Advisory: S<OpenPKG-SA-2003.042-openssh>
19-Sep-2003: Security Advisory: S<OpenPKG-SA-2003.041-sendmail>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security.wml
============================================================================
$ cvs diff -u -r1.68 -r1.69 security.wml
--- openpkg-web/security.wml 24 Sep 2003 08:09:34 -0000 1.68
+++ openpkg-web/security.wml 30 Sep 2003 12:47:11 -0000 1.69
@@ -76,6 +76,7 @@
</define-tag>
<box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">
<table cellspacing=0 cellpadding=0 border=0>
+ <sa 2003.044 openssl>
<sa 2003.043 proftpd>
<sa 2003.042 openssh>
<sa 2003.041 sendmail>
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.044-openssl.txt
============================================================================
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.044-openssl.txt
--- /dev/null 2003-09-30 14:47:11.000000000 +0200
+++ OpenPKG-SA-2003.044-openssl.txt 2003-09-30 14:47:11.000000000 +0200
@@ -0,0 +1,158 @@
+________________________________________________________________________
+
+OpenPKG Security Advisory The OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
+openpkg-security@openpkg.org openpkg@openpkg.org
+OpenPKG-SA-2003.044 30-Sep-2003
+________________________________________________________________________
+
+Package: openssl
+Vulnerability: denial of service, possibly arbitrary code execution
+OpenPKG Specific: no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT <= openssl-0.9.7b-20030806 >= openssl-0.9.7b-20030930
+OpenPKG 1.3 <= openssl-0.9.7b-1.3.1 >= openssl-0.9.7b-1.3.2
+OpenPKG 1.2 <= openssl-0.9.7-1.2.3 >= openssl-0.9.7-1.2.4
+
+Affected Releases: Dependent Packages:
+
+OpenPKG CURRENT apache* bind blender cadaver cfengine cpu cups curl
+ distcache dsniff easysoap ethereal* exim fetchmail
+ imap imapd imaputils inn jabberd kde-base kde-libs
+ linc links lynx mailsync meta-core mico* mixmaster
+ monit* mozilla mutt mutt15 nail neon nessus-libs
+ nmap openldap openssh openvpn perl-ssl pgadmin php*
+ pine* postfix* postgresql pound proftpd* qpopper
+ rdesktop samba samba3 sasl scanssh sendmail* siege
+ sio* sitecopy snmp socat squid* stunnel subversion
+ suck sysmon tcpdump tinyca w3m wget xmlsec
+
+OpenPKG 1.3 apache* bind cfengine cpu curl ethereal* fetchmail
+ imap imapd inn links lynx mico* mutt nail neon
+ openldap openssh perl-ssl php* postfix* postgresql
+ proftpd* qpopper rdesktop samba sasl scanssh
+ sendmail* siege sio* sitecopy snmp socat squid*
+ stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
+
+OpenPKG 1.2 apache* bind cpu curl ethereal* fetchmail imap inn
+ links lynx mico* mutt nail neon openldap openssh
+ perl-ssl postfix* postgresql qpopper rdesktop samba
+ sasl scanssh sendmail* siege sitecopy snmp socat
+ stunnel sysmon tcpdump tinyca w3m wget
+
+ (*) marked packages are only affected if certain build
+ options ("with_xxx") were used at build time. See
+ Appendix below for details.
+
+Description:
+ According to an OpenSSL [0] security advisory [1], multiple
+ vulnerabilities exist in OpenSSL versions up to and including 0.9.6j
+ and 0.9.7b:
+
+ 1. Certain ASN.1 encodings that are rejected as invalid by the ASN.1
+ parser can trigger a bug in the deallocation of the corresponding
+ data structure, corrupting the stack.
+
+ 2. Unusual ASN.1 tag values can cause an out of bounds read under
+ certain circumstances.
+
+ 3. A malformed public key in a certificate will crash the verify code
+ if it is set to ignore public key decoding errors (which is usually
+ not the case, except for debugging purposes).
+
+ 4. Due to an error in the SSL/TLS protocol handling, a server will
+ parse a client certificate when one is not specifically requested.
+ This means that all OpenSSL based SSL/TLS servers can be attacked
+ using vulnerabilities 1, 2 and 3 even if they don't enable client
+ authentication.
+
+ The Common Vulnerabilities and Exposures (CVE) project assigned the
+ ids CAN-2003-0543 [2], CAN-2003-0544 [3] and CAN-2003-0545 [4] to the
+ problems.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ openssl". If you have the "openssl" package installed and its version
+ is affected (see above), we recommend that you immediately upgrade it
+ (see Solution) and it's dependent packages (see above), too. [5][6]
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
+ location, verify its integrity [11], build a corresponding binary
+ RPM from it [5] and update your OpenPKG installation by applying the
+ binary RPM [6]. For the current release OpenPKG 1.3, perform the
+ following operations to permanently fix the security problem (for
+ other releases adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp> bin
+ ftp> cd release/1.3/UPD
+ ftp> get openssl-0.9.7b-1.3.2.src.rpm
+ ftp> bye
+ $ <prefix>/bin/rpm -v --checksig openssl-0.9.7b-1.3.2.src.rpm
+ $ <prefix>/bin/rpm --rebuild openssl-0.9.7b-1.3.2.src.rpm
+ $ su -
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7b-1.3.2.*.rpm
+
+ Additionally, we you have to rebuild and reinstall all dependent
+ packages (see above), too. [5][6]
+________________________________________________________________________
+
+Appendix:
+ Some packages are only affected if certain package options
+ ("with_xxx") were used at build time. Please check whether you are
+ affected by running "<prefix>/bin/rpm -qi <package>". The table below
+ lists all those packages, their options and values that make up the
+ difference regarding this advisory for OpenPKG CURRENT, 1.3 and 1.2.
+ Packages or options that were not available in a particular release
+ are marked "=".
+
+ package option "with_" CUR 1.3 1.2
+ -----------------------------------------
+ apache mod_ssl yes yes yes
+ : mod_php_pgsql yes yes =
+ : mod_php_openssl yes yes yes
+ : mod_php_openldap yes yes yes
+ : mod_php_imap yes yes =
+ : mod_php3_openssl yes yes yes
+ : mod_auth_ldap yes yes yes
+ ethereal openssl yes yes yes
+ mico ssl yes yes yes
+ monit ssl yes = =
+ php openssl yes yes =
+ : imap yes yes =
+ pine ssl yes = =
+ postfix tls yes yes yes
+ : ldap yes yes =
+ proftpd pgsql yes yes =
+ : ldap yes yes =
+ sendmail tls yes yes yes
+ : sasl yes yes yes
+ : ldap yes yes yes
+ sio bio yes yes =
+ squid ssl yes yes =
+________________________________________________________________________
+
+References:
+ [0] http://www.openssl.org/
+ [1] http://www.openssl.org/news/secadv_20030930.txt
+ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
+ [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
+ [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
+ [5] http://www.openpkg.org/tutorial.html#regular-source
+ [6] http://www.openpkg.org/tutorial.html#regular-binary
+ [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.4.src.rpm
+ [8] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.2.src.rpm
+ [9] ftp://ftp.openpkg.org/release/1.2/UPD/
+ [10] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [11] http://www.openpkg.org/security.html#signature
+________________________________________________________________________
+
+For security reasons, this advisory was digitally signed with the
+OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the
+OpenPKG project which you can retrieve from http://pgp.openpkg.org and
+hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
+for details on how to verify the integrity of this advisory.
+________________________________________________________________________
+
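Review bot: two wording errors in the new advisory text: "it's dependent packages" in the Description paragraph should read "its dependent packages", and "Additionally, we you have to rebuild and reinstall" in the Solution section should drop the stray "we". One point on the Affected/Corrected Packages table worth stating explicitly: every corrected package keeps the upstream version string of a release the Description itself lists as vulnerable (openssl-0.9.7b-1.3.2 and openssl-0.9.7b-20030930 still carry 0.9.7b, openssl-0.9.7-1.2.4 still carries 0.9.7), so the OpenSSL version number alone cannot tell a fixed installation from an unfixed one; the check the Description gives, "<prefix>/bin/rpm -q openssl", prints the full name-version-release, and the advisory should say that the release part (1.3.2, 1.2.4, 20030930) is what has to be compared against the table, not the 0.9.7/0.9.7b version number.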
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org