6439697 2001-05-02 09:38 -0400  /128 rader/ EnGarde Secure Linux <security@GUARDIANDIGITAL.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-02  18:12  av Brevbäraren
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: security@GUARDIANDIGITAL.COM
Mottagare: Bugtraq (import) <16872>
Ärende: [ESA-20010426-01] openssl vulnerabilities
------------------------------------------------------------
From: EnGarde Secure Linux <security@GUARDIANDIGITAL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10105020937080.7725-100000@mastermind.inside.guardiandigital.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                    May 02, 2001 |
| http://www.engardelinux.org/                           ESA-20010426-01 |
|                                                                        |
| Package:  openssl                                                      |
| Summary:  There are four potential vulnerabilities in openssl.         |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that
  features improved access control, host and network intrusion
  detection, Web based secure remote management, complete e-commerce
  using AllCommerce, and integrated open source security tools.


OVERVIEW
- --------
  There are four potential vulnerabilities in the version of openssl which
  shipped with EnGarde Secure Linux version 1.0.1.


DETAIL
- ------
  There were four security fixes introduced into openssl 0.9.6a.  However,
  this release also broke binary compatibility with older versions of
  openssl.  Thanks to Nalin Dahyabhai, these changes have been backported
  into openssl 0.9.6.  This alleviates having to release updated packages
  for all of the programs that depend on openssl, such as openssh.

  The security-related changes are (from the 0.9.6a announcement):

    o Security fix: change behavior of OpenSSL to avoid using environment
      variables when running as root.
    o Security fix: check the result of RSA-CRT to reduce the possibility
      of deducing the private key from an incorrectly calculated
      signature.
    o Security fix: prevent Bleichenbacher's DSA attack.
    o Security fix: Zero the premaster secret after deriving the master
      secret in DH ciphersuites.


SOLUTION
- --------
  All users running 'openssl' should upgrade to the most recent version,
  as outlined in this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  To install the updated package, execute the command:

    rpm -Uvh <filename>

  To verify the signature of the updated packages, execute the
command:

    rpm -Kv <filename>


UPDATED PACKAGES
- ----------------

  Source Packages:

    SRPMS/openssl-0.9.6-1.0.13.src.rpm
      MD5 Sum:  6e8134b6635a77bc6a9101438b50427a


  i386 Binary Packages:

    i386/openssl-0.9.6-1.0.13.i386.rpm
      MD5 Sum:  2a0f944722c27fd34d8549dae25b611d

    i386/openssl-misc-0.9.6-1.0.13.i386.rpm
      MD5 Sum:  59cb6c0fed182b2b5eb3789b2fffdae7


  i686 Binary Packages:

    i686/openssl-0.9.6-1.0.13.i686.rpm
      MD5 Sum:  7bdedd1a057f547cc59a56b35801c277

    i686/openssl-misc-0.9.6-1.0.13.i686.rpm
      MD5 Sum:  82aa05b124b35809f27d48f81418e3e0


REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  OpenSSL's official web site:
    http://www.openssl.org/

  OpenSSL 0.9.6a announcement:
    http://marc.theaimsgroup.com/?l=openssl-announce&m=98655255404174&w=2


- --------------------------------------------------------------------------
$Id: 2001.04.26-openssl,v 1.1 2001/04/26 15:18:29 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE68A3MHD5cqd57fu0RAq/kAKCZtcdkl6rNYMfaxHCRDKbfUcQHswCfVpUT
JfSAP9PGVd2+88xokmdY2hg=
=iko6
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
     To unsubscribe email engarde-security-request@engardelinux.org
         with "unsubscribe" in the subject of the message.

Copyright(c) 2001 Guardian Digital, Inc.                EnGardeLinux.org
------------------------------------------------------------------------
(6439697) /EnGarde Secure Linux <security@GUARDIANDIGITAL.COM>/(Ombruten)