8796538 2002-07-31 11:16 -0700  /196 lines/ <security@caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-31  22:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <23405>
Subject: Security Update: [CSSA-2002-033.0] Linux: multiple vulnerabilities in openssl
------------------------------------------------------------
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
 security-alerts@linuxsecurity.com, full-disclosure@lists.netsys.com
Message-ID: <20020731111615.R29736@caldera.com>

______________________________________________________________________________

		Caldera International, Inc.  Security Advisory

Subject:		Linux: multiple vulnerabilities in openssl
Advisory number: 	CSSA-2002-033.0
Issue date: 		2002 July 31
Cross reference:
______________________________________________________________________________


1. Problem Description

	There are four remotely exploitable buffer overflows that
	affect various OpenSSL client and server
	implementations. There are also encoding problems in the
	ASN.1 library used by OpenSSL. Several of these
	vulnerabilities could be used by a remote attacker to execute
	arbitrary code on the target system. All could be used to
	create denial of service.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1 Server		prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm

	OpenLinux 3.1 Workstation	prior to openssl-0.9.6-18.i386.rpm
					prior to openssl-devel-0.9.6-18.i386.rpm
					prior to openssl-devel-static-0.9.6-18.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater,
	called cupdate (or kcupdate under the KDE environment), to
	update these packages rather than downloading and installing
	them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/RPMS

	4.2 Packages

	49b6589ee4e3fa4780a279e5dc46604d	openssl-0.9.6-18.i386.rpm
	608246e3b6de6e1f08946915307813a1	openssl-devel-0.9.6-18.i386.rpm
	55c039bf7e2f23805fe4060d72d94974	openssl-devel-static-0.9.6-18.i386.rpm

	4.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	4.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.0/SRPMS

	4.5 Source Packages

	99196cf80db29415ca44ef78733701ca	openssl-0.9.6-18.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/RPMS

	5.2 Packages

	6c83bdbaa0866d48413a6986d44add2b	openssl-0.9.6-18.i386.rpm
	c17adb44ffd8f0f5e8b812904cf58227	openssl-devel-0.9.6-18.i386.rpm
	0f9741b9b1348e4100bbc4c2165983b4	openssl-devel-static-0.9.6-18.i386.rpm

	5.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	5.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.0/SRPMS

	5.5 Source Packages

	7f819da5b612bd24e1f08b3e6ce96c7c	openssl-0.9.6-18.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/RPMS

	6.2 Packages

	db2c63ecd72f9c919d75b80f7bf21416	openssl-0.9.6-18.i386.rpm
	dfacf5e8c7588d19bda6aacbee04455c	openssl-devel-0.9.6-18.i386.rpm
	5caa2e9083c7bd82cf11abb747f92e24	openssl-devel-static-0.9.6-18.i386.rpm

	6.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	6.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.0/SRPMS

	6.5 Source Packages

	209ee703939cf4de47cc2e403e7a7a5f	openssl-0.9.6-18.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/RPMS

	7.2 Packages

	4a71d2544d0b06600abc27bddc4d20f5	openssl-0.9.6-18.i386.rpm
	6a0caf0bfef379791b83aaca484d212d	openssl-devel-0.9.6-18.i386.rpm
	294d134720153d5f4b284653d42cfdb1	openssl-devel-static-0.9.6-18.i386.rpm

	7.3 Installation

	rpm -Fvh openssl-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-18.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-18.i386.rpm

	7.4 Source Package Location

	ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.0/SRPMS

	7.5 Source Packages

	480806a05bc92716fd17001873c40c9a	openssl-0.9.6-18.src.rpm
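
Added example, not part of Caldera's advisory or tooling: a checksum gate to run on hand-downloaded packages before the `rpm -Fvh` commands in sections 4 through 7. The function name `verify_md5_manifest`, the manifest file name, and the manifest layout (each MD5 value from the Packages subsection for your platform followed by its filename on one line) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Caldera tooling: check downloaded packages against the
# MD5 values published in the advisory before running rpm -Fvh.
#
# usage: verify_md5_manifest <manifest> <dir>
#   manifest: one "<32-hex-md5> <filename>" pair per line (assumed layout);
#             blank lines and lines starting with # are ignored
#   dir:      directory holding the downloaded .rpm files
# Returns 0 only if every listed file is present and matches.
verify_md5_manifest() {
    manifest=$1
    dir=$2
    rc=0
    checked=0
    while read -r want name rest || [ -n "$want" ]; do
        case $want in ''|'#'*) continue ;; esac
        checked=$((checked + 1))
        # A malformed entry is a failure, never a silent skip.
        if ! printf '%s\n' "$want" | grep -Eq '^[0-9A-Fa-f]{32}$' ||
           [ -z "$name" ] || [ -n "$rest" ]; then
            echo "MALFORMED: $want $name $rest" >&2; rc=1; continue
        fi
        # Only bare filenames are accepted, so an entry cannot point outside dir.
        case $name in */*) echo "BAD NAME: $name" >&2; rc=1; continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING: $name" >&2; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK: $name"
        else
            echo "MISMATCH: $name (advisory $want, file $got)" >&2; rc=1
        fi
    done < "$manifest"
    # A manifest with no entries verified nothing.
    [ "$checked" -gt 0 ] || rc=1
    return "$rc"
}

# Typical use, with the section 4.2 values saved to a file (hypothetical name):
#   verify_md5_manifest cssa-2002-033.md5 . && rpm -Fvh openssl-0.9.6-18.i386.rpm
```

The MD5 values are only as trustworthy as the copy of the advisory they were taken from, so copy them from a message whose PGP signature has been checked.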


8. References

	Specific references for this advisory:
		http://www.openssl.org/news/secadv_20020730.txt
		http://www.cert.org/advisories/CA-2002-23.html

	Caldera security resources:
		http://www.caldera.com/support/security/index.html

	This security fix closes Caldera incidents sr867369, fz525695,
	erg501640.


9. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on this website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera products.


10. Acknowledgements

	These vulnerabilities were discovered and reported by the
	following: A.L. Digital Ltd, John McDonald of Neohapsis, Adi
	Stav, James Yonan.

______________________________________________________________________________
(8796538) /<security@caldera.com>/--------(Rewrapped)
Attachment (application/pgp-signature) in text 8796539
8796539 2002-07-31 11:16 -0700  /9 lines/ <security@caldera.com>
Imported: 2002-07-31  22:46  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
External recipient: full-disclosure@lists.netsys.com
Recipient: Bugtraq (import) <23406>
Attachment (text/plain) to text 8796538
Subject: Attachment to: Security Update: [CSSA-2002-033.0] Linux: multiple vulnerabilities in openssl
------------------------------------------------------------
(8796539) /<security@caldera.com>/------------------