8790755 2002-07-30 17:09 +0200 /72 rader/ Daniel Ahlberg <aliz@gentoo.org> Sänt av: joel@lysator.liu.se Importerad: 2002-07-30 17:39 av Brevbäraren Extern mottagare: gentoo-security@gentoo.org Extern kopiemottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <23358> Ärende: GLSA: OpenSSL ------------------------------------------------------------ From: Daniel Ahlberg <aliz@gentoo.org> To: gentoo-security@gentoo.org Cc: bugtraq@securityfocus.com Message-ID: <200207301709.46925.aliz@gentoo.org> - -------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------- PACKAGE :openssl SUMMARY :denial of service / remote root exploit DATE :2002-07-30 16:15:00 - -------------------------------------------------------------------- OVERVIEW Multiple potentially remotely exploitable vulnerabilities has been found in OpenSSL. DETAIL 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time. 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled. 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms. The full advisory can be read at http://www.openssl.org/news/secadv_20020730.txt SOLUTION It is recommended that all Gentoo Linux users update their systems as follows. emerge --clean rsync emerge openssl emerge clean After the installation of the updated OpenSSL you should restart the services that uses OpenSSL, which include such common services as OpenSSH, SSL-Enabled POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well. Also, if you have an application that is statically linked to openssl you will need to reemerge that application to build it against the new OpenSSL. - -------------------------------------------------------------------- Daniel Ahlberg aliz@gentoo.org - -------------------------------------------------------------------- (8790755) /Daniel Ahlberg <aliz@gentoo.org>/(Ombruten)