8221958 2002-03-29 11:46 -0800 /158 lines/ <security@caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2002-04-01 01:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <21650>
Subject: Security Update: [CSSA-2002-011.0] Linux: mod_ssl Buffer Overflow Condition
------------------------------------------------------------
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
security-alerts@linuxsecurity.com
Message-ID: <20020329114610.J25454@caldera.com>
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: mod_ssl Buffer Overflow Condition
Advisory number: CSSA-2002-011.0
Issue date: 2002, March 18
Cross reference:
______________________________________________________________________________
1. Problem Description
mod_ssl uses underlying OpenSSL routines in a manner which could
cause a buffer overflow.
2. Vulnerable Supported Versions
System                       Package
-----------------------------------------------------------------------------
OpenLinux Server 3.1         All packages previous to mod_ssl-2.8.5_1.3.22-2
OpenLinux Workstation 3.1    All packages previous to mod_ssl-2.8.5_1.3.22-2
OpenLinux Server 3.1.1       All packages previous to mod_ssl-2.8.5_1.3.22-2
OpenLinux Workstation 3.1.1  All packages previous to mod_ssl-2.8.5_1.3.22-2
3. Solution
Workaround
none
The proper solution is to upgrade to the latest packages.
4. OpenLinux 3.1 Server
4.1 Location of Fixed Packages
The 3.1 version of this package is not yet available. An
updated advisory will be published when the package is
released.
5. OpenLinux 3.1 Workstation
5.1 Location of Fixed Packages
The 3.1 version of this package is not yet available. An
updated advisory will be published when the package is
released.
6. OpenLinux 3.1.1 Server
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
6.2 Verification
64223d2995fd5501b440d14d9af35359  RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
f45c83a03d7fa38825645d551d5a1489  RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
57ad82f8f53b9745929002b06d8e26da  SRPMS/mod_ssl-2.8.5_1.3.22-2.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh mod_ssl-2.8.5_1.3.22-2.i386.rpm \
mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
7. OpenLinux 3.1.1 Workstation
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
7.2 Verification
64223d2995fd5501b440d14d9af35359  RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
f45c83a03d7fa38825645d551d5a1489  RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
57ad82f8f53b9745929002b06d8e26da  SRPMS/mod_ssl-2.8.5_1.3.22-2.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh mod_ssl-2.8.5_1.3.22-2.i386.rpm \
mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
8. References
Specific references for this advisory:
none
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
This security fix closes Caldera incidents sr861039, erg711978,
fz520252.
9. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through
our security advisories. Our advisories are a service to our
customers intended to promote secure installation and use of
Caldera International products.
10. Acknowledgements
Ed Moyle <emoyle@scsnet.csc.com> discovered and researched this
vulnerability.
______________________________________________________________________________
(8221958) / <security@caldera.com>/-------(Reflowed)
Attachment (application/pgp-signature) in text 8221959
8221959 2002-03-29 11:46 -0800 /10 lines/ <security@caldera.com>
Imported: 2002-04-01 01:54 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
Recipient: Bugtraq (import) <21651>
Attachment (text/plain) to text 8221958
Subject: Attachment to: Security Update: [CSSA-2002-011.0] Linux: mod_ssl Buffer Overflow Condition
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjykxIIACgkQbluZssSXDTFcIACgok2omM3v3vvg5ZKPG2TnBU5c
5EAAn0ZpxBmgxWOHfeuQrrYc8+77pb+8
=LpWT
-----END PGP SIGNATURE-----
(8221959) / <security@caldera.com>/-----------------
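
The Verification and Installing Fixed Packages steps of the advisory (6.2/6.3 and 7.2/7.3) as one procedure, in an added example that is not part of Caldera's advisory: each downloaded package is checked against the listed MD5 sum, and the advisory's `rpm -Fvh` command runs only when both binary packages match. The function names are hypothetical; `md5sum`, `awk` and `mktemp` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not Caldera's code. Checksums and file names are copied
# from sections 6.2 / 7.2 of the advisory; function names are hypothetical.
# MD5 here catches a corrupted or swapped download; the sums themselves are
# only as trustworthy as the PGP signature on the advisory that lists them.

# Print the advisory's checksums in md5sum(1) format: "<md5>  <file name>".
advisory_manifest() {
cat <<'EOF'
64223d2995fd5501b440d14d9af35359  mod_ssl-2.8.5_1.3.22-2.i386.rpm
f45c83a03d7fa38825645d551d5a1489  mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
57ad82f8f53b9745929002b06d8e26da  mod_ssl-2.8.5_1.3.22-2.src.rpm
EOF
}

# verify_packages DIR MANIFEST FILE...
# Returns 0 only if every FILE is listed in MANIFEST, exists in DIR,
# and has the listed MD5 sum. Stops at the first failure.
verify_packages() {
    vp_dir=$1; vp_manifest=$2; shift 2
    for vp_name in "$@"; do
        vp_want=$(awk -v n="$vp_name" '$2 == n { print $1 }' "$vp_manifest")
        [ -n "$vp_want" ] || { echo "no checksum listed: $vp_name" >&2; return 1; }
        [ -f "$vp_dir/$vp_name" ] || { echo "missing: $vp_name" >&2; return 1; }
        vp_got=$(md5sum "$vp_dir/$vp_name" | awk '{ print $1 }')
        [ "$vp_got" = "$vp_want" ] || { echo "MD5 mismatch: $vp_name" >&2; return 1; }
    done
    return 0
}

# upgrade_if_verified DIR
# Runs the advisory's upgrade command in DIR only after both binary
# packages verify; returns non-zero without calling rpm otherwise.
upgrade_if_verified() {
    uv_dir=$1
    uv_manifest=$(mktemp) || return 1
    advisory_manifest > "$uv_manifest"
    if verify_packages "$uv_dir" "$uv_manifest" \
        mod_ssl-2.8.5_1.3.22-2.i386.rpm mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
    then
        (cd "$uv_dir" && rpm -Fvh mod_ssl-2.8.5_1.3.22-2.i386.rpm \
            mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm)
        uv_status=$?
    else
        uv_status=1
    fi
    rm -f "$uv_manifest"
    return $uv_status
}
```

Call `upgrade_if_verified` with the directory holding the downloaded RPMS files, as root.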