linux, säkerhet

10768047 2003-10-01 16:48 +0200 /68 rader/ Daniel Ahlberg <aliz@gentoo.org>
Sänt av: gentoo-announce-return-164-11451=lyskom.lysator.liu.se@gentoo.org
Importerad: 2003-10-01 16:59 av Brevbäraren
Extern mottagare: gentoo-announce@gentoo.org
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: full-disclosure@lists.netsys.com
Mottagare: Gentoo (-) mailimport <240>
Mottagare: Bugtraq (import) <29353>
    Sänt:     2003-10-01 18:30
Ärende: [gentoo-announce] GLSA:  openssl (200309-19)
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
- - - ---------------------------------------------------------------------

          PACKAGE : openssl
          SUMMARY : vulnerabilities in ASN.1 parsing
             DATE : 2003-10-01 14:48 UTC
          EXPLOIT : remote
     GENTOO BUG # : 30001
              CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

- - - ---------------------------------------------------------------------

DESCRIPTION

quote from OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the
parser can trigger a bug in the deallocation of the corresponding
data structure, corrupting the stack. This can be used as a denial of
service attack. It is currently unknown whether this can be exploited
to run malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code
if it is set to ignore public key decoding errors. Public key decode
errors are not normally ignored, except for debugging purposes, so
this is unlikely to affect production code. Exploitation of an
affected application would result in a denial of service
vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will
parse a client certificate when one is not specifically
requested. This by itself is not strictly speaking a vulnerability
but it does mean that *all* SSL/TLS servers that use OpenSSL can be
attacked using vulnerabilities 1, 2 and 3 even if they don't enable
client authentication."

read the full advisory at
http://www.openssl.org/news/secadv_20030930.txt

SOLUTION

it is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to a fixed version.

make sure that the version to be installed is atleast 0.9.6k(stable)
or 0.9.7c(masked).

emerge sync
emerge openssl -p
emerge openssl
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/eulGfT7nyhUpoZMRAqomAJ4uTF38SWWVKdh8khE8loCUuVmoawCeMRrM
i2jV0nCkowHud00KH4Eykq8=
=zPT1
-----END PGP SIGNATURE-----
(10768047) /Daniel Ahlberg <aliz@gentoo.org>/(Ombruten)