MDKSA-2003:098 - Updated openssl packages fix vulnerabilities

Mandrake Linux Security Team <security@linux-mandrake.com> · 1 Oct 2003 05:16:35 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           openssl
Advisory ID:            MDKSA-2003:098
Date:                   September 30th, 2003

Affected versions:	8.2, 9.0, 9.1, 9.2, Corporate Server 2.1,
			Multi Network Firewall 8.2
________________________________________________________________________

Problem Description:

 Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The
 parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which
 could be triggered by a remote attacker by sending a carefully-crafted
 SSL client certificate to an application.  Depending upon the
 application targetted, the effects seen will vary; in some cases a DoS
 (Denial of Service) could be performed, in others nothing noticeable
 or adverse may happen.  These two vulnerabilities have been assigned
 CAN-2003-0543 and CAN-2003-0544.

 Additionally, NISCC discovered a third bug in OpenSSL 0.9.7.  Certain
 ASN.1 encodings that are rejected as invalid by the parser can trigger
 a bug in deallocation of a structure, leading to a double free.  This
 can be triggered by a remote attacker by sending a carefully-crafted
 SSL client certificate to an application.  This vulnerability may be
 exploitable to execute arbitrary code.  This vulnerability has been
 assigned CAN-2003-0545.

 The packages provided have been built with patches provided by the
 OpenSSL group that resolve these issues.

 A number of server applications such as OpenSSH and Apache that make
 use of OpenSSL need to be restarted after the update has been applied
 to ensure that they are protected from these issues.  Users are
 encouraged to restart all of these services or reboot their systems.
________________________________________________________________________

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
  http://www.kb.cert.org/vuls/id/255484
  http://www.kb.cert.org/vuls/id/380864
  http://www.kb.cert.org/vuls/id/935264
  http://www.openssl.org/news/secadv_20030930.txt
  http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
  http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
________________________________________________________________________

Updated Packages:

 Corporate Server 2.1:
 ec80ef980212f5bf294f147e5bc19f76  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
 1de4f2038f479b1b779d5b2c9320e8fb  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
 4946dc25021ef97eb6513f3dd1dd16f6  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
 3d5e3a05ead47fafa59240be9efc87d2  corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
 6982c0adf01f00ea5d49deb24011c278  corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

 Corporate Server 2.1/x86_64:
 eab60b3828aeec0e2717890e51a90e76  x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm
 19d8a676a11293d8e6acb429bed63a99  x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm
 5eb3936b8fade73ca1c334d67edad3ae  x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm
 9df6c6e820719ac33744e1708621bdf3  x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm
 6982c0adf01f00ea5d49deb24011c278  x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

 Mandrake Linux 8.2:
 e8d13a3adbd679a0c1cd15dd28eb02f1  8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
 4b783a98f4cc48be8a6b680a92f374ce  8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
 0481e5edacc8985d7255266fd136ceba  8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
 93a47ac82a618905c7d4a6e0d276c586  8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
 15b7ba1d342ae3531964e60a186874d8  8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm

 Mandrake Linux 9.0:
 ec80ef980212f5bf294f147e5bc19f76  9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
 1de4f2038f479b1b779d5b2c9320e8fb  9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
 4946dc25021ef97eb6513f3dd1dd16f6  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
 3d5e3a05ead47fafa59240be9efc87d2  9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
 6982c0adf01f00ea5d49deb24011c278  9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

 Mandrake Linux 9.1:
 42365cfe8a9214a747bd1fa6329baec8  9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm
 a3a5046af719b864a337ce432e694a8b  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm
 2e879f9d5349458c5653e97f20cf2218  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm
 cf9bc9fc1cce8841d3cdb1d9fcd8b313  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm
 b475cc257c14dbaccd9007afa14096f5  9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm
 329bd3dd8cdfad6d445b4fbcc953dc91  9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
 9498e31ab37a4455f31827ce51afb221  9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 915f8ab4ea91e0d876c9204b1f3699b0  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm
 fafb4ac4c88c321d3c8fb7fdba54bac4  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm
 184be4bdf922fbc28b590a71b7cf8c10  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm
 09e1bd3c05323d10d8002a44dbbc85dd  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm
 cfbcacc68e2585a5fcbbeb8c9fc3b0d7  ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm
 329bd3dd8cdfad6d445b4fbcc953dc91  ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
 9498e31ab37a4455f31827ce51afb221  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

 Mandrake Linux 9.2:
 db717c9a2e8f98905290d341e799c7b2  9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm
 76ba7c153a75c5dcfeae9f9f16f001e4  9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm
 7655e50f898e4e4d368cd8e47d38806d  9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm
 3f846e75cfdbdd9e818376474e1e54c0  9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm
 738181704cb49e34d982a5b4224cc66c  9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 e8d13a3adbd679a0c1cd15dd28eb02f1  mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
 93a47ac82a618905c7d4a6e0d276c586  mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
 15b7ba1d342ae3531964e60a186874d8  mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/emMzmqjQ0CJFipgRAgz6AJ9wOxt7lA2wyZ9t4kUlmbIKeLq8pACgq5vV
RvuAK10PkmmQzzXKTz5f6KM=
=SSpZ
-----END PGP SIGNATURE-----