This may be a stupid question but my OpenSSH dist is obviously compiled with OpenSSL 0.9.7c and im wondering if i will need to go and recompile it all again and redistribute. We dont use SSL directly other than through this ssh. Cheers ----- Original Message ----- From: "Mark J Cox" <mark@awe.com> To: <full-disclosure@lists.netsys.com>; <bugtraq@securityfocus.com> Sent: Wednesday, March 17, 2004 1:12 PM Subject: New OpenSSL releases fix denial of service attacks [17 March 2004] > -----BEGIN PGP SIGNED MESSAGE----- > > OpenSSL Security Advisory [17 March 2004] > > Updated versions of OpenSSL are now available which correct two > security issues: > > > 1. Null-pointer assignment during SSL handshake > =============================================== > > Testing performed by the OpenSSL group using the Codenomicon TLS Test > Tool uncovered a null-pointer assignment in the > do_change_cipher_spec() function. A remote attacker could perform a > carefully crafted SSL/TLS handshake against a server that used the > OpenSSL library in such a way as to cause OpenSSL to crash. Depending > on the application this could lead to a denial of service. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2004-0079 to this issue. > > All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from > 0.9.7a to 0.9.7c inclusive are affected by this issue. Any > application that makes use of OpenSSL's SSL/TLS library may be > affected. Please contact your application vendor for details. > > > 2. Out-of-bounds read affects Kerberos ciphersuites > =================================================== > > Stephen Henson discovered a flaw in SSL/TLS handshaking code when > using Kerberos ciphersuites. A remote attacker could perform a > carefully crafted SSL/TLS handshake against a server configured to use > Kerberos ciphersuites in such a way as to cause OpenSSL to crash. > Most applications have no ability to use Kerberos ciphersuites and > will therefore be unaffected. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2004-0112 to this issue. > > Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this > issue. Any application that makes use of OpenSSL's SSL/TLS library > may be affected. Please contact your application vendor for details. > > Recommendations > - --------------- > > Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications > statically linked to OpenSSL libraries. > > OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and > FTP from the following master locations (you can find the various FTP > mirrors under http://www.openssl.org/source/mirror.html): > > ftp://ftp.openssl.org/source/ > > The distribution file names are: > > o openssl-0.9.7d.tar.gz > MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5 > > o openssl-0.9.6m.tar.gz [normal] > MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9 > o openssl-engine-0.9.6m.tar.gz [engine] > MD5 checksum: 4c39d2524bd466180f9077f8efddac8c > > The checksums were calculated using the following command: > > openssl md5 openssl-0.9*.tar.gz > > Credits > - ------- > > Patches for these issues were created by Dr Stephen Henson > (steve@openssl.org) of the OpenSSL core team. The OpenSSL team would > like to thank Codenomicon for supplying the TLS Test Tool which was > used to discover these vulnerabilities, and Joe Orton of Red Hat for > performing the majority of the testing. > > References > - ---------- > > http://www.codenomicon.com/testtools/tls/ > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 > > URL for this Security Advisory: > http://www.openssl.org/news/secadv_20040317.txt > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.3 (GNU/Linux) > > iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd > G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ > pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j > Ez3jSlsbRRA= > =wvAZ > -----END PGP SIGNATURE----- > >
