--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated openssl packages fix remote vulnerabilities Advisory ID: RHSA-2002:155-11 Issue date: 2002-07-25 Updated on: 2002-07-29 Product: Red Hat Linux Keywords: OpenSSL master session key Cross references: Obsoletes: RHSA-2001:051 CVE Names: CAN-2002-0655 CAN-2002-0656 --------------------------------------------------------------------- 1. Topic: Updated OpenSSL packages are available which fix several serious buffer overflow vulnerabilities. 2. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, sparc Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, i686, ia64 Red Hat Linux 7.3 - i386, i686 3. Problem description: OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A security audit of the OpenSSL code sponsored by DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 and 0.9.6d and earlier: 1. The master key supplied by a client to an SSL version 2 server could be oversized, causing a stack-based buffer overflow. This issue is remotely exploitable. Services that have SSLv2 disabled would not be vulnerable to this issue. (CAN-2002-0656) 2. The SSLv3 session ID supplied to a client from a malicious server could be oversized and overrun a buffer. This issue looks to be remotely exploitable. (CAN-2002-0656) 3. Various buffers used for storing ASCII representations of integers were too small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655) A further issue was found in OpenSSL 0.9.7 that does not affect versions of OpenSSL shipped with Red Hat Linux (CAN-2002-0657). A large number of applications within Red Hat Linux make use the OpenSSL library to provide SSL support. All users are therefore advised to upgrade to the errata OpenSSL packages, which contain patches to correct these vulnerabilities. NOTE: Please read the Solution section below as it contains instructions for making sure that all SSL-enabled processes are restarted after the update is applied. Thanks go to the OpenSSL team and Ben Laurie for providing patches for these issues. 4. Solution: IMPORTANT: Because both client and server applications are affected by these vulnerabilities, we advise users to reboot their systems after installing these updates. Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/openssl-0.9.5a-26.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/openssl-0.9.5a-26.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/openssl-devel-0.9.5a-26.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/openssl-perl-0.9.5a-26.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/openssl-python-0.9.5a-26.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/openssl-0.9.5a-26.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/openssl-devel-0.9.5a-26.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/openssl-perl-0.9.5a-26.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/openssl-python-0.9.5a-26.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/openssl-0.9.5a-26.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/openssl-devel-0.9.5a-26.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/openssl-perl-0.9.5a-26.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/openssl-python-0.9.5a-26.sparc.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl-0.9.6-10.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/openssl-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/openssl095a-0.9.5a-14.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/openssl-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/openssl-devel-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/openssl-perl-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/openssl-python-0.9.6-10.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl-0.9.6-10.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/openssl-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/openssl095a-0.9.5a-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssl-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssl-devel-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssl-perl-0.9.6-10.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/openssl-python-0.9.6-10.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/openssl-0.9.6-10.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/openssl-devel-0.9.6-10.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/openssl-perl-0.9.6-10.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/openssl-python-0.9.6-10.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl096-0.9.6-9.src.rpm ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl-0.9.6b-24.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/openssl095a-0.9.5a-14.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssl096-0.9.6-9.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssl-0.9.6b-24.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm i686: ftp://updates.redhat.com/7.2/en/os/i686/openssl-0.9.6b-24.i686.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssl096-0.9.6-9.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssl-0.9.6b-24.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssl-devel-0.9.6b-24.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/openssl-perl-0.9.6b-24.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl096-0.9.6-9.src.rpm ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl-0.9.6b-24.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/openssl095a-0.9.5a-14.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssl096-0.9.6-9.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssl-0.9.6b-24.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm i686: ftp://updates.redhat.com/7.3/en/os/i686/openssl-0.9.6b-24.i686.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 61c1681e13328fe5cc5de13003cecbfa 6.2/en/os/SRPMS/openssl-0.9.5a-26.src.rpm b5a092d4197eabfaefeed4d260d1b98e 6.2/en/os/alpha/openssl-0.9.5a-26.alpha.rpm 711624c0394b7c0fca42750726d32f3d 6.2/en/os/alpha/openssl-devel-0.9.5a-26.alpha.rpm 76d65cd6d29616fd9933912b09bede48 6.2/en/os/alpha/openssl-perl-0.9.5a-26.alpha.rpm 267eb03ac96a182b9fa11a5ba3b9389d 6.2/en/os/alpha/openssl-python-0.9.5a-26.alpha.rpm b99f516e99f7b0b90feea4cd0fb1edab 6.2/en/os/i386/openssl-0.9.5a-26.i386.rpm 0ffd8b3d708b8fdcc6bc6ae91f3d1940 6.2/en/os/i386/openssl-devel-0.9.5a-26.i386.rpm b9db1140f4806ec3f4f1a832aad21afc 6.2/en/os/i386/openssl-perl-0.9.5a-26.i386.rpm 388b3147b88607bb47b563532b4ff155 6.2/en/os/i386/openssl-python-0.9.5a-26.i386.rpm 810e6131fee818819213d326c596719b 6.2/en/os/sparc/openssl-0.9.5a-26.sparc.rpm 9ab8a7b059a198837cad649e7c4b1f92 6.2/en/os/sparc/openssl-devel-0.9.5a-26.sparc.rpm e4ab888ccd8200c66de485408b3518b9 6.2/en/os/sparc/openssl-perl-0.9.5a-26.sparc.rpm 305e69febe8751a6839324593be55087 6.2/en/os/sparc/openssl-python-0.9.5a-26.sparc.rpm 6a1a51baec50250feb6a7df0914c086d 7.0/en/os/SRPMS/openssl-0.9.6-10.src.rpm ddd832b579f5f92234fd3bdc0088585c 7.0/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 80e27f1105c86ad37f47ed9c6da01e75 7.0/en/os/alpha/openssl-0.9.6-10.alpha.rpm fe5999b2892ef3af48707a0900d24741 7.0/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 7f0ad5a594254071c63d46c554a73cfe 7.0/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 30fb55bf1ff5f8113fe4fce2907db6de 7.0/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 2c67e47754d3c46828a46b858d5227e5 7.0/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 9b9780f4124111d800cbc698f601eed4 7.0/en/os/i386/openssl-0.9.6-10.i386.rpm d81f3d47b8d725bb71ad7809c81e0486 7.0/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 776c915db7a72e5f22cdffadfb56f2c9 7.0/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 1c916fb95c1b8f9c44840667a4aea2cd 7.0/en/os/i386/openssl-python-0.9.6-10.i386.rpm 9f4ddecdbc78517f7e43648132c9873a 7.0/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 6a1a51baec50250feb6a7df0914c086d 7.1/en/os/SRPMS/openssl-0.9.6-10.src.rpm ddd832b579f5f92234fd3bdc0088585c 7.1/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 80e27f1105c86ad37f47ed9c6da01e75 7.1/en/os/alpha/openssl-0.9.6-10.alpha.rpm fe5999b2892ef3af48707a0900d24741 7.1/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 7f0ad5a594254071c63d46c554a73cfe 7.1/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 30fb55bf1ff5f8113fe4fce2907db6de 7.1/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 2c67e47754d3c46828a46b858d5227e5 7.1/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 9b9780f4124111d800cbc698f601eed4 7.1/en/os/i386/openssl-0.9.6-10.i386.rpm d81f3d47b8d725bb71ad7809c81e0486 7.1/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 776c915db7a72e5f22cdffadfb56f2c9 7.1/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 1c916fb95c1b8f9c44840667a4aea2cd 7.1/en/os/i386/openssl-python-0.9.6-10.i386.rpm 9f4ddecdbc78517f7e43648132c9873a 7.1/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 0c246f63818de647a1b1810187c13381 7.1/en/os/ia64/openssl-0.9.6-10.ia64.rpm 5966099d03ba051a1784f7eba666815b 7.1/en/os/ia64/openssl-devel-0.9.6-10.ia64.rpm 30d8263af19b234b1ff6b48915a4760d 7.1/en/os/ia64/openssl-perl-0.9.6-10.ia64.rpm 0eb73d5aa9c2a0f693ff8c60bf4a9321 7.1/en/os/ia64/openssl-python-0.9.6-10.ia64.rpm 5e6e3c534cac94d57e14fae37f213333 7.1/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm 93ab0985d11a15fe39e24a548b1885e6 7.2/en/os/SRPMS/openssl-0.9.6b-24.src.rpm ddd832b579f5f92234fd3bdc0088585c 7.2/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 449151345e809f531c316cb9d1df033b 7.2/en/os/SRPMS/openssl096-0.9.6-9.src.rpm c181eab20db43421e20a0e5cd18a1b0d 7.2/en/os/i386/openssl-0.9.6b-24.i386.rpm b74adb3f6208aeddfda7d1b1f0063802 7.2/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 189345f3cee952484fcd2a40246aa28b 7.2/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 9f4ddecdbc78517f7e43648132c9873a 7.2/en/os/i386/openssl095a-0.9.5a-14.i386.rpm c37591c97b216af1290cfcc82e74abb3 7.2/en/os/i386/openssl096-0.9.6-9.i386.rpm 0189237bd50fc00fb777cd782aa70e2e 7.2/en/os/i686/openssl-0.9.6b-24.i686.rpm a5e045a90bf2fae63b9fd7c7a7ed265b 7.2/en/os/ia64/openssl-0.9.6b-24.ia64.rpm 1c047ebddc6b5bad180bba5eb6549f63 7.2/en/os/ia64/openssl-devel-0.9.6b-24.ia64.rpm 2e96f756ac9fab96db2e2e672f11b62b 7.2/en/os/ia64/openssl-perl-0.9.6b-24.ia64.rpm 5e6e3c534cac94d57e14fae37f213333 7.2/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm e402bc51ebe69e9e18132a29f1555c15 7.2/en/os/ia64/openssl096-0.9.6-9.ia64.rpm 93ab0985d11a15fe39e24a548b1885e6 7.3/en/os/SRPMS/openssl-0.9.6b-24.src.rpm ddd832b579f5f92234fd3bdc0088585c 7.3/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 449151345e809f531c316cb9d1df033b 7.3/en/os/SRPMS/openssl096-0.9.6-9.src.rpm c181eab20db43421e20a0e5cd18a1b0d 7.3/en/os/i386/openssl-0.9.6b-24.i386.rpm b74adb3f6208aeddfda7d1b1f0063802 7.3/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 189345f3cee952484fcd2a40246aa28b 7.3/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 9f4ddecdbc78517f7e43648132c9873a 7.3/en/os/i386/openssl095a-0.9.5a-14.i386.rpm c37591c97b216af1290cfcc82e74abb3 7.3/en/os/i386/openssl096-0.9.6-9.i386.rpm 0189237bd50fc00fb777cd782aa70e2e 7.3/en/os/i686/openssl-0.9.6b-24.i686.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 Copyright(c) 2000, 2001, 2002 Red Hat, Inc. _______________________________________________ Redhat-watch-list mailing list To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list