- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Multiple OpenSSL Vulnerabilities
      Date: March 17, 2004
      Bugs: #44941
        ID: 200403-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Three vulnerabilities have been found in OpenSSL via a commercial test
suite for the TLS protocol developed by Codenomicon Ltd.

Background
==========

The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols as well as a full-strength general purpose cryptography
library.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
     dev-libs/openssl           <= 0.9.7c                 >= 0.9.7d
     dev-libs/openssl           <= 0.9.7c                 == 0.9.6m

Description
===========

1. Testing performed by the OpenSSL group using the Codenomicon TLS
   Test Tool uncovered a null-pointer assignment in the
   do_change_cipher_spec() function. A remote attacker could perform a
   carefully crafted SSL/TLS handshake against a server that used the
   OpenSSL library in such a way as to cause OpenSSL to crash.
   Depending on the application this could lead to a denial of service.
   All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from
   0.9.7a to 0.9.7c inclusive are affected by this issue.

2. A flaw has been discovered in SSL/TLS handshaking code when using
   Kerberos ciphersuites. A remote attacker could perform a carefully
   crafted SSL/TLS handshake against a server configured to use
   Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
   Most applications have no ability to use Kerberos cipher suites and
   will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of
   OpenSSL are affected by this issue.

3. Testing performed by the OpenSSL group using the Codenomicon TLS
   Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that
   can lead to a Denial of Service attack (infinite loop). This issue
   was traced to a fix that was added to OpenSSL 0.9.6d some time ago.
   This issue will affect vendors that ship older versions of OpenSSL
   with backported security patches.

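The affected ranges above use OpenSSL's letter-suffixed version scheme (0.9.7 < 0.9.7a < 0.9.7b), which plain string or float comparison gets wrong. The following is an added example, not part of this advisory, that parses such versions and maps a given OpenSSL version to the issues and the fixed version this advisory names; the issue labels and the exclusion of issue 3 (whose affected range the advisory does not state precisely) are this example's own choices.

```python
import re

# Inclusive affected ranges for issues 1 and 2 as stated in GLSA 200403-03.
# Issue 3 (0.9.6 infinite loop) is omitted: the advisory gives no exact range.
AFFECTED = {
    "do_change_cipher_spec null pointer": [("0.9.6c", "0.9.6l"), ("0.9.7a", "0.9.7c")],
    "Kerberos ciphersuite handshake crash": [("0.9.7a", "0.9.7c")],
}
# First unaffected version on each branch, from the "Affected packages" table.
FIXED = {"0.9.6": "0.9.6m", "0.9.7": "0.9.7d"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v):
    """Turn an OpenSSL version such as '0.9.7c' into a comparable tuple.

    The optional letter becomes a patch number (no letter = 0, 'a' = 1, ...),
    so that 0.9.7 < 0.9.7a < 0.9.7b holds under ordinary tuple comparison.
    """
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def affected_issues(version):
    """Return the advisory issues whose stated ranges contain this version."""
    pv = parse_version(version)
    hits = []
    for issue, ranges in AFFECTED.items():
        if any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in ranges):
            hits.append(issue)
    return hits


def required_upgrade(version):
    """Return the fixed version on the same branch if this version is older,
    or None when the version is not below a fixed version the advisory names."""
    pv = parse_version(version)
    branch = ".".join(str(x) for x in pv[:3])
    target = FIXED.get(branch)
    if target is None or pv >= parse_version(target):
        return None
    return target


if __name__ == "__main__":
    for v in ("0.9.6k", "0.9.7", "0.9.7c", "0.9.7d"):
        print(v, affected_issues(v), required_upgrade(v))
```

Note that 0.9.7 without a suffix falls outside the description's ranges for issues 1 and 2 but is still below 0.9.7d, so the upgrade check flags it as the package table does.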
Impact
======

Although there are no public exploits known for these bugs, users are
recommended to upgrade to ensure the security of their infrastructure.

Workaround
==========

There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.

Resolution
==========

All users are recommended to upgrade openssl to either 0.9.7d or 0.9.6m:

    # emerge sync
    # emerge -pv ">=dev-libs/openssl-0.9.7d"
    # emerge ">=dev-libs/openssl-0.9.7d"

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.