[gentoo-announce] Gentoo Linux Security Advisory 200403-03: Multiple OpenSSL Vulnerabilities - gentoo-announce

From:	Aida Escriva-Sammer <aescriva@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] Gentoo Linux Security Advisory 200403-03: Multiple OpenSSL Vulnerabilities
Date:	Thu, 18 Mar 2004 01:47:34
Message-Id:	`4058545F.5010907@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200403-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                              http://security.gentoo.org

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

   Severity: Normal

8

      Title: Multiple OpenSSL Vulnerabilities

9

       Date: March 17, 2004

10

       Bugs: #44941

11

         ID: 200403-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Three vulnerabilities have been found in OpenSSL via a commercial test

19

suite for the TLS protocol developed by Codenomicon Ltd.

20

21

Background

22

==========

23

24

The OpenSSL Project is a collaborative effort to develop a robust,

25

commercial-grade, full-featured, and Open Source toolkit implementing

26

the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS

27

v1) protocols as well as a full-strength general purpose cryptography

28

library.

29

30

Affected packages

31

=================

32

33

     -------------------------------------------------------------------

34

      Package           /   Vulnerable   /                   Unaffected

35

     -------------------------------------------------------------------

36

      dev-libs/openssl       <= 0.9.7c                        >= 0.9.7d

37

      dev-libs/openssl       <= 0.9.7c                        == 0.9.6m

38

39

Description

40

===========

41

42

1. Testing performed by the OpenSSL group using the Codenomicon TLS

43

    Test Tool uncovered a null-pointer assignment in the

44

    do_change_cipher_spec() function. A remote attacker could perform a

45

    carefully crafted SSL/TLS handshake against a server that used the

46

    OpenSSL library in such a way as to cause OpenSSL to crash.

47

    Depending on the application this could lead to a denial of service.

48

    All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from

49

    0.9.7a to 0.9.7c inclusive are affected by this issue.

50

51

2. A flaw has been discovered in SSL/TLS handshaking code when using

52

    Kerberos ciphersuites. A remote attacker could perform a carefully

53

    crafted SSL/TLS handshake against a server configured to use

54

    Kerberos ciphersuites in such a way as to cause OpenSSL to crash.

55

    Most applications have no ability to use Kerberos cipher suites and

56

    will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of

57

    OpenSSL are affected by this issue.

58

59

3. Testing performed by the OpenSSL group using the Codenomicon TLS

60

    Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that

61

    can lead to a Denial of Service attack (infinite loop). This issue

62

    was traced to a fix that was added to OpenSSL 0.9.6d some time ago.

63

    This issue will affect vendors that ship older versions of OpenSSL

64

    with backported security patches.

65

66

Impact

67

======

68

69

Although there are no public exploits known for bug, users are

70

recommended to upgrade to ensure the security of their infrastructure.

71

72

Workaround

73

==========

74

75

There is no immediate workaround; a software upgrade is required. The

76

vulnerable function in the code has been rewritten.

77

78

Resolution

79

==========

80

81

All users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m:

82

83

     # emerge sync

84

     # emerge -pv ">=dev-libs/openssl-0.9.7d"

85

     # emerge ">=dev-libs/openssl-0.9.7d"

86

87

Concerns?

88

=========

89

90

Security is a primary focus of Gentoo Linux and ensuring the

91

confidentiality and security of our users machines is of utmost

92

importance to us. Any security concerns should be addressed to

93

security@g.o or alternatively, you may file a bug at

94

http://bugs.gentoo.org.

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200403-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Multiple OpenSSL Vulnerabilities
9	Date: March 17, 2004
10	Bugs: #44941
11	ID: 200403-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Three vulnerabilities have been found in OpenSSL via a commercial test
19	suite for the TLS protocol developed by Codenomicon Ltd.
20
21	Background
22	==========
23
24	The OpenSSL Project is a collaborative effort to develop a robust,
25	commercial-grade, full-featured, and Open Source toolkit implementing
26	the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
27	v1) protocols as well as a full-strength general purpose cryptography
28	library.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	dev-libs/openssl <= 0.9.7c >= 0.9.7d
37	dev-libs/openssl <= 0.9.7c == 0.9.6m
38
39	Description
40	===========
41
42	1. Testing performed by the OpenSSL group using the Codenomicon TLS
43	Test Tool uncovered a null-pointer assignment in the
44	do_change_cipher_spec() function. A remote attacker could perform a
45	carefully crafted SSL/TLS handshake against a server that used the
46	OpenSSL library in such a way as to cause OpenSSL to crash.
47	Depending on the application this could lead to a denial of service.
48	All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from
49	0.9.7a to 0.9.7c inclusive are affected by this issue.
50
51	2. A flaw has been discovered in SSL/TLS handshaking code when using
52	Kerberos ciphersuites. A remote attacker could perform a carefully
53	crafted SSL/TLS handshake against a server configured to use
54	Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
55	Most applications have no ability to use Kerberos cipher suites and
56	will therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of
57	OpenSSL are affected by this issue.
58
59	3. Testing performed by the OpenSSL group using the Codenomicon TLS
60	Test Tool uncovered a bug in older versions of OpenSSL 0.9.6 that
61	can lead to a Denial of Service attack (infinite loop). This issue
62	was traced to a fix that was added to OpenSSL 0.9.6d some time ago.
63	This issue will affect vendors that ship older versions of OpenSSL
64	with backported security patches.
65
66	Impact
67	======
68
69	Although there are no public exploits known for bug, users are
70	recommended to upgrade to ensure the security of their infrastructure.
71
72	Workaround
73	==========
74
75	There is no immediate workaround; a software upgrade is required. The
76	vulnerable function in the code has been rewritten.
77
78	Resolution
79	==========
80
81	All users are recommened to upgrade openssl to either 0.9.7d or 0.9.6m:
82
83	# emerge sync
84	# emerge -pv ">=dev-libs/openssl-0.9.7d"
85	# emerge ">=dev-libs/openssl-0.9.7d"
86
87	Concerns?
88	=========
89
90	Security is a primary focus of Gentoo Linux and ensuring the
91	confidentiality and security of our users machines is of utmost
92	importance to us. Any security concerns should be addressed to
93	security@g.o or alternatively, you may file a bug at
94	http://bugs.gentoo.org.