Gentoo Archives: gentoo-announce

From: aliz@gentoo.org (Daniel Ahlberg)
To: gentoo-announce@g.o, bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com
Subject: [gentoo-announce] GLSA: openssl (200309-19)
Date: Wed, 01 Oct 2003 14:57:16
Message-Id: 20031001144838.EF7BD9FF2A@noc.internal.fairytale.se
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
---------------------------------------------------------------------

          PACKAGE : openssl
          SUMMARY : vulnerabilities in ASN.1 parsing
             DATE : 2003-10-01 14:48 UTC
          EXPLOIT : remote
     GENTOO BUG # : 30001
              CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

---------------------------------------------------------------------

DESCRIPTION

Quoted from the OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication."

Read the full advisory at
http://www.openssl.org/news/secadv_20030930.txt
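
Item 2 above (out of bounds reads on unusual tag values) comes down to a
parser trusting the tag and length octets without checking them against the
bytes actually present. As an added example, not OpenSSL's code and not the
fix shipped in 0.9.6k/0.9.7c, the C below decodes a single DER tag-and-length
header with a bounds check before every read and rejects the malformed forms
that would otherwise walk past the end of the buffer. The sample encodings,
function names and status codes are constructed for this example.

```c
/* Added illustration for this advisory (not OpenSSL code, not the 0.9.6k/0.9.7c
 * fix): a DER tag-and-length decoder that checks the buffer bound before every
 * byte it reads. Without those checks a truncated high-tag-number tag or an
 * oversized length walks the parser past the end of its input, the
 * out-of-bounds-read class the advisory describes. All samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DER_OK = 0, DER_TRUNCATED, DER_BAD_TAG, DER_BAD_LENGTH };
static const char *const DER_STATUS[] = {"ok", "truncated", "bad tag", "bad length"};

struct der_tlv {
    uint8_t        cls;         /* tag class, 0..3 */
    int            constructed; /* 1 for constructed, 0 for primitive */
    uint32_t       tag;         /* tag number */
    size_t         hdr_len;     /* bytes used by tag + length octets */
    size_t         len;         /* content length */
    const uint8_t *value;       /* content start, inside the caller's buffer */
};

/* Decode one TLV header from buf[0..avail). On DER_OK, out->value + out->len
 * never exceeds buf + avail, so the caller can consume the content safely. */
int der_read_header(const uint8_t *buf, size_t avail, struct der_tlv *out)
{
    size_t pos = 0;
    if (avail == 0) return DER_TRUNCATED;

    uint8_t first = buf[pos++];
    out->cls = first >> 6;
    out->constructed = (first & 0x20) != 0;
    uint32_t tag = first & 0x1f;

    if (tag == 0x1f) {                       /* high-tag-number form: base-128 digits */
        int digits = 0;
        tag = 0;
        for (;;) {
            if (pos >= avail) return DER_TRUNCATED;             /* digits run past buffer */
            uint8_t b = buf[pos++];
            if (digits == 0 && (b & 0x7f) == 0) return DER_BAD_TAG; /* leading zero digit */
            if (++digits > 4) return DER_BAD_TAG;               /* refuse tags > 28 bits */
            tag = (tag << 7) | (b & 0x7f);
            if ((b & 0x80) == 0) break;                         /* last digit: MSB clear */
        }
        if (tag < 0x1f) return DER_BAD_TAG;                     /* short form was required */
    }
    out->tag = tag;

    if (pos >= avail) return DER_TRUNCATED;                     /* no length octet */
    uint8_t lb = buf[pos++];
    size_t len = lb;                                            /* short form unless MSB set */
    if (lb & 0x80) {
        size_t nbytes = lb & 0x7f;
        if (nbytes == 0 || nbytes > sizeof len) return DER_BAD_LENGTH; /* indefinite/too wide */
        if (nbytes > avail - pos) return DER_TRUNCATED;         /* length octets cut off */
        if (buf[pos] == 0) return DER_BAD_LENGTH;               /* non-minimal: leading zero */
        len = 0;
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return DER_BAD_LENGTH;                  /* non-minimal: fits short form */
    }
    if (len > avail - pos) return DER_TRUNCATED;                /* content would overrun buffer */

    out->hdr_len = pos;
    out->len = len;
    out->value = buf + pos;
    return DER_OK;
}

/* Constructed sample encodings used by main() below. */
const uint8_t SAMPLE_SEQ[]       = {0x30, 0x03, 0x02, 0x01, 0x05};  /* SEQUENCE { INTEGER 5 } */
const uint8_t SAMPLE_HIGH_TAG[]  = {0xbf, 0x81, 0x00, 0x01, 0xff};  /* [128] constructed, 1 byte */
const uint8_t SAMPLE_TRUNC_TAG[] = {0xbf, 0x81};                    /* tag digits cut off */
const uint8_t SAMPLE_LONG_LEN[]  = {0x04, 0x05, 0x41, 0x42};        /* claims 5 bytes, has 2 */
const uint8_t SAMPLE_INDEF[]     = {0x30, 0x80};                    /* indefinite length */
const uint8_t SAMPLE_NONMIN[]    = {0x04, 0x81, 0x05, 0x41, 0x42, 0x43, 0x44, 0x45}; /* long form for 5 */

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t n; } cases[] = {
        {"valid sequence",     SAMPLE_SEQ,       sizeof SAMPLE_SEQ},
        {"high tag number",    SAMPLE_HIGH_TAG,  sizeof SAMPLE_HIGH_TAG},
        {"truncated tag",      SAMPLE_TRUNC_TAG, sizeof SAMPLE_TRUNC_TAG},
        {"oversized length",   SAMPLE_LONG_LEN,  sizeof SAMPLE_LONG_LEN},
        {"indefinite length",  SAMPLE_INDEF,     sizeof SAMPLE_INDEF},
        {"non-minimal length", SAMPLE_NONMIN,    sizeof SAMPLE_NONMIN},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct der_tlv t;
        int rc = der_read_header(cases[i].buf, cases[i].n, &t);
        printf("%-19s -> %s", cases[i].name, DER_STATUS[rc]);
        if (rc == DER_OK) printf(" (tag %u, %zu content bytes)", (unsigned)t.tag, t.len);
        printf("\n");
    }
    return 0;
}
```

Build with `cc -Wall -o der der.c` and run it. To walk nested structures, call
der_read_header again on t.value with t.len as the bound, so every inner
element inherits the outer element's limit instead of the whole buffer. This
covers only the read side: item 1 of the advisory is a cleanup bug after an
encoding has already been rejected, which read bounds checks do not address
on their own.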

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to a fixed version.

Make sure that the version to be installed is at least 0.9.6k (stable)
or 0.9.7c (masked); the pretend run below prints the version emerge
would install, so check it before the real emerge.

emerge sync
emerge openssl -p
emerge openssl
emerge clean

Replacing the library on disk does not fix processes that already have
the old libssl mapped: restart every daemon that links against it (and
re-emerge anything statically linked) so they pick up the fixed code.
Given item 4 of the advisory, that includes SSL/TLS servers that never
request client certificates.

---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/eulGfT7nyhUpoZMRAqomAJ4uTF38SWWVKdh8khE8loCUuVmoawCeMRrM
i2jV0nCkowHud00KH4Eykq8=
=zPT1
-----END PGP SIGNATURE-----