
---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
---------------------------------------------------------------------

PACKAGE : openssl
SUMMARY : vulnerabilities in ASN.1 parsing
DATE : 2003-10-01 14:48 UTC
EXPLOIT : remote
GENTOO BUG # : 30001
CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

---------------------------------------------------------------------

DESCRIPTION

Quote from the OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication."

Read the full advisory at
http://www.openssl.org/news/secadv_20030930.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to a fixed version.

Make sure that the version to be installed is at least 0.9.6k (stable)
or 0.9.7c (masked).

emerge sync
emerge openssl -p
emerge openssl
emerge clean
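As an added check that is not part of the Gentoo advisory, the following Python parses the banner printed by `openssl version` and reports whether the installed build is at or above the fixed releases named above (0.9.6k and 0.9.7c), taking OpenSSL's letter-suffix ordering into account. The `check_installed` helper that shells out to the `openssl` binary, and the rule that branches newer than 0.9.7 count as fixed, are assumptions of this example.

```python
import re
import subprocess

# First fixed release of each affected branch, per the advisory above.
FIXED = {(0, 9, 6): "k", (0, 9, 7): "c"}

# Matches e.g. "OpenSSL 0.9.7b 10 Apr 2003" or "OpenSSL 0.9.6k 30 Sep 2003".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn the `openssl version` banner into (major, minor, patch, letter)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised openssl version banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_fixed(version):
    """True when the version is at or above the fixed release of its branch.

    OpenSSL patch letters sort alphabetically, and an absent letter ('') is
    the oldest release of a branch, so plain string comparison is enough.
    Branches newer than 0.9.7 postdate this advisory and are assumed fixed;
    older branches (0.9.5 and below) are never reported as fixed.
    """
    major, minor, patch, letter = version
    branch = (major, minor, patch)
    if branch in FIXED:
        return letter >= FIXED[branch]
    return branch > (0, 9, 7)


def check_installed():
    """Run the system `openssl version` and return (version, fixed?)."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    version = parse_openssl_version(out)
    return version, is_fixed(version)


if __name__ == "__main__":
    v, ok = check_installed()
    print("installed %d.%d.%d%s: %s" % (v + ("fixed" if ok else "VULNERABLE",)))
```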

---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://dev.gentoo.org/~aliz
---------------------------------------------------------------------