Hey, this doesn't look right.

I followed the instructions (not that there is much to an rsync/emerge/clean
scenario), but it appears that my system is playing a prank:

--- ---
>>> dev-libs/openssl-0.9.6e merged.
[snip]
newjersey root # emerge -p clean

>>> These are the packages that I would unmerge:

dev-libs/openssl
selected: 0.9.6d
protected: 0.9.6c-r1 0.9.6e
omitted: none

>>> Packages in red are slated for removal.
>>> Packages in green will not be removed.
--- ---

Why is it going to "clean" the package that I just merged (0.9.6e)? It
worked properly on my other servers. Curious....

Mickey
--
Mickey Mullin
Chief Technical Officer
Websoft Systems, Inc.
www.websoft.com
mmullin@×××××××.com
732-212-1933 x204

Daniel Ahlberg wrote:
> - --------------------------------------------------------------------
> GENTOO LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------
>
> PACKAGE : openssl
> SUMMARY : denial of service / remote root exploit
> DATE    : 2002-07-30 16:15:00
>
> - --------------------------------------------------------------------
>
> OVERVIEW
>
> Multiple potentially remotely exploitable vulnerabilities have been found in
> OpenSSL.
>
> DETAIL
>
> 1. The client master key in SSL2 could be oversized and overrun a
> buffer. This vulnerability was also independently discovered by
> consultants at Neohapsis (http://www.neohapsis.com/) who have also
> demonstrated that the vulnerability is exploitable. Exploit code is
> NOT available at this time.
>
> 2. The session ID supplied to a client in SSL3 could be oversized and
> overrun a buffer.
>
> 3. The master key supplied to an SSL3 server could be oversized and
> overrun a stack-based buffer. This issue only affects OpenSSL
> 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
>
> 4. Various buffers for ASCII representations of integers were too
> small on 64 bit platforms.
>
> The full advisory can be read at
> http://www.openssl.org/news/secadv_20020730.txt
>
> SOLUTION
>
> It is recommended that all Gentoo Linux users update their systems as
> follows.
>
> emerge --clean rsync
> emerge openssl
> emerge clean
>
> After the installation of the updated OpenSSL you should restart the services
> that use OpenSSL, which include such common services as OpenSSH, SSL-enabled
> POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
>
> Also, if you have an application that is statically linked to openssl you will
> need to re-emerge that application to build it against the new OpenSSL.
>
> - --------------------------------------------------------------------
> Daniel Ahlberg
> aliz@g.o
> - --------------------------------------------------------------------
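The advisory above says to restart every service that uses OpenSSL after the update. As an added example (not from the thread, from Gentoo, or from the OpenSSL project), here is a POSIX shell check that lists processes still holding a replaced libssl/libcrypto mapping, which is what a service that was never restarted looks like; it assumes a Linux /proc, and the function names `stale_ssl_maps` and `check_running_processes` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Gentoo's tooling.
# When a shared library is replaced on disk while a process still has it
# mapped, Linux marks that mapping "(deleted)" in /proc/<pid>/maps.
# A service that kept the old OpenSSL after the upgrade shows exactly that.

# stale_ssl_maps: read one /proc/<pid>/maps listing on stdin and print each
# distinct libssl/libcrypto path whose mapping is marked "(deleted)".
# Field 6 of a maps line is the pathname; a replaced file adds "(deleted)"
# as field 7.
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $7 == "(deleted)" { print $6 }' \
        | sort -u
}

# check_running_processes: scan every process and print "pid<TAB>comm<TAB>lib"
# for each stale OpenSSL mapping. Returns 1 when anything stale was found so
# a post-upgrade script can fail loudly. Processes whose maps are unreadable
# (other users' processes when not root) are skipped silently.
check_running_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_ssl_maps 2>/dev/null < "$maps") || continue
        [ -n "$stale" ] || continue
        found=1
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $stale; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
    return $found
}

# Constructed sample maps listing (not captured from a real host): the old
# 0.9.6 libraries still mapped after replacement, libc, and one fresh mapping.
SAMPLE_MAPS='7f000000-7f010000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.6 (deleted)
7f010000-7f020000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.0.9.6 (deleted)
7f020000-7f030000 r-xp 00000000 08:01 1236 /lib/libc.so.6
7f030000-7f040000 r-xp 00000000 08:01 1237 /usr/lib/libssl.so.0.9.6'

# Show the check on the sample, then scan the live host when /proc exists.
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
if [ -d /proc/self ]; then
    check_running_processes
fi
```

This only sees dynamically linked programs: a binary statically linked against OpenSSL maps no libssl at all and is exactly the case the advisory says must be re-emerged.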