-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

        ESB-2002.405 -- Red Hat Security Advisory RHSA-2002:160-21
            Updated openssl packages fix protocol parsing bugs
                               8 August 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                OpenSSL
Vendor:                 Red Hat
Operating System:       Red Hat Linux 7.3
                        Red Hat Linux 7.2
                        Red Hat Linux 7.1
                        Red Hat Linux 7
                        Red Hat Linux 6.2
Impact:                 Denial of Service
                        Execute Arbitrary Code/Commands
Access Required:        Remote

Ref:                    AA-2002.06
                        ESB-2002.369

- --------------------------BEGIN INCLUDED TEXT--------------------

- ---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated openssl packages fix protocol parsing bugs
Advisory ID:       RHSA-2002:160-21
Issue date:        2002-07-29
Updated on:        2002-08-05
Product:           Red Hat Linux
Keywords:          OpenSSL ASN.1 abstract syntax notation
Cross references:  
Obsoletes:         RHSA-2002:155
CVE Names:         CAN-2002-0659
- ---------------------------------------------------------------------

1. Topic:

Updated OpenSSL packages are available for Red Hat Linux 6.2, 7, 7.1, 7.2,
and 7.3. These updates fix multiple protocol parsing bugs that may be used
in a denial of service (DoS) attack or cause SSL-enabled applications to crash.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386, i686, ia64

Red Hat Linux 7.3 - i386, i686

3. Problem description:

OpenSSL is a commercial-grade, full-featured, and open source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library.

Portions of the SSL protocol data stream that carry the lengths of the
structures being transferred may not be properly validated. This may allow
a malicious server or client to cause an affected application to crash or
enter an infinite loop, which can be used as a denial of service (DoS)
attack if the application is a server. It has not been verified whether
this issue could lead to further consequences such as remote code execution.

These errata packages contain a patch to correct this vulnerability.
Please note that the original patch from the OpenSSL team had a mistake
that could still allow buffer overflows to occur. This bug is also fixed
in these errata packages.

NOTE:

Please read the Solution section below as it contains instructions for
making sure that all SSL-enabled processes are restarted after the update
is applied.

Thanks go to the OpenSSL team for providing patches for this issue.

4. Solution:

Because both client and server applications are affected by these
vulnerabilities, we advise users to reboot their systems after installing
these updates.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):



6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/openssl-0.9.5a-29.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-0.9.5a-29.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-devel-0.9.5a-29.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-perl-0.9.5a-29.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-python-0.9.5a-29.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/openssl-0.9.5a-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-devel-0.9.5a-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-perl-0.9.5a-29.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/openssl-python-0.9.5a-29.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-0.9.5a-29.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-devel-0.9.5a-29.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-perl-0.9.5a-29.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-python-0.9.5a-29.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl-0.9.6-13.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-devel-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-perl-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/openssl-python-0.9.6-13.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl-0.9.6-13.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-devel-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-perl-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/openssl-python-0.9.6-13.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/openssl095a-0.9.5a-18.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-0.9.6-13.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-devel-0.9.6-13.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-perl-0.9.6-13.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-python-0.9.6-13.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl096-0.9.6-13.src.rpm
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl-0.9.6b-28.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl096-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-0.9.6b-28.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-devel-0.9.6b-28.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/openssl-perl-0.9.6b-28.i386.rpm

i686:
ftp://updates.redhat.com/7.2/en/os/i686/openssl-0.9.6b-28.i686.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/openssl095a-0.9.5a-18.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl096-0.9.6-13.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-0.9.6b-28.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-devel-0.9.6b-28.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-perl-0.9.6b-28.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl096-0.9.6-13.src.rpm
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl-0.9.6b-28.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl096-0.9.6-13.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-0.9.6b-28.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-devel-0.9.6b-28.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/openssl-perl-0.9.6b-28.i386.rpm

i686:
ftp://updates.redhat.com/7.3/en/os/i686/openssl-0.9.6b-28.i686.rpm



7. Verification:

MD5 sum                          Package Name
- --------------------------------------------------------------------------
88d1df818d80fc96b3684a18265f37f6 6.2/en/os/SRPMS/openssl-0.9.5a-29.src.rpm
25a6501a6cd4e5b7986a2ebc9c691c65 6.2/en/os/alpha/openssl-0.9.5a-29.alpha.rpm
58f6ef313c176a3ef98ad4f5f7bb371a 6.2/en/os/alpha/openssl-devel-0.9.5a-29.alpha.rpm
39930828fdeadfb54902548bbc891485 6.2/en/os/alpha/openssl-perl-0.9.5a-29.alpha.rpm
52cb6e0558523d735ccfe172c1d6e8ab 6.2/en/os/alpha/openssl-python-0.9.5a-29.alpha.rpm
e86b57e90b41a8e05db877a575fbe647 6.2/en/os/i386/openssl-0.9.5a-29.i386.rpm
beb66819c6669d2e2cca1dd67d85f7f7 6.2/en/os/i386/openssl-devel-0.9.5a-29.i386.rpm
eea8316e88ef8bf272535cd483482e1e 6.2/en/os/i386/openssl-perl-0.9.5a-29.i386.rpm
6b9bc5ee282d3f6f1373478ad3184c5e 6.2/en/os/i386/openssl-python-0.9.5a-29.i386.rpm
e5537f71b2d492d27e8fab6b69a6cb16 6.2/en/os/sparc/openssl-0.9.5a-29.sparc.rpm
992013eaafb8595b7d1f0cc0c89b0142 6.2/en/os/sparc/openssl-devel-0.9.5a-29.sparc.rpm
dcc9ea6007e2e59f007910fa5e8cd9b5 6.2/en/os/sparc/openssl-perl-0.9.5a-29.sparc.rpm
e1fa913fc868da6b89150ddb0ce62138 6.2/en/os/sparc/openssl-python-0.9.5a-29.sparc.rpm
ee11260a7760ddf55b4ec7755b00b3a7 7.0/en/os/SRPMS/openssl-0.9.6-13.src.rpm
5ef4beb986cb64aaae2cfd5726a03659 7.0/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
aa89abcd401045500219b03d4903811b 7.0/en/os/alpha/openssl-0.9.6-13.alpha.rpm
8477aeb72e53df02ce6a59d37de7cb02 7.0/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
fff55b6d8a51b9c0b5d10dafcc7511e4 7.0/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
168813d3974d63869120464765e34dd8 7.0/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm
92d8348414826ec4409e8d31e2513941 7.0/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
f3f805e9698affd543c42a55cbdbaba7 7.0/en/os/i386/openssl-0.9.6-13.i386.rpm
f8d57d36b1dd4ef5bf0b89579ec229cd 7.0/en/os/i386/openssl-devel-0.9.6-13.i386.rpm
e18c81476ad5db84dd3178639edbdd82 7.0/en/os/i386/openssl-perl-0.9.6-13.i386.rpm
7f20d329ca75dfce15c883d96ffbaf40 7.0/en/os/i386/openssl-python-0.9.6-13.i386.rpm
49b87abfb69a066756eed6441c226775 7.0/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
ee11260a7760ddf55b4ec7755b00b3a7 7.1/en/os/SRPMS/openssl-0.9.6-13.src.rpm
5ef4beb986cb64aaae2cfd5726a03659 7.1/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
aa89abcd401045500219b03d4903811b 7.1/en/os/alpha/openssl-0.9.6-13.alpha.rpm
8477aeb72e53df02ce6a59d37de7cb02 7.1/en/os/alpha/openssl-devel-0.9.6-13.alpha.rpm
fff55b6d8a51b9c0b5d10dafcc7511e4 7.1/en/os/alpha/openssl-perl-0.9.6-13.alpha.rpm
168813d3974d63869120464765e34dd8 7.1/en/os/alpha/openssl-python-0.9.6-13.alpha.rpm
92d8348414826ec4409e8d31e2513941 7.1/en/os/alpha/openssl095a-0.9.5a-18.alpha.rpm
f3f805e9698affd543c42a55cbdbaba7 7.1/en/os/i386/openssl-0.9.6-13.i386.rpm
f8d57d36b1dd4ef5bf0b89579ec229cd 7.1/en/os/i386/openssl-devel-0.9.6-13.i386.rpm
e18c81476ad5db84dd3178639edbdd82 7.1/en/os/i386/openssl-perl-0.9.6-13.i386.rpm
7f20d329ca75dfce15c883d96ffbaf40 7.1/en/os/i386/openssl-python-0.9.6-13.i386.rpm
49b87abfb69a066756eed6441c226775 7.1/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
279a924595d4fb05d9071174e57e61d5 7.1/en/os/ia64/openssl-0.9.6-13.ia64.rpm
50a5b0b5b5c13eaa4e397a7983839e5c 7.1/en/os/ia64/openssl-devel-0.9.6-13.ia64.rpm
b115c9b4850610940584caf761fd9a86 7.1/en/os/ia64/openssl-perl-0.9.6-13.ia64.rpm
79baeddf64b07b3bfecb1ae71fe110a1 7.1/en/os/ia64/openssl-python-0.9.6-13.ia64.rpm
f6615406c84745284f0e7e9b0d4d0d99 7.1/en/os/ia64/openssl095a-0.9.5a-18.ia64.rpm
a502539af00bf8fc4f184542dbe2a57f 7.2/en/os/SRPMS/openssl-0.9.6b-28.src.rpm
5ef4beb986cb64aaae2cfd5726a03659 7.2/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
79423e3818cf2d6997f440d8878b5b5c 7.2/en/os/SRPMS/openssl096-0.9.6-13.src.rpm
c0a52c85725b1ecff52d9c1372472360 7.2/en/os/i386/openssl-0.9.6b-28.i386.rpm
bdf9826263203f54685e81bb71815fd0 7.2/en/os/i386/openssl-devel-0.9.6b-28.i386.rpm
98fd036fc344c1a058d7d62c0cdbdeef 7.2/en/os/i386/openssl-perl-0.9.6b-28.i386.rpm
49b87abfb69a066756eed6441c226775 7.2/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
f8852fa073d9e6462264c98c694339be 7.2/en/os/i386/openssl096-0.9.6-13.i386.rpm
aec758aeb92b8f6b49365374e7896877 7.2/en/os/i686/openssl-0.9.6b-28.i686.rpm
c95cd939889b64b199fd477d950d1bad 7.2/en/os/ia64/openssl-0.9.6b-28.ia64.rpm
ad2477c7f4b611c7c800eedd8856489a 7.2/en/os/ia64/openssl-devel-0.9.6b-28.ia64.rpm
8e4b14c78ed76602a0e377c7559b0747 7.2/en/os/ia64/openssl-perl-0.9.6b-28.ia64.rpm
f6615406c84745284f0e7e9b0d4d0d99 7.2/en/os/ia64/openssl095a-0.9.5a-18.ia64.rpm
975e5824273ba98163fe9efe841053c5 7.2/en/os/ia64/openssl096-0.9.6-13.ia64.rpm
a502539af00bf8fc4f184542dbe2a57f 7.3/en/os/SRPMS/openssl-0.9.6b-28.src.rpm
5ef4beb986cb64aaae2cfd5726a03659 7.3/en/os/SRPMS/openssl095a-0.9.5a-18.src.rpm
79423e3818cf2d6997f440d8878b5b5c 7.3/en/os/SRPMS/openssl096-0.9.6-13.src.rpm
c0a52c85725b1ecff52d9c1372472360 7.3/en/os/i386/openssl-0.9.6b-28.i386.rpm
bdf9826263203f54685e81bb71815fd0 7.3/en/os/i386/openssl-devel-0.9.6b-28.i386.rpm
98fd036fc344c1a058d7d62c0cdbdeef 7.3/en/os/i386/openssl-perl-0.9.6b-28.i386.rpm
49b87abfb69a066756eed6441c226775 7.3/en/os/i386/openssl095a-0.9.5a-18.i386.rpm
f8852fa073d9e6462264c98c694339be 7.3/en/os/i386/openssl096-0.9.6-13.i386.rpm
aec758aeb92b8f6b49365374e7896877 7.3/en/os/i686/openssl-0.9.6b-28.i686.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>
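The two commands above check one package at a time. As an added example, not part of the advisory, the following POSIX shell script cross-checks a whole download directory against the MD5 table from section 7, saved to a file exactly as it appears above; the functions md5_of, verify_manifest and demo_verify, and the dummy files and digests used in the demo, are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory.  Section 7 of the
# advisory lists "<md5> <relative path>" pairs.  After downloading the RPMs,
# compare every file's digest with that table before installing anything.
# rpm --checksig does this (plus the GPG check) per package; this script is
# the manifest-wide cross-check against the advisory text itself.

# md5_of FILE -> prints the hex MD5 digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_manifest MANIFEST DIR
#   MANIFEST: the section 7 table saved to a file (header/rule lines are
#             skipped, so it can be pasted verbatim).
#   DIR:      where the downloaded RPMs live, in the same relative layout.
# Prints OK / MISMATCH / MISSING per entry; returns the number of entries
# that failed, so 0 means every listed file is present and matches.
verify_manifest() {
    manifest=$1; dir=$2; failed=0
    while read -r expected relpath; do
        case "$expected" in ''|'MD5'|-*) continue ;; esac   # header, rule, blank
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; failed=$((failed + 1)); continue
        fi
        actual=$(md5_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (got $actual)"; failed=$((failed + 1))
        fi
    done < "$manifest"
    return "$failed"
}

# demo_verify: constructed data, not real packages.  Two dummy files and a
# manifest whose second digest is deliberately wrong and whose third entry
# names a file that was never downloaded.  Expected result: 1 OK,
# 1 MISMATCH, 1 MISSING, exit status 2.
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dl/7.3/en/os/i386"
    : > "$tmp/dl/7.3/en/os/i386/good.rpm"                 # empty file
    printf 'hello\n' > "$tmp/dl/7.3/en/os/i386/bad.rpm"
    cat > "$tmp/manifest" <<'EOF'
MD5 sum                          Package Name
- --------------------------------------------------------------------------
d41d8cd98f00b204e9800998ecf8427e 7.3/en/os/i386/good.rpm
00000000000000000000000000000000 7.3/en/os/i386/bad.rpm
ffffffffffffffffffffffffffffffff 7.3/en/os/i386/absent.rpm
EOF
    verify_manifest "$tmp/manifest" "$tmp/dl" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}

# Usage: sh verify.sh manifest.txt downloads
if [ $# -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

Save the section 7 table as manifest.txt, download the RPMs into a directory with the same relative layout (for example downloads/7.3/en/os/i386/openssl-0.9.6b-28.i386.rpm) and run `sh verify.sh manifest.txt downloads`; a non-zero exit means at least one file is missing or has a different digest. `rpm --checksig` remains the authoritative check because it also verifies Red Hat's GPG signature, which an MD5 comparison against a text you may have received by e-mail cannot.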

8. References:


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659



Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be made in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPVJ9Yih9+71yA2DNAQGO6AP9HAyayXT/NGXxiuwtLxycD5OEhRtRFMEY
w025DKYkppleNQ92DRC4cgo69p7LGDb84v16M4dRgjOMPuPGBBIVkEiQcDOX/UGU
LhIGmk2hrQgSLlgJk1h+vxReWCqpyb+X5LqM9f7RS3O1ovf5lvPZRKyCx2wR5bqB
9dC+F3czGlk=
=a5uo
-----END PGP SIGNATURE-----