linux, säkerhet

8790755 2002-07-30 17:09 +0200  /72 rader/ Daniel Ahlberg <aliz@gentoo.org>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-30  17:39  av Brevbäraren
Extern mottagare: gentoo-security@gentoo.org
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <23358>
Ärende: GLSA: OpenSSL
------------------------------------------------------------
From: Daniel Ahlberg <aliz@gentoo.org>
To: gentoo-security@gentoo.org
Cc: bugtraq@securityfocus.com
Message-ID: <200207301709.46925.aliz@gentoo.org>

- -------------------------------------------------------------------- 
GENTOO LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------

PACKAGE        :openssl
SUMMARY        :denial of service / remote root exploit
DATE           :2002-07-30 16:15:00

- --------------------------------------------------------------------

OVERVIEW
 
Multiple potentially remotely exploitable vulnerabilities has been
found in  OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a
    buffer. This vulnerability was also independently discovered by
    consultants at Neohapsis (http://www.neohapsis.com/) who have also
    demonstrated that the vulerability is exploitable. Exploit code is
    NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
    overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
    overrun a stack-based buffer. This issues only affects OpenSSL
    0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
    small on 64 bit platforms.

The full advisory can be read at 
http://www.openssl.org/news/secadv_20020730.txt

SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge openssl
emerge clean

After the installation of the updated OpenSSL you should restart the
services  that uses OpenSSL, which include such common services as
OpenSSH, SSL-Enabled  POP3, IMAP, and SMTP servers, and
stunnel-wrapped services as well.

Also, if you have an application that is statically linked to openssl
you will  need to reemerge that application to build it against the
new OpenSSL.
 
- --------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
- --------------------------------------------------------------------
(8790755) /Daniel Ahlberg <aliz@gentoo.org>/(Ombruten)