Risks
Advisories
Browse
or
or
Red Hat Security Advisory - Updated openssl packages fix remote vulnerabilities
--------------------------------------------------------------------- 
                   Red Hat, Inc. Red Hat Security Advisory 


Synopsis: Updated openssl packages fix remote vulnerabilities 
Advisory ID: RHSA-2002:155-11 
Issue date: 2002-07-25 
Updated on: 2002-07-29 
Product: Red Hat Linux 
Keywords: OpenSSL master session key 
Cross references: 
Obsoletes: RHSA-2001:051 
CVE Names: CAN-2002-0655 CAN-2002-0656 
--------------------------------------------------------------------- 


1. Topic: 


Updated OpenSSL packages are available which fix several serious buffer 
overflow vulnerabilities. 


2. Relevant releases/architectures: 


Red Hat Linux 6.2 - alpha, i386, sparc 


Red Hat Linux 7.0 - alpha, i386 


Red Hat Linux 7.1 - alpha, i386, ia64 


Red Hat Linux 7.2 - i386, i686, ia64 


Red Hat Linux 7.3 - i386, i686 


3. Problem description: 


OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which 
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer 
Security (TLS v1) protocols as well as a full-strength general purpose 
cryptography library. A security audit of the OpenSSL code sponsored by 
DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 
and 0.9.6d and earlier: 


1. The master key supplied by a client to an SSL version 2 server could be 
oversized, causing a stack-based buffer overflow. This issue is remotely 
exploitable. Services that have SSLv2 disabled would not be vulnerable to 
this issue. (CAN-2002-0656) 


2. The SSLv3 session ID supplied to a client from a malicious server could 
be oversized and overrun a buffer. This issue looks to be remotely 
exploitable. (CAN-2002-0656) 


3. Various buffers used for storing ASCII representations of integers were 
too small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655) 


A further issue was found in OpenSSL 0.9.7 that does not affect versions of 
OpenSSL shipped with Red Hat Linux (CAN-2002-0657). 


A large number of applications within Red Hat Linux make use the OpenSSL 
library to provide SSL support. All users are therefore advised to upgrade 
to the errata OpenSSL packages, which contain patches to correct these 
vulnerabilities. 


NOTE: 


Please read the Solution section below as it contains instructions for 
making sure that all SSL-enabled processes are restarted after the update 
is applied. 


Thanks go to the OpenSSL team and Ben Laurie for providing patches for 
these issues. 


4. Solution: 


IMPORTANT: 


Because both client and server applications are affected by these 
vulnerabilities, we advise users to reboot their systems after installing 
these updates. 


Before applying this update, make sure all previously released errata 
relevant to your system have been applied. 


To update all RPMs for your particular architecture, run: 


rpm -Fvh [filenames] 


where [filenames] is a list of the RPMs you wish to upgrade. Only those 
RPMs which are currently installed will be updated. Those RPMs which are 
not installed but included in the list will not be updated. Note that you 
can also use wildcards (*.rpm) if your current directory *only* contains 
the desired RPMs. 


Please note that this update is also available via Red Hat Network. Many 
people find this an easier way to apply updates. To use Red Hat Network, 
launch the Red Hat Update Agent with the following command: 


up2date 


This will start an interactive process that will result in the appropriate 
RPMs being upgraded on your system. 


5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 




6. RPMs required: 


Red Hat Linux 6.2: 


SRPMS: 
ftp://updates.redhat.com/6.2/en/os/SRPMS/openssl-0.9.5a-26.src.rpm 


alpha: 
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-0.9.5a-26.alpha.rpm 
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-devel-0.9.5a-26.alpha.rpm 
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-perl-0.9.5a-26.alpha.rpm 
ftp://updates.redhat.com/6.2/en/os/alpha/openssl-python-0.9.5a-26.alpha.rpm 


i386: 
ftp://updates.redhat.com/6.2/en/os/i386/openssl-0.9.5a-26.i386.rpm 
ftp://updates.redhat.com/6.2/en/os/i386/openssl-devel-0.9.5a-26.i386.rpm 
ftp://updates.redhat.com/6.2/en/os/i386/openssl-perl-0.9.5a-26.i386.rpm 
ftp://updates.redhat.com/6.2/en/os/i386/openssl-python-0.9.5a-26.i386.rpm 


sparc: 
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-0.9.5a-26.sparc.rpm 
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-devel-0.9.5a-26.sparc.rpm 
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-perl-0.9.5a-26.sparc.rpm 
ftp://updates.redhat.com/6.2/en/os/sparc/openssl-python-0.9.5a-26.sparc.rpm 


Red Hat Linux 7.0: 


SRPMS: 
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
ftp://updates.redhat.com/7.0/en/os/SRPMS/openssl-0.9.6-10.src.rpm 


alpha: 
ftp://updates.redhat.com/7.0/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.0/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 


i386: 
ftp://updates.redhat.com/7.0/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
ftp://updates.redhat.com/7.0/en/os/i386/openssl-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.0/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.0/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.0/en/os/i386/openssl-python-0.9.6-10.i386.rpm 


Red Hat Linux 7.1: 


SRPMS: 
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
ftp://updates.redhat.com/7.1/en/os/SRPMS/openssl-0.9.6-10.src.rpm 


alpha: 
ftp://updates.redhat.com/7.1/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 
ftp://updates.redhat.com/7.1/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 


i386: 
ftp://updates.redhat.com/7.1/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
ftp://updates.redhat.com/7.1/en/os/i386/openssl-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.1/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.1/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 
ftp://updates.redhat.com/7.1/en/os/i386/openssl-python-0.9.6-10.i386.rpm 


ia64: 
ftp://updates.redhat.com/7.1/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm 
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-0.9.6-10.ia64.rpm 
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-devel-0.9.6-10.ia64.rpm 
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-perl-0.9.6-10.ia64.rpm 
ftp://updates.redhat.com/7.1/en/os/ia64/openssl-python-0.9.6-10.ia64.rpm 


Red Hat Linux 7.2: 


SRPMS: 
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl096-0.9.6-9.src.rpm 
ftp://updates.redhat.com/7.2/en/os/SRPMS/openssl-0.9.6b-24.src.rpm 


i386: 
ftp://updates.redhat.com/7.2/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
ftp://updates.redhat.com/7.2/en/os/i386/openssl096-0.9.6-9.i386.rpm 
ftp://updates.redhat.com/7.2/en/os/i386/openssl-0.9.6b-24.i386.rpm 
ftp://updates.redhat.com/7.2/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 
ftp://updates.redhat.com/7.2/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 


i686: 
ftp://updates.redhat.com/7.2/en/os/i686/openssl-0.9.6b-24.i686.rpm 


ia64: 
ftp://updates.redhat.com/7.2/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm 
ftp://updates.redhat.com/7.2/en/os/ia64/openssl096-0.9.6-9.ia64.rpm 
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-0.9.6b-24.ia64.rpm 
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-devel-0.9.6b-24.ia64.rpm 
ftp://updates.redhat.com/7.2/en/os/ia64/openssl-perl-0.9.6b-24.ia64.rpm 


Red Hat Linux 7.3: 


SRPMS: 
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl096-0.9.6-9.src.rpm 
ftp://updates.redhat.com/7.3/en/os/SRPMS/openssl-0.9.6b-24.src.rpm 


i386: 
ftp://updates.redhat.com/7.3/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
ftp://updates.redhat.com/7.3/en/os/i386/openssl096-0.9.6-9.i386.rpm 
ftp://updates.redhat.com/7.3/en/os/i386/openssl-0.9.6b-24.i386.rpm 
ftp://updates.redhat.com/7.3/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 
ftp://updates.redhat.com/7.3/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 


i686: 
ftp://updates.redhat.com/7.3/en/os/i686/openssl-0.9.6b-24.i686.rpm 




7. Verification: 


MD5 sum Package Name 
-------------------------------------------------------------------------- 
61c1681e13328fe5cc5de13003cecbfa 6.2/en/os/SRPMS/openssl-0.9.5a-26.src.rpm 
b5a092d4197eabfaefeed4d260d1b98e 6.2/en/os/alpha/openssl-0.9.5a-26.alpha.rpm 
711624c0394b7c0fca42750726d32f3d 6.2/en/os/alpha/openssl-devel-0.9.5a-26.alpha.rpm 
76d65cd6d29616fd9933912b09bede48 6.2/en/os/alpha/openssl-perl-0.9.5a-26.alpha.rpm 
267eb03ac96a182b9fa11a5ba3b9389d 6.2/en/os/alpha/openssl-python-0.9.5a-26.alpha.rpm 
b99f516e99f7b0b90feea4cd0fb1edab 6.2/en/os/i386/openssl-0.9.5a-26.i386.rpm 
0ffd8b3d708b8fdcc6bc6ae91f3d1940 6.2/en/os/i386/openssl-devel-0.9.5a-26.i386.rpm 
b9db1140f4806ec3f4f1a832aad21afc 6.2/en/os/i386/openssl-perl-0.9.5a-26.i386.rpm 
388b3147b88607bb47b563532b4ff155 6.2/en/os/i386/openssl-python-0.9.5a-26.i386.rpm 
810e6131fee818819213d326c596719b 6.2/en/os/sparc/openssl-0.9.5a-26.sparc.rpm 
9ab8a7b059a198837cad649e7c4b1f92 6.2/en/os/sparc/openssl-devel-0.9.5a-26.sparc.rpm 
e4ab888ccd8200c66de485408b3518b9 6.2/en/os/sparc/openssl-perl-0.9.5a-26.sparc.rpm 
305e69febe8751a6839324593be55087 6.2/en/os/sparc/openssl-python-0.9.5a-26.sparc.rpm 
6a1a51baec50250feb6a7df0914c086d 7.0/en/os/SRPMS/openssl-0.9.6-10.src.rpm 
ddd832b579f5f92234fd3bdc0088585c 7.0/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
80e27f1105c86ad37f47ed9c6da01e75 7.0/en/os/alpha/openssl-0.9.6-10.alpha.rpm 
fe5999b2892ef3af48707a0900d24741 7.0/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 
7f0ad5a594254071c63d46c554a73cfe 7.0/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 
30fb55bf1ff5f8113fe4fce2907db6de 7.0/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 
2c67e47754d3c46828a46b858d5227e5 7.0/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 
9b9780f4124111d800cbc698f601eed4 7.0/en/os/i386/openssl-0.9.6-10.i386.rpm 
d81f3d47b8d725bb71ad7809c81e0486 7.0/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 
776c915db7a72e5f22cdffadfb56f2c9 7.0/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 
1c916fb95c1b8f9c44840667a4aea2cd 7.0/en/os/i386/openssl-python-0.9.6-10.i386.rpm 
9f4ddecdbc78517f7e43648132c9873a 7.0/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
6a1a51baec50250feb6a7df0914c086d 7.1/en/os/SRPMS/openssl-0.9.6-10.src.rpm 
ddd832b579f5f92234fd3bdc0088585c 7.1/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
80e27f1105c86ad37f47ed9c6da01e75 7.1/en/os/alpha/openssl-0.9.6-10.alpha.rpm 
fe5999b2892ef3af48707a0900d24741 7.1/en/os/alpha/openssl-devel-0.9.6-10.alpha.rpm 
7f0ad5a594254071c63d46c554a73cfe 7.1/en/os/alpha/openssl-perl-0.9.6-10.alpha.rpm 
30fb55bf1ff5f8113fe4fce2907db6de 7.1/en/os/alpha/openssl-python-0.9.6-10.alpha.rpm 
2c67e47754d3c46828a46b858d5227e5 7.1/en/os/alpha/openssl095a-0.9.5a-14.alpha.rpm 
9b9780f4124111d800cbc698f601eed4 7.1/en/os/i386/openssl-0.9.6-10.i386.rpm 
d81f3d47b8d725bb71ad7809c81e0486 7.1/en/os/i386/openssl-devel-0.9.6-10.i386.rpm 
776c915db7a72e5f22cdffadfb56f2c9 7.1/en/os/i386/openssl-perl-0.9.6-10.i386.rpm 
1c916fb95c1b8f9c44840667a4aea2cd 7.1/en/os/i386/openssl-python-0.9.6-10.i386.rpm 
9f4ddecdbc78517f7e43648132c9873a 7.1/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
0c246f63818de647a1b1810187c13381 7.1/en/os/ia64/openssl-0.9.6-10.ia64.rpm 
5966099d03ba051a1784f7eba666815b 7.1/en/os/ia64/openssl-devel-0.9.6-10.ia64.rpm 
30d8263af19b234b1ff6b48915a4760d 7.1/en/os/ia64/openssl-perl-0.9.6-10.ia64.rpm 
0eb73d5aa9c2a0f693ff8c60bf4a9321 7.1/en/os/ia64/openssl-python-0.9.6-10.ia64.rpm 
5e6e3c534cac94d57e14fae37f213333 7.1/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm 
93ab0985d11a15fe39e24a548b1885e6 7.2/en/os/SRPMS/openssl-0.9.6b-24.src.rpm 
ddd832b579f5f92234fd3bdc0088585c 7.2/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
449151345e809f531c316cb9d1df033b 7.2/en/os/SRPMS/openssl096-0.9.6-9.src.rpm 
c181eab20db43421e20a0e5cd18a1b0d 7.2/en/os/i386/openssl-0.9.6b-24.i386.rpm 
b74adb3f6208aeddfda7d1b1f0063802 7.2/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 
189345f3cee952484fcd2a40246aa28b 7.2/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 
9f4ddecdbc78517f7e43648132c9873a 7.2/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
c37591c97b216af1290cfcc82e74abb3 7.2/en/os/i386/openssl096-0.9.6-9.i386.rpm 
0189237bd50fc00fb777cd782aa70e2e 7.2/en/os/i686/openssl-0.9.6b-24.i686.rpm 
a5e045a90bf2fae63b9fd7c7a7ed265b 7.2/en/os/ia64/openssl-0.9.6b-24.ia64.rpm 
1c047ebddc6b5bad180bba5eb6549f63 7.2/en/os/ia64/openssl-devel-0.9.6b-24.ia64.rpm 
2e96f756ac9fab96db2e2e672f11b62b 7.2/en/os/ia64/openssl-perl-0.9.6b-24.ia64.rpm 
5e6e3c534cac94d57e14fae37f213333 7.2/en/os/ia64/openssl095a-0.9.5a-14.ia64.rpm 
e402bc51ebe69e9e18132a29f1555c15 7.2/en/os/ia64/openssl096-0.9.6-9.ia64.rpm 
93ab0985d11a15fe39e24a548b1885e6 7.3/en/os/SRPMS/openssl-0.9.6b-24.src.rpm 
ddd832b579f5f92234fd3bdc0088585c 7.3/en/os/SRPMS/openssl095a-0.9.5a-14.src.rpm 
449151345e809f531c316cb9d1df033b 7.3/en/os/SRPMS/openssl096-0.9.6-9.src.rpm 
c181eab20db43421e20a0e5cd18a1b0d 7.3/en/os/i386/openssl-0.9.6b-24.i386.rpm 
b74adb3f6208aeddfda7d1b1f0063802 7.3/en/os/i386/openssl-devel-0.9.6b-24.i386.rpm 
189345f3cee952484fcd2a40246aa28b 7.3/en/os/i386/openssl-perl-0.9.6b-24.i386.rpm 
9f4ddecdbc78517f7e43648132c9873a 7.3/en/os/i386/openssl095a-0.9.5a-14.i386.rpm 
c37591c97b216af1290cfcc82e74abb3 7.3/en/os/i386/openssl096-0.9.6-9.i386.rpm 
0189237bd50fc00fb777cd782aa70e2e 7.3/en/os/i686/openssl-0.9.6b-24.i686.rpm 
  


These packages are GPG signed by Red Hat, Inc. for security. Our key 
is available at: 
    http://www.redhat.com/about/contact/pgpkey.html 


You can verify each package with the following command: 
    rpm --checksig <filename> 


If you only wish to verify that each package has not been corrupted or 
tampered with, examine only the md5sum with the following command: 
    rpm --checksig --nogpg <filename> 


8. References: 



http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 




Copyright(c) 2000, 2001, 2002 Red Hat, Inc. 




Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Apr 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //