What is the OpenSSL 0.9.8yDd package?

KEYWORDS: OpenServer 600 6.0.0 osr6 6V 600v maintenance pack 4 mp4 openssl security secure socket layer libraries 098y 98y

RELEASE: SCO OpenServer Release 6.0.0, with Maintenance Pack 4
         OpenServer 6V

PROBLEM: What problems are fixed by OpenSSL 0.9.8y?

SOLUTION: OpenSSL 0.9.8y addresses these security issues:

CVE-2013-0166 - Return an error when checking OCSP signatures when the key is NULL. This fixes a DoS attack.
CVE-2012-2333 - Sanity check the record length before skipping the explicit IV in DTLS, to fix a DoS attack.
CVE-2012-2131 - Fix potentially exploitable buffer overflows.
CVE-2012-2110 - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c did not properly interpret integer data.
CVE-2012-0884 - The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 did not properly restrict certain oracle behavior.
CVE-2012-0050 - Fix for the DTLS DoS issue introduced by the fix for CVE-2011-4109.
CVE-2011-4619 - Only allow one SGC handshake restart for SSL/TLS.
CVE-2011-4577 - Prevent malformed RFC3779 data from triggering an assertion failure.
CVE-2011-4576 - Clear bytes used for block padding of SSL 3.0 records.
CVE-2011-4109 - Stop a policy check failure from freeing the same buffer twice.
CVE-2011-4108 - The DTLS implementation only performed a MAC check if certain padding was valid.
CVE-2011-0014 - Fix parsing of the OCSP stapling ClientHello extension.
CVE-2010-4252 - Fix a J-PAKE implementation error which constituted a security issue.
CVE-2010-4180 - Disable the code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack.
CVE-2010-3864 - Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability.
CVE-2010-0742 - Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice.
CVE-2010-0740 - The ssl3_get_record function in ssl/s3_pkt.c allowed a DoS attack.
CVE-2010-0433 - Some Kerberos-enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted).
CVE-2008-1678, CVE-2009-4355 - Correct some significant per-connection memory leaks that lead to these CVEs.
CVE-2009-3555 - Disable renegotiation completely; this fixes a severe security problem.
CVE-2009-3245 - Always check bn_wexpand() return values for failure.
CVE-2009-1386 - Fix a NULL pointer dereference if a DTLS server received ChangeCipherSpec as the first record.
CVE-2009-1379 - Fix for a DoS attack.
CVE-2009-1378 - Fix for a DoS attack.
CVE-2009-1377 - Fix for a DoS attack.
CVE-2009-0789 - Fix for a DoS attack.
CVE-2009-0591 - Fix a bug where the return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly.
CVE-2009-0590 - Fix for a DoS attack.
CVE-2008-5077 - Properly check EVP_VerifyFinal() and similar return values.
CVE-2008-1672 - Fix a flaw if the 'Server Key exchange message' is omitted from a TLS handshake, which could lead to a client crash.
CVE-2008-0891 - Fix a double free in TLS server name extensions which could lead to a remote crash.
CVE-2007-5135 - Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was not complete and could lead to a possible single-byte overflow.

This supplement can be installed on the following OpenServer releases:

    SCO OpenServer Release 6.0.0 with Maintenance Pack 4
    OpenServer 6V

----------------------------------------------------------

I. Software Notes and Recommendations

1. If you have any questions concerning this supplement, please contact your software supplier or your Xinuos Support Representative.

----------------------------------------------------------

II. Installation Instructions

To install OpenSSL 0.9.8yDd, follow these steps:

1. Log in as root.

2. Create an empty directory, such as /tmp/OpenSSL.0.9.8yDd, to which the supplement will be downloaded.

3. Download OpenSSL-0.9.8yDd-VOLS.tar and save it to the directory created in step 2.

4. After the download is complete, change to the directory containing the OpenSSL-0.9.8yDd-VOLS.tar file, and run the following to extract the media image files:

      # tar xvf OpenSSL-0.9.8yDd-VOLS.tar

5. Run the Software Manager with the command:

      # scoadmin software

6. Pull down the "Software" menu and select "Install New".

7. When prompted for the host from which to install, choose the local machine and then "Continue".

8. In the "Select Media" menu, pull down the "Media Device" menu. Select "Media Images", then choose "Continue".

9. When prompted for the "Image Directory", enter the name of the directory created in step 2 and choose "OK".

10. When prompted to select software to install, make sure that the entry for "OpenSSL version 0.9.8y (ver 0.9.8yDd)" is highlighted. Choose "Install".

11. Under "Upgrading Components Warning", select "Leave replaced components on hard disk (loaded only)." Doing so will allow you to revert to the previous version if you remove this supplement later. If you skip this step, then removing the supplement later will leave you without a working OpenSSL package. If necessary, this can be remedied by reinstalling the OpenSSL package inside the "Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce)" component from Maintenance Pack 4 or one of the previously released supplements.

12. Choose "Continue."

13. Installation of OpenSSL 0.9.8y will now proceed. Once it's completed, select "OK."

14. To exit the Software Manager, select "Exit" from the "Host" menu.

15. Once the installation has completed, you can remove or archive the downloaded tar file, the media image files, and the containing directory created in step 2.

16. There is no need to reboot the system for this package.

----------------------------------------------------------

III. Removal Instructions

Note: These instructions will remove the OpenSSL 0.9.8y package.
They will also restore the previously installed version of OpenSSL, provided you selected "Leave replaced components on hard disk (loaded only)" in step 11 of the Installation Instructions above.

1. Log in as root.

2. Execute the command:

      # scoadmin software

3. Highlight the entry for "OpenSSL version 0.9.8y (ver 0.9.8yDd)" and make sure nothing else is highlighted.

4. Pull down the "Software" menu and select "Remove Software".

5. In the window labeled "Confirm Selected Software," make sure that "OpenSSL version 0.9.8y (ver 0.9.8yDd)" is shown and select "Remove."

6. Removal of OpenSSL 0.9.8yDd will now proceed. Once it's completed, select "OK."

Note: The rest of this procedure assumes that you kept the prior OpenSSL version loaded as described above in step 11 of the Installation Instructions. If you did not do this, then you will need to reinstall the OpenSSL 0.9.8eDa package from within the Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce) from OpenServer 6.0.0 Maintenance Pack 4.

7. Pull down the "Software" menu and select "Install New".

8. When prompted for the host from which to install, choose the local machine and then "Continue".

9. In the "Select Media" menu, pull down the "Media Device" menu. Select "Loaded Software", then choose "Continue".

10. When prompted to select software to install, if reverting back to version 0.9.8eDa in Maintenance Pack 4:

    i.   Move the cursor down to "SCO OpenServer Release 6.0.0 Maintenance Pack 4 (ver 1.0.0Ce)" and hit to show loaded components from Maintenance Pack 4.
    ii.  Move the cursor down to "Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce)" and hit to show subpackages from this component.
    iii. Move the cursor down to "OpenSSL (ver 0.9.8eDa)" and hit to highlight it.
    iv.  Make sure no other entries are highlighted.

11. Choose "Install."

12. Installation of OpenSSL 0.9.8e will now proceed. Once it's completed, select "OK."

13. To exit the Software Manager, select "Exit" from the "Host" menu.
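Both procedures above are driven through the interactive Software Manager, but the staging in installation steps 2 to 4 and the check an administrator wants afterwards (that the system now reports 0.9.8y, or 0.9.8e again after a revert) can be scripted. The following is an added example, not part of the Xinuos article or of the OpenServer distribution: the directory, archive name and version strings are the article's; the assumption that `openssl version` prints "OpenSSL <version> <date>", as upstream builds do, and the sample version lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Xinuos article): stage the OpenSSL 0.9.8yDd
# supplement as in installation steps 2-4, and check the version that the
# installed openssl binary reports after an install or a revert.
# Assumption: "openssl version" prints "OpenSSL <version> <date>".

SUPP_DIR=${SUPP_DIR:-/tmp/OpenSSL.0.9.8yDd}   # step 2: download directory
SUPP_TAR="OpenSSL-0.9.8yDd-VOLS.tar"           # step 3: media image archive

# Steps 2-4: create the directory, require the archive to be present, and
# unpack the media image files in place. Returns 1 on any failure so that
# the interactive "scoadmin software" session only follows a good staging.
stage_supplement() {
    dir=${1:-$SUPP_DIR}
    mkdir -p "$dir" || return 1
    if [ ! -f "$dir/$SUPP_TAR" ]; then
        echo "stage_supplement: $dir/$SUPP_TAR not found; download it first" >&2
        return 1
    fi
    (cd "$dir" && tar xvf "$SUPP_TAR") || return 1
    echo "media images extracted to $dir; next: scoadmin software -> Install New"
}

# Extracts the version token from a line such as "OpenSSL 0.9.8y 5 Feb 2013"
# (constructed sample; format assumed). Prints nothing for other input.
openssl_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Returns 0 when the reported version is the one this supplement installs
# (0.9.8y) or a later 0.9.8 release, 1 for anything else, e.g. 0.9.8e, the
# Maintenance Pack 4 version that the removal procedure restores.
openssl_is_patched() {
    case "$(openssl_version_of "$1")" in
        0.9.8y|0.9.8z*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Reports on the live openssl binary: expect "patched" after installation
# step 13 and "not patched" (0.9.8e) after removal step 12.
report_live_openssl() {
    ver=$(openssl version 2>/dev/null) || { echo "openssl not found" >&2; return 1; }
    if openssl_is_patched "$ver"; then
        echo "patched: $ver"
    else
        echo "not patched: $ver"
        return 1
    fi
}

# Usage:  sh stage-openssl.sh stage [dir]     sh stage-openssl.sh check
case "${1:-}" in
    stage) stage_supplement "${2:-}" ;;
    check) report_live_openssl ;;
esac
```

`stage` only prepares the directory and extracts the archive; the Software Manager steps that follow (Install New, Media Images, selecting the entry and keeping the replaced components loaded) still have to be done by hand. `check` is the post-install or post-revert verification, and its exit status makes it usable from a fleet inventory script.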