-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:                Linux: mod_ssl Buffer Overflow Condition
Advisory number:        CSSA-2002-011.0
Issue date:             2002, March 18
Cross reference:
______________________________________________________________________________


1. Problem Description

   mod_ssl uses the underlying OpenSSL routines in a manner that could
   cause a buffer overflow.


2. Vulnerable Supported Versions

   System                        Package
   -----------------------------------------------------------
   OpenLinux Server 3.1          All packages previous to
                                 mod_ssl-2.8.5_1.3.22-2

   OpenLinux Workstation 3.1     All packages previous to
                                 mod_ssl-2.8.5_1.3.22-2

   OpenLinux Server 3.1.1        All packages previous to
                                 mod_ssl-2.8.5_1.3.22-2

   OpenLinux Workstation 3.1.1   All packages previous to
                                 mod_ssl-2.8.5_1.3.22-2


3. Solution

   Workaround

   none

   The proper solution is to upgrade to the latest packages.


4. OpenLinux 3.1 Server

   4.1 Location of Fixed Packages

   The 3.1 version of this package is not yet available. An updated
   advisory will be published when the package is released.


5. OpenLinux 3.1 Workstation

   5.1 Location of Fixed Packages

   The 3.1 version of this package is not yet available. An updated
   advisory will be published when the package is released.


6. OpenLinux 3.1.1 Server

   6.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

   6.2 Verification

   64223d2995fd5501b440d14d9af35359  RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
   f45c83a03d7fa38825645d551d5a1489  RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
   57ad82f8f53b9745929002b06d8e26da  SRPMS/mod_ssl-2.8.5_1.3.22-2.src.rpm

   6.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh mod_ssl-2.8.5_1.3.22-2.i386.rpm \
            mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm


7. OpenLinux 3.1.1 Workstation

   7.1 Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

   The corresponding source code package can be found at:

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

   7.2 Verification

   64223d2995fd5501b440d14d9af35359  RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
   f45c83a03d7fa38825645d551d5a1489  RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
   57ad82f8f53b9745929002b06d8e26da  SRPMS/mod_ssl-2.8.5_1.3.22-2.src.rpm

   7.3 Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -Fvh mod_ssl-2.8.5_1.3.22-2.i386.rpm \
            mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm


8. References

   Specific references for this advisory:

   none

   Caldera OpenLinux security resources:

   http://www.caldera.com/support/security/index.html

   Caldera UNIX security resources:

   http://stage.caldera.com/support/security/

   This security fix closes Caldera incidents sr861039, erg711978,
   fz520252.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   International products.


10. Acknowledgements

   Ed Moyle discovered and researched this vulnerability.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyhBrcACgkQbluZssSXDTGgaACfR/qPCL/NyY3joOoqSMWSHXmN
vXYAoNdCD3SMlB31V1RQkKknsJag32IH
=P2Iy
-----END PGP SIGNATURE-----
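Sections 6.2/6.3 and 7.2/7.3 list MD5 sums and an rpm command but leave the check itself implicit. The script below is an added example, not part of the Caldera advisory: it compares downloaded files against the advisory's own checksum lines and refuses to run `rpm -Fvh` unless every file is present and matches. The download directory name and the RPM_CMD override are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the fixed mod_ssl packages
# against the advisory's MD5 sums before upgrading them.
#
# Checksum lines copied from advisory sections 6.2 / 7.2, in the format
# "<md5> <path relative to the download directory>".
ADVISORY_MD5S='64223d2995fd5501b440d14d9af35359 RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm
f45c83a03d7fa38825645d551d5a1489 RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm
57ad82f8f53b9745929002b06d8e26da SRPMS/mod_ssl-2.8.5_1.3.22-2.src.rpm'

# verify_md5_manifest DIR MANIFEST
#   For each "<md5> <path>" line in MANIFEST, hash DIR/path with md5sum and
#   compare. Prints OK / MISSING / MISMATCH per entry; returns 0 only when
#   every listed file exists and matches.
verify_md5_manifest() {
    dir=$1 manifest=$2 bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue          # skip blank lines
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"; bad=1; continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# upgrade_if_verified DIR MANIFEST
#   Runs the advisory's "rpm -Fvh" command only after every checksum
#   matched. RPM_CMD (assumed name) lets a dry run substitute e.g. "echo".
upgrade_if_verified() {
    dir=$1 manifest=$2
    verify_md5_manifest "$dir" "$manifest" || {
        echo "checksum verification failed; not upgrading" >&2; return 1; }
    ${RPM_CMD:-rpm} -Fvh "$dir/RPMS/mod_ssl-2.8.5_1.3.22-2.i386.rpm" \
        "$dir/RPMS/mod_ssl-sxnet-2.8.5_1.3.22-2.i386.rpm"
}

# Usage, after fetching the files from the advisory's FTP paths into
# ./caldera-3.1.1 (assumed name) keeping the RPMS/ and SRPMS/ subdirs:
#   printf '%s\n' "$ADVISORY_MD5S" > manifest.txt
#   upgrade_if_verified ./caldera-3.1.1 manifest.txt
```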