-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                   Caldera International, Inc.  Security Advisory

Subject:                Linux: REVISED: multiple vulnerabilities in openssl
Advisory number:        CSSA-2002-033.1
Issue date:             2002 August 02
Cross reference:
______________________________________________________________________________


1. Problem Description

   There are four remotely exploitable buffer overflows that affect
   various OpenSSL client and server implementations. There are also
   encoding problems in the ASN.1 library used by OpenSSL. Several of
   these vulnerabilities could be used by a remote attacker to execute
   arbitrary code on the target system. All could be used to create
   denial of service.

   The original fix for the ASN.1 library was flawed; this update
   contains a corrected fix.


2. Vulnerable Supported Versions

   System                       Package
   ----------------------------------------------------------------------
   OpenLinux 3.1.1 Server       prior to openssl-0.9.6-19.i386.rpm
                                prior to openssl-devel-0.9.6-19.i386.rpm
                                prior to openssl-devel-static-0.9.6-19.i386.rpm

   OpenLinux 3.1.1 Workstation  prior to openssl-0.9.6-19.i386.rpm
                                prior to openssl-devel-0.9.6-19.i386.rpm
                                prior to openssl-devel-static-0.9.6-19.i386.rpm

   OpenLinux 3.1 Server         prior to openssl-0.9.6-19.i386.rpm
                                prior to openssl-devel-0.9.6-19.i386.rpm
                                prior to openssl-devel-static-0.9.6-19.i386.rpm

   OpenLinux 3.1 Workstation    prior to openssl-0.9.6-19.i386.rpm
                                prior to openssl-devel-0.9.6-19.i386.rpm
                                prior to openssl-devel-static-0.9.6-19.i386.rpm


3. Solution

   The proper solution is to install the latest packages. Many
   customers find it easier to use the Caldera System Updater, called
   cupdate (or kcupdate under the KDE environment), to update these
   packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

   4.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.1/RPMS

   4.2 Packages

   22df8bff398b736e1b38ba1aaa5bbaef  openssl-0.9.6-19.i386.rpm
   68c37446be713e85419f723b139cb64c  openssl-devel-0.9.6-19.i386.rpm
   3d103c874131c41839326e8add1cc683  openssl-devel-static-0.9.6-19.i386.rpm

   4.3 Installation

   rpm -Fvh openssl-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-static-0.9.6-19.i386.rpm

   4.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-033.1/SRPMS

   4.5 Source Packages

   55b063fb13d0826286f4ceb77535bd55  openssl-0.9.6-19.src.rpm


5. OpenLinux 3.1.1 Workstation

   5.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.1/RPMS

   5.2 Packages

   c2b124ca42616720a481da3f86e5b6ae  openssl-0.9.6-19.i386.rpm
   48f3383564df05ba5e65a7b69692ba92  openssl-devel-0.9.6-19.i386.rpm
   bc308e83be75bf22932355b71e2cff33  openssl-devel-static-0.9.6-19.i386.rpm

   5.3 Installation

   rpm -Fvh openssl-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-static-0.9.6-19.i386.rpm

   5.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-033.1/SRPMS

   5.5 Source Packages

   89f3eb4e39a70cfa0b1772e9fcd4157e  openssl-0.9.6-19.src.rpm


6. OpenLinux 3.1 Server

   6.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.1/RPMS

   6.2 Packages

   30c43900b41ce6acf9af0e39e3bfd6a7  openssl-0.9.6-19.i386.rpm
   4727db07cf959a662064f672d7f2ae48  openssl-devel-0.9.6-19.i386.rpm
   0da797fff6058f796a3c12e913faefeb  openssl-devel-static-0.9.6-19.i386.rpm

   6.3 Installation

   rpm -Fvh openssl-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-static-0.9.6-19.i386.rpm

   6.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-033.1/SRPMS

   6.5 Source Packages

   e71851a01fcd943dba6733380ed5b3eb  openssl-0.9.6-19.src.rpm


7. OpenLinux 3.1 Workstation

   7.1 Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.1/RPMS

   7.2 Packages

   c94d414ff4eb638557973b0b3a01688f  openssl-0.9.6-19.i386.rpm
   648c8164c39df796655b0633944e8c2c  openssl-devel-0.9.6-19.i386.rpm
   be867f6b0a222cc05a30660d794260e7  openssl-devel-static-0.9.6-19.i386.rpm

   7.3 Installation

   rpm -Fvh openssl-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-0.9.6-19.i386.rpm
   rpm -Fvh openssl-devel-static-0.9.6-19.i386.rpm

   7.4 Source Package Location

   ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-033.1/SRPMS

   7.5 Source Packages

   14dcfd7e1abfabc9a20e16a678a2024e  openssl-0.9.6-19.src.rpm


8. References

   Specific references for this advisory:

   http://www.openssl.org/news/secadv_20020730.txt
   http://www.cert.org/advisories/CA-2002-23.html

   Caldera security resources:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera incidents sr867369, fz525695,
   erg501640.


9. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any
   of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera products.


10. Acknowledgements

   These vulnerabilities were discovered and reported by the following:
   A.L. Digital Ltd, John McDonald of Neohapsis, Adi Stav, James Yonan.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj1LFP4ACgkQbluZssSXDTGPQgCg9Axw89bQ0Wc9Bmejgh/12zN9
7e4An1DCfoCCjn+aAs7k6KoTYKpP/HjX
=aKZA
-----END PGP SIGNATURE-----
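The manual update path in sections 4 to 7 (download the RPMs, compare them against the listed MD5 sums, run rpm -Fvh) is worth scripting so that a tampered or truncated download is never installed; the script below is an added example, not part of the advisory or of Caldera's cupdate tooling. It assumes the OpenLinux rpm -q output format "openssl-0.9.6-NN", that md5sum and rpm are on the PATH, and the file name update-openssl.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Caldera advisory: check whether the installed
# openssl package is older than the fixed 0.9.6-19 release and verify the
# advisory's MD5 sums (copied from section 4.2, OpenLinux 3.1.1 Server) before
# running the rpm -Fvh commands. Assumes md5sum and rpm are on the PATH and the
# three RPMs were downloaded into the current directory.
FIXED_RELEASE=19

# Release number of "openssl-0.9.6-18" or "openssl-0.9.6-19.i386.rpm":
# the text after the last dash, up to the first dot.
release_of() {
    echo "$1" | sed -e 's/.*-//' -e 's/\..*//'
}

# True (exit 0) when the installed openssl release is below the fixed one.
is_vulnerable() {
    [ "$(release_of "$1")" -lt "$FIXED_RELEASE" ]
}

# True when file $1 exists and its MD5 sum equals the hex digest $2.
md5_matches() {
    [ -f "$1" ] || return 1
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Read "digest filename" pairs from stdin; fail if any file is missing or
# does not match, so a tampered or truncated download is never installed.
verify_all() {
    status=0
    while read -r digest file; do
        if md5_matches "$file" "$digest"; then echo "OK       $file"
        else echo "MISMATCH $file"; status=1; fi
    done
    return $status
}

main() {
    installed=$(rpm -q openssl) || { echo "openssl not installed"; return 0; }
    is_vulnerable "$installed" || { echo "$installed already fixed"; return 0; }
    verify_all <<EOF || return 1
22df8bff398b736e1b38ba1aaa5bbaef openssl-0.9.6-19.i386.rpm
68c37446be713e85419f723b139cb64c openssl-devel-0.9.6-19.i386.rpm
3d103c874131c41839326e8add1cc683 openssl-devel-static-0.9.6-19.i386.rpm
EOF
    rpm -Fvh openssl-0.9.6-19.i386.rpm openssl-devel-0.9.6-19.i386.rpm openssl-devel-static-0.9.6-19.i386.rpm
}

# Only touch the system when run as "sh update-openssl.sh --apply".
if [ "${1:-}" = "--apply" ]; then main; fi
```

For the Workstation or OpenLinux 3.1 systems, swap in the digests from the matching section (5.2, 6.2 or 7.2); the file names are identical across all four.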