Yellow Dog Linux Security Advisory: YDU-20020801-3

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Thu, 1 Aug 2002 16:08:08 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	openssl
Issue Date: 	August 1, 2002	
Priority:	high	
Advisory ID: 	YDU-20020801-3


1. 	Topic:

	Updated openssl packages are available.


2. 	Problem:

	"OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which
	implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
	Security (TLS v1) protocols as well as a full-strength general purpose
	cryptography library. A security audit of the OpenSSL code sponsored by
	DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7
	and 0.9.6d and earlier:

	1. The master key supplied by a client to an SSL version 2 server could be
	oversized, causing a stack-based buffer overflow. This issue is remotely
	exploitable. Services that have SSLv2 disabled would not be vulnerable to
	this issue. (CAN-2002-0656)

	2. The SSLv3 session ID supplied to a client from a malicious server could
	be oversized and overrun a buffer. This issue looks to be remotely
	exploitable. (CAN-2002-0656)

	3. Various buffers used for storing ASCII representations of integers were
	too small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655)

	A further issue was found in OpenSSL 0.9.7 that does not affect versions of
	OpenSSL shipped with [Yellow Dog] Linux (CAN-2002-0657)."
	(from Red Hat Advisory)


3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install openssl

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
			ppc/openssl-0.9.6b-24.2.3a.ppc.rpm
			ppc/openssl-devel-0.9.6b-24.2.3a.ppc.rpm
			ppc/openssl-perl-0.9.6b-24.2.3a.ppc.rpm

		Yellow Dog Linux 2.2
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
			ppc/openssl-0.9.6b-24.2.2a.ppc.rpm
			ppc/openssl-devel-0.9.6b-24.2.2a.ppc.rpm
			ppc/openssl-perl-0.9.6b-24.2.2a.ppc.rpm
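
	An added example (not part of this advisory) for checking whether a host still runs a build older than the fixed packages listed above: it reimplements rpm's version-comparison rules in Python and compares the installed openssl version-release, as reported by rpm -q, with the fixed build for each Yellow Dog release. The helper names (rpmvercmp, compare_vr, is_patched) are assumptions.

```python
import re

# Fixed openssl version-release per Yellow Dog Linux release, taken from the advisory.
FIXED_OPENSSL = {
    "2.3": "0.9.6b-24.2.3a",
    "2.2": "0.9.6b-24.2.2a",
}

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version (or release) strings the way rpm does:
    split into numeric and alphabetic runs, compare numeric runs as integers
    and alphabetic runs lexically, and treat a numeric run as newer than an
    alphabetic one.  Returns -1, 0 or 1.  (Tilde/caret handling is omitted;
    rpm of this era did not have it.)"""
    if a == b:
        return 0
    seg_a = re.findall(r"[0-9]+|[A-Za-z]+", a)
    seg_b = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # numeric beats alphabetic
        if x_num:
            x, y = int(x), int(y)          # so "10" > "9", leading zeros ignored
        if x != y:
            return 1 if x > y else -1
    # every shared segment is equal: the string with segments left over is newer
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1

def compare_vr(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_patched(installed_vr: str, ydl_release: str) -> bool:
    """True if installed openssl is at or above the advisory's fixed build.
    installed_vr is the output of:  rpm -q --qf '%{VERSION}-%{RELEASE}' openssl"""
    return compare_vr(installed_vr, FIXED_OPENSSL[ydl_release]) >= 0

if __name__ == "__main__":
    import subprocess
    installed = subprocess.run(
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "openssl"],
        capture_output=True, text=True, check=True).stdout.strip()
    status = "patched" if is_patched(installed, "2.3") else "VULNERABLE: update openssl"
    print(installed, status)
```

	The `__main__` block assumes Yellow Dog Linux 2.3; pass "2.2" for a 2.2 host.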

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
c68d3c44c71ca7a2c75e39257cea11d7  ppc/openssl-0.9.6b-24.2.3a.ppc.rpm
0df78f0f70155f4df1f2cffffe6ea719  ppc/openssl-devel-0.9.6b-24.2.3a.ppc.rpm
004227209911f8ce7e98a22add3d4dae  ppc/openssl-perl-0.9.6b-24.2.3a.ppc.rpm
724040281351547d196eb10647c36394  SRPMS/openssl-0.9.6b-24.2.3a.src.rpm

[Yellow Dog Linux 2.2]
811e4ccd53f23a2e45fff400e022397a  ppc/openssl-0.9.6b-24.2.2a.ppc.rpm
604fb255a92429f00822330983c6c930  ppc/openssl-devel-0.9.6b-24.2.2a.ppc.rpm
40758a9d22d5eae5ff85ef1ba22724aa  ppc/openssl-perl-0.9.6b-24.2.2a.ppc.rpm
5a1188c421726e27868882398b583245  SRPMS/openssl-0.9.6b-24.2.2a.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/
for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml