Yellow Dog Linux Security Advisory: YDU-20020810-1

Dan Burcaw yellowdog-updates@lists.terrasoftsolutions.com
Sat, 10 Aug 2002 00:53:54 -0600 (MDT)


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	openssl
Issue Date: 	August 10, 2002	
Priority:	high	
Advisory ID: 	YDU-20020810-1


1. 	Topic:

	Updated openssl packages are available.


2. 	Problem:

	"Updated OpenSSL packages are available for [Yellow Dog Linux 2.2 and 2.3]. 
	These updates fix multiple protocol parsing bugs which may be used in
	a denial of service (DoS) attack or cause SSL-enabled applications to
	crash.

	OpenSSL is a commercial-grade, full-featured, and open source toolkit which
	implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
	Security (TLS v1) protocols as well as a full-strength general purpose
	cryptography library.

	Portions of the SSL protocol data stream, which include the lengths of
	structures which are being transferred, may not be properly validated. This
	may allow a malicious server or client to cause an affected application to
	crash or enter an infinite loop, which can be used as a denial of service
	(DoS) attack if the application is a server. It has not been verified if
	this issue could lead to further consequences such as remote code execution.

	These errata packages contain a patch to correct this vulnerability.
	Please note that the original patch from the OpenSSL team had a mistake in
	it which could possibly still allow buffer overflows to occur. This bug is
	also fixed in these errata packages."
	(from Red Hat Advisory)

3. 	Solution:

   	a) Updating via apt...
   	We suggest that you use the apt-get program to keep your
   	system up-to-date. The following command(s) will retrieve
   	and install the fixed version of this update onto your system:

		apt-get update
		apt-get install openssl

   	b) Updating manually...
	Download the updates below for your version of Yellow Dog Linux
	and then run the following rpm command.
   	(Please use a mirror site)

		rpm -Fvh [filenames]

		Yellow Dog Linux 2.3
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
				ppc/openssl-*0.9.6b-28.2.3a.ppc.rpm

		Yellow Dog Linux 2.2
			  ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/
				ppc/openssl-*0.9.6b-28.2.2a.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
[Yellow Dog Linux 2.3]
cdd3d8183b4555b6252d12ba6d658215  SRPMS/openssl-0.9.6b-28.2.3a.src.rpm
d647520d9968c7a023a1ca417a1c92f3  ppc/openssl-0.9.6b-28.2.3a.ppc.rpm
2847ad257b470e91eba27bc3dba2f4e5  ppc/openssl-devel-0.9.6b-28.2.3a.ppc.rpm
ae108045dc2dcec6655d891ac279efcd  ppc/openssl-perl-0.9.6b-28.2.3a.ppc.rpm

[Yellow Dog Linux 2.2]
18488aa0876643af668cbc2a023f2b1b  SRPMS/openssl-0.9.6b-28.2.2a.src.rpm
c447475cfee9bc1794735a911da6efc9  ppc/openssl-0.9.6b-28.2.2a.ppc.rpm
b742657e3db3a382c495d6d469618d8d  ppc/openssl-devel-0.9.6b-28.2.2a.ppc.rpm
5933ef7a57c7fc51c8cb429c3b6a791b  ppc/openssl-perl-0.9.6b-28.2.2a.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command:

		rpm --checksig --nogpg filename
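As an added example (not part of the advisory), the following POSIX shell function automates the comparison step above: it reads a checksum list in the advisory's own "md5  path" layout (skipping headers and the "[Yellow Dog Linux x.y]" markers), computes md5sum over each downloaded file under a directory, and returns non-zero if any file is missing or does not match, so it can gate an `rpm -Fvh` run. The list file and download directory names are assumptions; md5sum and sed from coreutils are assumed to be present.

```shell
#!/bin/sh
# verify_md5_list <checksum-list-file> <download-dir>
# Checks every "<32 hex md5>  <relative path>" line of the list against
# <download-dir>/<relative path>. Other lines (column headers, separator
# rules, "[Yellow Dog Linux 2.3]" markers) are ignored. Exit status is 0
# only when at least one file was checked and all of them matched.
verify_md5_list() {
    list="$1"
    dir="$2"
    checked=0
    failures=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise a matching line to "<md5> <path>"; anything else is skipped.
        fields=$(printf '%s\n' "$line" | sed -n \
            's/^\([0-9a-f]\{32\}\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]*$/\1 \2/p')
        [ -n "$fields" ] || continue
        expected=${fields%% *}
        relpath=${fields#* }
        checked=$((checked + 1))
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"
            failures=$((failures + 1))
        fi
    done < "$list"
    echo "checked=$checked failures=$failures"
    [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
}

# When run as a script: verify_md5.sh <list> <dir>  (name is an assumption)
if [ "$#" -eq 2 ]; then
    verify_md5_list "$1" "$2"
fi
```

The check detects a corrupted or substituted download, but an MD5 list is only as trustworthy as the advisory message that carries it; where a package signature is available, `rpm --checksig` without `--nogpg` gives a stronger guarantee.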


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and
package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/
for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml