Yellow Dog Linux Security Advisory: YDU-20020810-1
Dan Burcaw
yellowdog-updates@lists.terrasoftsolutions.com
Sat, 10 Aug 2002 00:53:54 -0600 (MDT)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: openssl
Issue Date: August 10, 2002
Priority: high
Advisory ID: YDU-20020810-1
1. Topic:
Updated openssl packages are available.
2. Problem:
"Updated OpenSSL packages are available for [Yellow Dog Linux 2.2 and 2.3].
These updates fix multiple protocol parsing bugs which may be used in
a denial of service (DoS) attack or cause SSL-enabled applications to
crash.
OpenSSL is a commercial-grade, full-featured, and open source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library.
Portions of the SSL protocol data stream, which include the lengths of
structures which are being transferred, may not be properly validated. This
may allow a malicious server or client to cause an affected application to
crash or enter an infinite loop, which can be used as a denial of service
(DoS) attack if the application is a server. It has not been verified if
this issue could lead to further consequences such as remote code execution.
These errata packages contain a patch to correct this vulnerability.
Please note that the original patch from the OpenSSL team had a mistake in
it which could possibly still allow buffer overflows to occur. This bug is
also fixed in these errata packages."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install openssl
b) Updating manually...
Download the updates below for your version of Yellow Dog Linux
and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/ppc/openssl-*0.9.6b-28.2.3a.ppc.rpm
Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/openssl-*0.9.6b-28.2.2a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
[Yellow Dog Linux 2.3]
cdd3d8183b4555b6252d12ba6d658215 SRPMS/openssl-0.9.6b-28.2.3a.src.rpm
d647520d9968c7a023a1ca417a1c92f3 ppc/openssl-0.9.6b-28.2.3a.ppc.rpm
2847ad257b470e91eba27bc3dba2f4e5 ppc/openssl-devel-0.9.6b-28.2.3a.ppc.rpm
ae108045dc2dcec6655d891ac279efcd ppc/openssl-perl-0.9.6b-28.2.3a.ppc.rpm
[Yellow Dog Linux 2.2]
18488aa0876643af668cbc2a023f2b1b SRPMS/openssl-0.9.6b-28.2.2a.src.rpm
c447475cfee9bc1794735a911da6efc9 ppc/openssl-0.9.6b-28.2.2a.ppc.rpm
b742657e3db3a382c495d6d469618d8d ppc/openssl-devel-0.9.6b-28.2.2a.ppc.rpm
5933ef7a57c7fc51c8cb429c3b6a791b ppc/openssl-perl-0.9.6b-28.2.2a.ppc.rpm
If you wish to verify that each package has not been corrupted or tampered with,
compare its MD5 checksum against the list above. The following command checks the
digest stored in the package's own header: rpm --checksig --nogpg filename
Note that this only detects corruption in transit: the embedded digest travels with
the package, so whoever can replace the file can also regenerate it. To check
against the values published in this advisory, run md5sum on the downloaded file
and match the result against the table above before installing.
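The following script is an added example, not part of the advisory or of Terra Soft's tooling. It shows how to turn the checksum table above into a manifest file and refuse to install anything unless every downloaded package matches the published MD5 value. It assumes the manifest is the "checksum path" lines of section 4 copied into a file (the bracketed "[Yellow Dog Linux x.y]" group headers may be left in), that GNU md5sum is available, and that the packages were downloaded under a single directory; the fixture it builds when run without arguments is constructed data, not real packages.

```shell
#!/bin/sh
# Added example: verify downloaded RPMs against the MD5 list published in an
# advisory before freshening them with rpm -Fvh. Not part of the original post.

# verify_manifest MANIFEST DIR
# Reads lines of the form "<md5> <relative path>" from MANIFEST and compares
# each against DIR/<relative path>. Prints one status line per entry and
# returns 0 only if every listed file exists and its md5sum matches.
verify_manifest() {
    manifest=$1
    dir=$2
    failed=0
    while read -r sum path; do
        # Skip blank lines and the "[Yellow Dog Linux x.y]" group headers.
        case "$sum" in ''|'['*) continue ;; esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            failed=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $sum, got $actual)"
            failed=1
        fi
    done < "$manifest"
    return $failed
}

# safe_freshen MANIFEST DIR
# Installs (rpm -Fvh) only the packages named in MANIFEST, and only if all
# of them verified. Assumes rpm is present; hypothetical helper name.
safe_freshen() {
    if ! verify_manifest "$1" "$2"; then
        echo "verification failed; nothing installed" >&2
        return 1
    fi
    files=$(grep -v '^\[' "$1" | awk -v d="$2" 'NF == 2 { print d "/" $2 }')
    # shellcheck disable=SC2086  # word-splitting the list is intended here
    rpm -Fvh $files
}

# make_fixture: constructed sample data (not real YDL packages) for a demo.
# One file matches its published digest, one has been appended to after the
# digest was published, simulating a tampered or corrupted mirror copy.
make_fixture() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/openssl-good.rpm"
    printf 'hello\n' > "$dir/openssl-tampered.rpm"
    printf 'EVIL' >> "$dir/openssl-tampered.rpm"
    cat > "$dir/MANIFEST" <<EOF
[constructed fixture]
b1946ac92492d2347c6235b4d2611184 openssl-good.rpm
b1946ac92492d2347c6235b4d2611184 openssl-tampered.rpm
EOF
    echo "$dir"
}

if [ $# -eq 2 ]; then
    # Real use: ./verify.sh MANIFEST DIR
    safe_freshen "$1" "$2"
else
    # Demo on the constructed fixture: expect OK for the good file and
    # MISMATCH for the tampered one, so nothing would be installed.
    d=$(make_fixture)
    verify_manifest "$d/MANIFEST" "$d"
    rm -rf "$d"
fi
```

The check is deliberately all-or-nothing: a partial upgrade (openssl installed but openssl-devel skipped, or vice versa) is harder to reason about than none at all, and a single mismatch is a signal to re-download from another mirror rather than to proceed. The manifest values come from the advisory, not from the package header, so the comparison does not rely on anything the mirror served.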
5. Misc.
Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml