[yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20010725-20

Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDU-20010725-20
dburcaw@newhope.terraplex.com
Date: Thu Aug 09 2001 - 20:32:36 MDT

Yellow Dog Linux Security Announcement
--------------------------------------

Package: openssl
Issue Date: July 25, 2001
Priority: high
Advisory ID: YDU-20010725-20

1. Topic:

        Several security vulnerabilities were
        discovered in the OpenSSL software.

2. Problem:

        "Versions of OpenSSL prior to 0.9.6a suffer from potential security
        problems. These include potential leakage of information after SSL
        version 3 key exchanges, imperfect distribution of random numbers used
        when generating signatures, honoring of sensitive environment variables
        in library functions in setuid or setgid applications, and not taking
        precautions to counter effects of potential hardware glitches when
        generating digital signatures.

        A flaw has also been found in the pseudo-random number generator used
        in versions of OpenSSL prior to 0.9.6b. The OpenSSL Project Team has
        released a patch which corrects this problem."
        (from Red Hat's security advisory)

3. Solution:

           a) Updating via yup...
           We suggest that you use the Yellow Dog Update Program (yup)
           to keep your system up-to-date. The following command(s) will
           automatically retrieve and install the fixed version of
           this update onto your system:

                   yup update openssl
                yup update openssl-devel
                yup update openssl-perl
                yup update openssl-python

           b) Updating manually...
           The update can also be retrieved manually from our ftp site
           below along with the rpm command that should be used to install
           the update. (Please use a mirror site)

                   ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.0/ppc/RPMS/
                rpm -Fvh openssl-0.9.6-9.src.rpm
                rpm -Fvh openssl-devel-0.9.6-9.src.rpm
                rpm -Fvh openssl-perl-0.9.6-9.src.rpm
                rpm -Fvh openssl-python-0.9.6-9.src.rpm

4. Verification

MD5 checksum Package
-------------------------------- ----------------------------
f193e7d11639893b5380d7125fc7aefc SRPMS/openssl-0.9.6-9.src.rpm
b099fe4944ab4ce3d55da40ef1806c3e ppc/RPMS/openssl-0.9.6-9.ppc.rpm
3385bcf0fef71ac48a1c0358deed076d ppc/RPMS/openssl-devel-0.9.6-9.ppc.rpm
98b7f2af7d7a17718c959cb1600755bd ppc/RPMS/openssl-perl-0.9.6-9.ppc.rpm
9a0619a7fd58019d3cd5b54f2754e6e6 ppc/RPMS/openssl-python-0.9.6-9.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename

5. Misc.

Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://devel.yellowdoglinux.com/rp_yup.shtml

This archive was generated by hypermail 2a24 : Thu Aug 09 2001 - 20:45:30 MDT