From marcdeslauriers@videotron.ca Sun Dec 18 11:50:53 2005
From: Marc Deslauriers
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Sun, 18 Dec 2005 00:16:46 -0500
Subject: [Full-disclosure] [FLSA-2005:166939] Updated openssl packages fix security issues

---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated openssl packages fix security issues
Advisory ID:       FLSA:166939
Issue date:        2005-12-17
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2004-0079 CVE-2005-0109 CVE-2005-2969
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated OpenSSL packages that fix security issues are now available.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

OpenSSL contained a software work-around for a bug in SSL handling in
Microsoft Internet Explorer version 3.0.2. This work-around is enabled in
most servers that use OpenSSL to provide support for SSL and TLS. Yutaka
Oiwa discovered that this work-around could allow an attacker, acting as a
"man in the middle", to force an SSL connection to use SSL 2.0 rather than
a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CVE-2005-2969
to this issue.

A bug was fixed in the way OpenSSL creates DSA signatures. A cache timing
attack was fixed in a previous advisory, which caused OpenSSL to do private
key calculations within a fixed time window. The DSA part of that fix was
not complete, and the calculations are not always performed within a fixed
window.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0109 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a null-pointer assignment in the do_change_cipher_spec() function.
A remote attacker could perform a carefully crafted SSL/TLS handshake
against a server that uses the OpenSSL library in such a way as to cause
OpenSSL to crash. Depending on the server this could lead to a denial of
service. (CVE-2004-0079)

Users are advised to update to these errata packages, which contain patches
to correct these issues.

Note: After installing this update, users are advised to either restart all
services that use OpenSSL or restart their system.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system. This assumes that you have yum or
apt-get configured for obtaining Fedora Legacy content. Please visit
http://www.fedoralegacy.org/docs for directions on how to configure yum
and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl096-0.9.6-25.11.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl-0.9.6b-39.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl095a-0.9.5a-24.7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl096-0.9.6-25.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-devel-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-perl-0.9.6b-39.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096-0.9.6-25.12.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096b-0.9.6b-15.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl-0.9.7a-20.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096-0.9.6-25.12.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096b-0.9.6b-15.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-devel-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-perl-0.9.7a-20.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096-0.9.6-26.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096b-0.9.6b-18.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl-0.9.7a-33.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096-0.9.6-26.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096b-0.9.6b-18.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-devel-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-perl-0.9.7a-33.13.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl096b-0.9.6b-20.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl-0.9.7a-35.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl096b-0.9.6b-20.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-devel-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm
7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum
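The verification and update steps above, as an added example that is not part of the advisory: a POSIX sh helper that checks every downloaded package against an advisory-style SHA1 manifest and refuses to go on to rpm --checksig / rpm -Fvh if any file is missing or altered. The function names verify_manifest and install_if_verified, the manifest lines and the three fake package files are the example's own constructed demo data.

```shell
#!/bin/sh
# Added example, not from the advisory. verify_manifest reads lines of the
# form "<sha1>  <path>" (the layout of the advisory's Verification table)
# and checks the file of the same basename under PKGDIR. It prints one
# status line per entry and returns 0 only when every package is present
# with a matching sha1sum. A matching sha1sum only proves the file equals
# what the advisory lists; "rpm --checksig -v" is still needed to check the
# Fedora Legacy GPG signature, so install_if_verified runs both.
verify_manifest() {
    manifest="$1"; pkgdir="$2"; bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue                 # skip blank lines
        file="$pkgdir/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Apply the update only after both checks pass. rpm is looked up first so
# the demo below still runs on a system without it.
install_if_verified() {
    verify_manifest "$1" "$2" || { echo "sha1 check failed; not installing"; return 1; }
    command -v rpm >/dev/null || { echo "rpm not found; skipping install"; return 1; }
    rpm --checksig -v "$2"/*.rpm || { echo "signature check failed; not installing"; return 1; }
    rpm -Fvh "$2"/*.rpm
}

# Constructed demo data (sha1 of "abc" is a9993e36...): one intact package,
# one altered in transit, one that never arrived.
demo=$(mktemp -d)
printf 'abc' > "$demo/openssl-demo-ok.i386.rpm"
printf 'abX' > "$demo/openssl-demo-altered.i386.rpm"
cat > "$demo/manifest" <<EOF
a9993e364706816aba3e25717850c26c9cd0d89d demo/updates/i386/openssl-demo-ok.i386.rpm
a9993e364706816aba3e25717850c26c9cd0d89d demo/updates/i386/openssl-demo-altered.i386.rpm
a9993e364706816aba3e25717850c26c9cd0d89d demo/updates/i386/openssl-demo-missing.i386.rpm
EOF
install_if_verified "$demo/manifest" "$demo" || true   # prints OK, MISMATCH, MISSING, then refuses
```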
8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969

9. Contact:

The Fedora Legacy security contact is . More project details at
http://www.fedoralegacy.org
---------------------------------------------------------------------