From da@securityfocus.com Tue Sep 3 22:00:45 2002
From: Dave Ahmad
To: bugtraq@securityfocus.com
Date: Tue, 3 Sep 2002 14:32:46 -0600 (MDT)
Subject: [security bulletin] SSRT2310a HP Tru64 UNIX & HP OpenVMS Potential OpenSSL Security Vulnerability (fwd)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN SSRT2310a - HP Tru64 UNIX & HP OpenVMS Potential
==========                   OpenSSL Security Vulnerability

The HP Security Bulletin has been posted to the support website -
http://thenew.hp.com/country/us/eng/support.html
Use the SEARCH IN feature box, enter SSRT2310* in the search window.

REVISION: 0
=========

NOTICE: There are no restrictions for distribution of this Bulletin
======= provided that it remains complete and intact.

RELEASE DATE: 29 August, 2002
=============

SEVERITY: HIGH
========

SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of
======= Hewlett-Packard Company and Hewlett-Packard Company
        HP Services Software Security Response Team

REFERENCE: CERT CA-2002-23, CAN-2002-0655, CAN-2002-0656,
========== CAN-2002-0657, CAN-2002-0659

PROBLEM SUMMARY:
===============

SSRT2310a OpenSSL Potential Vulnerabilities

Broad-based remote vulnerabilities have recently been discovered in
OpenSSL by several security research groups and reported in CERT/CC
advisory CA-2002-23. This bulletin follows up the previous announcements
describing this potential threat as it impacts HP Tru64 UNIX and HP
OpenVMS.

VERSIONS IMPACTED
=================

HP OpenVMS
==========
OpenSSL for HP OpenVMS Alpha V1.0
HP V5.3 TCP/IP Services for OpenVMS
HP OpenVMS Secure Web Server 1.1-1
HP OpenVMS Secure Web Server V1.2

HP Tru64 UNIX
=============
Internet Express V5.9 for Tru64 UNIX Secure Web Server
Internet Express EAK V2.0
HP Tru64 UNIX Secure Web Server V5.8.1 and earlier

NOTE: This reported potential vulnerability does not have an impact on
the base operating system in the form of elevated permissions or
privileges.
HP-UX
=====
At the time of writing this document, HP-UX is currently investigating
these potential vulnerabilities as case id SSRT2310. As further
information becomes available, HP will provide notice of the
availability of any necessary solutions through standard security
bulletin announcements; these will be available from your normal HP
Services support channel and on http://itrc.hp.com in the Support
Digests, under Archives.

RESOLUTION
==========

HP OpenVMS Alpha
================

OpenSSL for OpenVMS Alpha V1.0
==============================
OpenVMS engineering has released a new version of Compaq SSL for OpenVMS
Alpha, Version 1.0-A, that corrects the security vulnerabilities
highlighted in CERT advisory CA-2002-23 for all ports of OpenSSL. To
download OpenSSL for OpenVMS Alpha V1.0-A go to the following website:
http://www.openvms.compaq.com/openvms/products/ssl/ssl.html

NOTE: Customers who have already installed OpenSSL for OpenVMS Alpha V1.0
should remove it with the following command:

    $ PRODUCT REMOVE SSL

and then install V1.0-A.

TCP/IP Services for OpenVMS V5.3
================================
TCP/IP Services for OpenVMS is susceptible to the buffer overflow
conditions in the BIND 9 server and utilities, on Alpha only. Until a
patch is provided, customers are asked not to use any keying mechanisms
(including TSIG and DNSSEC); these are disabled by editing the BIND
configuration file TCPIP$BIND.CONF.

Secure Web Server V1.1-1
========================
Secure Web Server is only vulnerable to the SSLv2 buffer-overflow
vulnerability VU#102795. HP has released security update kits for SWS
1.1-1 and SWS 1.2. These kits are cumulative and supersede all previous
update kits. Please review the readme files prior to updating SWS.
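As an added example, not part of HP's bulletin, the POSIX shell script below carries out two checks an administrator might want while working through the resolution above. The first classifies a line of `openssl version` output against the fixed OpenSSL releases named in CERT advisory CA-2002-23 (0.9.6e and 0.9.7-beta3; those version numbers come from the CERT advisory, not from this bulletin). The second counts the lines in a BIND 9 configuration file, in named.conf syntax, that introduce or reference a TSIG `key` or open a DNSSEC `trusted-keys` block, which are the keying mechanisms the bulletin asks customers to remove from TCPIP$BIND.CONF until a patch ships. The version strings and the sample configuration are constructed for the example; on OpenVMS the configuration check would have to be carried out under DCL rather than sh.

```shell
#!/bin/sh
# Added example, not HP code. Two checks that follow the SSRT2310a resolution:
#  1. Is a reported OpenSSL version older than the CA-2002-23 fixes?
#     (fixed releases 0.9.6e and 0.9.7-beta3 per the CERT advisory; these
#     values are an assumption taken from CERT, not from the bulletin)
#  2. Does a BIND 9 configuration still enable keying mechanisms
#     (TSIG "key" statements, DNSSEC "trusted-keys") that the bulletin
#     asks to be removed until a patch is available?

# openssl_vulnerable "<one line as printed by 'openssl version'>"
# Exit status: 0 = predates the fix, 1 = fixed release, 2 = cannot classify.
openssl_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        0.9.7-beta[12])   return 0 ;;   # 0.9.7 betas before beta3 were affected
        0.9.7*)           return 1 ;;   # 0.9.7-beta3 and later carry the fix
        0.9.6[e-z]*)      return 1 ;;   # 0.9.6e and later carry the fix
        0.9.6*|0.9.[0-5]*|0.[0-8]*) return 0 ;;   # 0.9.6d and everything older
        *)                return 2 ;;   # unknown layout, decide by hand
    esac
}

# bind_key_statements < named.conf
# Prints the number of configuration lines that introduce a TSIG "key"
# statement, reference a key (e.g. allow-update { key ...; }), or open a
# DNSSEC "trusted-keys" block. Comment lines (// or #) are ignored.
# A result of 0 means no keying mechanism is configured.
bind_key_statements() {
    awk '/(^|[ \t{])(key|trusted-keys)[ \t]/ && !/^[ \t]*(\/\/|#)/ { n++ }
         END { print n + 0 }'
}

# Constructed sample configuration in named.conf syntax (not a real
# TCPIP$BIND.CONF); it enables both a TSIG key and a trusted key.
sample_bind_conf() {
    cat <<'EOF'
options {
    directory "/tcpip$bind";
};
// TSIG key shared with a secondary server
key "xfer-key" {
    algorithm hmac-md5;
    secret "CONSTRUCTED-PLACEHOLDER-SECRET=";
};
trusted-keys {
    "example.test." 256 3 1 "CONSTRUCTED-PLACEHOLDER-DNSKEY=";
};
zone "example.test" {
    type master;
    file "example.test.db";
    allow-update { key "xfer-key"; };
};
EOF
}

# Stand-alone run: classify a few constructed version strings and audit
# the sample configuration (expected: 3 keying statements).
for line in "OpenSSL 0.9.6d 9 May 2002" "OpenSSL 0.9.6e 30 Jul 2002" \
            "OpenSSL 0.9.7-beta3 30 Jul 2002"; do
    if openssl_vulnerable "$line"; then
        echo "AFFECTED: $line"
    else
        echo "fixed or unclassified: $line"
    fi
done
echo "keying statements in sample config: $(sample_bind_conf | bind_key_statements)"
```

On a Tru64 host the first check would be fed with the real `openssl version` line from the Secure Web Server's bundled OpenSSL; the second expects the configuration on standard input, so `bind_key_statements < /path/to/named.conf` reports how many key-related lines still need attention. Any non-zero count means the BIND workaround the bulletin describes has not been fully applied.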
SWS V1.2
  Install SWS12_UPDATE V4.0
  http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches.html

SWS V1.1-1
  Install SWS111_UPDATE V3.0
  http://www.openvms.compaq.com/openvms/products/ips/apache/csws_patches.html

HP Tru64 UNIX
=============

Internet Express Secure Web Server V5.8.1
  Update to Secure Web Server 5.9.2 (Apache)
  http://tru64unix.compaq.com/internet/register_sws.html

  Note: The kit requires HP Tru64 UNIX V5.0A or later. If SSL has been
  enabled for anything from the Internet Express distribution other than
  Secure Web Server, please contact your normal HP Services Support
  channel. Before installing the software, review the Secure Web Server
  RELEASE NOTES for important information about this release.

Internet Express EAK V2.0
  Update to Apache 2.0 Early Adopters Kit (2.0.39)
  http://tru64unix.compaq.com/internet/register_apache.html

  Note: The kit requires HP Tru64 UNIX V5.1 or later. Before installing
  the software, review the Secure Web Server RELEASE NOTES for important
  information about this release.

SUPPORT: For further information, contact HP Services.
=======

SUBSCRIBE: To subscribe to automatically receive future Security
========== Advisories from the Software Security Response Team (SSRT)
           via electronic mail:
           http://www.support.compaq.com/patches/mailing-list.shtml

REPORT: To report a potential security vulnerability with any HP or
======= Compaq supported product, send email to:
        security-alert@hp.com

HP and Compaq appreciate your cooperation and patience. As always, HP
and Compaq urge you to periodically review your system management and
security procedures. HP and Compaq will continue to review and enhance
the security features of their products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP and Compaq are broadly distributing this Security Bulletin in order
to bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin.
HP and Compaq recommend that all users determine the applicability of
this information to their individual situations and take appropriate
action. Neither HP nor Compaq warrant that this information is
necessarily accurate or complete for all user situations and,
consequently, neither HP nor Compaq will be responsible for any damages
resulting from user's use or disregard of the information provided in
this Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P. Compaq shall
not be liable for technical or editorial errors or omissions contained
herein. The information in this document is subject to change without
notice. Compaq and the names of Compaq products referenced herein are
trademarks of Compaq Information Technologies Group, L.P. in the United
States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPXUWCznTu2ckvbFuEQKkdACfQurlNtdq3cMr5m/MsPj3k+rp1p8AoJcU
dXS19zEUt7Xpm0rppzCH2fok
=R2tt
-----END PGP SIGNATURE-----