Bugtraq mailing list archives

[OpenPKG-SA-2002.008] OpenPKG Security Advisory (openssl)


From: OpenPKG <openpkg () openpkg org>
Date: Tue, 30 Jul 2002 15:06:36 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project 
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org                 
OpenPKG-SA-2002.008                                          30-Jul-2002
________________________________________________________________________

Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected  Releases:  OpenPKG 1.0               OpenPKG CURRENT
Affected  Packages:  <= openssl-0.9.6b-1.0.0   <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1   >= openssl-0.9.6e
Dependent Packages:  apache                    apache
                     curl                      bind   
                     fetchmail                 cadaver
                     imapd                     cpu    
                     inn                       curl
                     links                     dsniff 
                     lynx                      exim   
                     mutt                      fetchmail
                     openldap                  imapd
                     openssh                   inn
                     perl-ssl                  links
                     postfix                   lynx
                     postgresql                mutt
                     qpopper                   neon
                     samba                     openldap
                     sasl                      openssh
                     scanssh                   openvpn
                     sendmail                  perl-ssl
                     siege                     postfix
                     sitecopy                  postgresql
                     snmp                      qpopper
                     stunnel                   rdesktop
                     tcpdump                   samba
                     w3m                       sasl
                                               scanssh
                                               sendmail
                                               siege
                                               sitecopy
                                               snmp
                                               stunnel
                                               sysmon
                                               tcpdump
                                               w3m

Description:
  According to an official security advisory from the OpenSSL team,
  there are four remotely exploitable buffer overflows that affect
  various OpenSSL client and server implementations [5]. There are
  also parsing problems in the ASN.1 library used by OpenSSL. The
  Common Vulnerabilities and Exposures (CVE) project assigned the
  ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
  CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
  could be used by a remote attacker to execute arbitrary code on the
  target system. All could be used to create a denial of service.

  Please check whether you are affected by running "<prefix>/bin/rpm -q
  openssl". If the "openssl" package is installed and its version is in
  the affected range (see above), we recommend that you upgrade it
  immediately (see Solution). You also have to rebuild and reinstall all
  dependent OpenPKG packages [2].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [4], fetch it from the OpenPKG FTP service [3] or a mirror location,
  verify its integrity [1], build a corresponding binary RPM from it
  and update your OpenPKG installation by applying the binary RPM [2].
  For the latest OpenPKG 1.0 release, perform the following operations
  to permanently fix the security problem (for other releases adjust
  accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.0/UPD
  ftp> get openssl-0.9.6b-1.0.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
  $ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

  Now proceed and rebuild and reinstall all dependent OpenPKG packages,
  too (see list above).
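  As an added example (not part of the OpenPKG advisory and not OpenPKG
  tooling), the two checks the text asks for, the "rpm -q openssl" version
  check and the dependent-package rebuild step, as a POSIX shell script. It
  parses one line of "<prefix>/bin/rpm -q openssl" output, tests it against
  the affected ranges in the table above for either OpenPKG 1.0 or CURRENT,
  and filters an "rpm -qa" style listing down to the packages the advisory
  lists as dependent on openssl. The version comparison is a simplified
  tokeniser of our own, not rpm's rpmvercmp; the function names and the
  sample package lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the OpenPKG advisory. Decides from "rpm -q openssl"
# output whether the installed package is inside the affected range given in
# the advisory, and lists which dependent packages from the advisory are
# installed and therefore need a rebuild after the openssl update.

# ver_le A B: exit 0 if version string A sorts at or before B. Each string is
# split into runs of digits and runs of letters ("0.9.6b-1.0.0" -> 0 9 6 b 1 0 0)
# and compared run by run, digits numerically, letters lexically. A string
# that is a prefix of the other sorts first ("0.9.6" before "0.9.6e").
# This is a simplified stand-in for rpm's own comparison (an assumption).
ver_le() {
    awk -v a="$1" -v b="$2" '
    function tok(s, arr,    n) {
        n = 0
        while (match(s, /[0-9]+|[a-zA-Z]+/)) {
            arr[++n] = substr(s, RSTART, RLENGTH)
            s = substr(s, RSTART + RLENGTH)
        }
        return n
    }
    BEGIN {
        na = tok(a, A); nb = tok(b, B)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x == "") exit 0
            if (y == "") exit 1
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) exit ((x + 0 <= y + 0) ? 0 : 1)
            exit ((x < y) ? 0 : 1)
        }
        exit 0
    }'
}

# openssl_affected PKG RELEASE: PKG is the line printed by
# "<prefix>/bin/rpm -q openssl", RELEASE is "1.0" or "CURRENT". Returns 0 when
# PKG is within the affected range the advisory gives for that release, 1 when
# it is not, 2 when the input is not an openssl package line (for example
# "package openssl is not installed").
openssl_affected() {
    pkg=$1; rel=$2
    case "$pkg" in
        openssl-[0-9]*) ;;
        *) echo "unexpected rpm -q output: $pkg" >&2; return 2 ;;
    esac
    ver=${pkg#openssl-}                               # e.g. 0.9.6b-1.0.0
    case "$rel" in
        1.0)     ver_le "$ver" "0.9.6b-1.0.0" ;;      # <= openssl-0.9.6b-1.0.0
        CURRENT) ver_le "${ver%%-*}" "0.9.6d" ;;      # upstream version <= 0.9.6d
        *)       echo "unknown OpenPKG release: $rel" >&2; return 2 ;;
    esac
}

# rebuild_list RELEASE: reads "rpm -qa" style lines (name-version-release) on
# stdin and prints the package names that the advisory lists as dependent on
# openssl for that release, i.e. the ones to rebuild and reinstall.
rebuild_list() {
    case "$1" in
        1.0)     deps="apache curl fetchmail imapd inn links lynx mutt openldap openssh perl-ssl postfix postgresql qpopper samba sasl scanssh sendmail siege sitecopy snmp stunnel tcpdump w3m" ;;
        CURRENT) deps="apache bind cadaver cpu curl dsniff exim fetchmail imapd inn links lynx mutt neon openldap openssh openvpn perl-ssl postfix postgresql qpopper rdesktop samba sasl scanssh sendmail siege sitecopy snmp stunnel sysmon tcpdump w3m" ;;
        *)       return 2 ;;
    esac
    while IFS= read -r line; do
        name=${line%%-[0-9]*}        # drop "-<version>-<release>"; assumes the version starts with a digit
        for d in $deps; do
            [ "$name" = "$d" ] && echo "$name"
        done
    done | sort -u
}

# Constructed sample input (not output from a real system).
for sample in "openssl-0.9.6b-1.0.0 1.0" "openssl-0.9.6b-1.0.1 1.0" "openssl-0.9.6d CURRENT"; do
    set -- $sample
    if openssl_affected "$1" "$2"; then
        echo "$1 (OpenPKG $2): affected, upgrade and rebuild dependents"
    else
        echo "$1 (OpenPKG $2): not affected"
    fi
done
printf 'apache-1.3.26-1.0.0\nzlib-1.1.4-1.0.0\nperl-ssl-1.0-1.0.0\n' | rebuild_list 1.0
```

  On a live system the two inputs would come from "<prefix>/bin/rpm -q
  openssl" and "<prefix>/bin/rpm -qa" respectively; the script deliberately
  takes them as arguments and on stdin so it can be exercised offline.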
________________________________________________________________________

References:
  [1]  http://www.openpkg.org/security.html#signature
  [2]  http://www.openpkg.org/tutorial.html#regular-source
  [3]  ftp://ftp.openpkg.org/release/1.0/UPD/
  [4]  ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm
  [5]  http://www.openssl.org/news/secadv_20020730.txt
  [6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
  [7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
  [8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657
  [9]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----
