Re: New OpenSSL releases fix denial of service attacks [17 March 2004]

["Dave Markham" <dave.markham () fjserv net>]

This may be a stupid question but my OpenSSH dist is obviously compiled with
OpenSSL 0.9.7c and im wondering if i will need to go and recompile it all
again and redistribute.

We dont use SSL directly other than through this ssh.

Cheers



----- Original Message ----- 
From: "Mark J Cox" <mark () awe com>
To: <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>
Sent: Wednesday, March 17, 2004 1:12 PM
Subject: New OpenSSL releases fix denial of service attacks [17 March 2004]


> -----BEGIN PGP SIGNED MESSAGE-----
>
> OpenSSL Security Advisory [17 March 2004]
>
> Updated versions of OpenSSL are now available which correct two
> security issues:
>
>
> 1. Null-pointer assignment during SSL handshake
> ===============================================
>
> Testing performed by the OpenSSL group using the Codenomicon TLS Test
> Tool uncovered a null-pointer assignment in the
> do_change_cipher_spec() function.  A remote attacker could perform a
> carefully crafted SSL/TLS handshake against a server that used the
> OpenSSL library in such a way as to cause OpenSSL to crash.  Depending
> on the application this could lead to a denial of service.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0079 to this issue.
>
> All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from
> 0.9.7a to 0.9.7c inclusive are affected by this issue.  Any
> application that makes use of OpenSSL's SSL/TLS library may be
> affected.  Please contact your application vendor for details.
>
>
> 2. Out-of-bounds read affects Kerberos ciphersuites
> ===================================================
>
> Stephen Henson discovered a flaw in SSL/TLS handshaking code when
> using Kerberos ciphersuites.  A remote attacker could perform a
> carefully crafted SSL/TLS handshake against a server configured to use
> Kerberos ciphersuites in such a way as to cause OpenSSL to crash.
> Most applications have no ability to use Kerberos ciphersuites and
> will therefore be unaffected.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2004-0112 to this issue.
>
> Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this
> issue.  Any application that makes use of OpenSSL's SSL/TLS library
> may be affected.  Please contact your application vendor for details.
>
> Recommendations
> - ---------------
>
> Upgrade to OpenSSL 0.9.7d or 0.9.6m.  Recompile any OpenSSL applications
> statically linked to OpenSSL libraries.
>
> OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and
> FTP from the following master locations (you can find the various FTP
> mirrors under http://www.openssl.org/source/mirror.html):
>
>     ftp://ftp.openssl.org/source/
>
> The distribution file names are:
>
>     o openssl-0.9.7d.tar.gz
>       MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
>
>     o openssl-0.9.6m.tar.gz [normal]
>       MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
>     o openssl-engine-0.9.6m.tar.gz [engine]
>       MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
>
> The checksums were calculated using the following command:
>
>     openssl md5 openssl-0.9*.tar.gz
>
> Credits
> - -------
>
> Patches for these issues were created by Dr Stephen Henson
> (steve () openssl org) of the OpenSSL core team.  The OpenSSL team would
> like to thank Codenomicon for supplying the TLS Test Tool which was
> used to discover these vulnerabilities, and Joe Orton of Red Hat for
> performing the majority of the testing.
>
> References
> - ----------
>
> http://www.codenomicon.com/testtools/tls/
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
>
> URL for this Security Advisory:
> http://www.openssl.org/news/secadv_20040317.txt
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd
> G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ
> pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j
> Ez3jSlsbRRA=
> =wvAZ
> -----END PGP SIGNATURE-----