LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Netwosix alert NW-2004-0005 (openssl)



From:
    	      Vincenzo Ciaglia <ciaglia@netwosix.org>


To:
    	      bugtraq@securityfocus.com


Subject:
    	      LNSA-#2004-0005: openssl


Date:
    	      Wed, 17 Mar 2004 21:15:45 +0100


Cc:
    	      lwn@lwn.net,
 announce@netwosix.org



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

************************************************************************************
Netwosix Linux Security Advisory #2004-0005 <http://www.netwosix.org>
- -----------------------------------------------------------------------------------

Package name:      openssl
Summary:              openssl upgraded package
Date:                    2004-03-17
Affected versions:  Netwosix 1.0
************************************************************************************

- -> Package description:
- ------------------------
The OpenSSL Project is a collaborative effort to develop a robust, 
commercial-grade, full-featured, and Open Source toolkit implementing the 
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) 
protocols as well as a full-strength general purpose cryptography library 
managed by a worldwide community of volunteers that use the Internet to 
communicate, plan, and develop the OpenSSL toolkit and its related 
documentation.

- -> Problem description:
- ------------------------

1. Null-pointer assignment during SSL handshake
2. Out-of-bounds read affects Kerberos ciphersuites

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this
issue.  Any application that makes use of OpenSSL's SSL/TLS library
may be affected.  Please contact your application vendor for details.

- -> Action:
- ------------------------
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

- -> Location:
- ---------------------

  You can download the latest version of this package in NEPOTE format from:
  <http://download.netwosix.org/0005/nepote>

- -> Nepote Update (Nepote has been updated with new ports on 25 February 2004.
Update your portage tree from http://nepote.netwosix.org, first):
- ---------------------

See this instructions to update the port of this package:

        # cd /usr/port/devel/openssl
        # rm nepote
        # wget http://download.netwosix.org/0005/nepote
        # sh nepote (to install the new and updated package)

Pending vulnerabilities, solutions, workarounds

        # cd /usr/port/shells/openssh
        # rm nepote-dep
        # wget http://download.netwosix.org/0005/nepote-dep
        # sh nepote-dep (to install the new and updated package)


- -> References
- ---------------------

        Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
                http://www.openssl.org/news/secadv_20040317.txt

- -> About Linux Netwosix:
- ---------------------------------
Linux Netwosix is a powerful and optimized Linux distribution for servers
and Network Security related jobs.  It can also be used for special operations
such as penetration testing with its big collection of security oriented
software and sources. It's a light distribution created for the requirements
of every SysAdmin and it's very portable and highly configurable. Our
philosophy is to give greater liberty for  configuration to the SysAdmin.
Only in this way can he/she configure a powerful and stable server machine.
Linux Netwosix also has a powerful ports system (Nepote) similar to the xBSD
systems but more flexible and usable.


- -> Questions?
- ---------------------
  Check out our mailing lists:
  <http://www.netwosix.org/mailing.html>


  The advisory itself is available at
  <http://www.netwosix.org/adv05.html>
- --------------------------------------------------

MD5sums of the packages:
- - --------------------------------------------------------------------------
9c399210b16b3590be2bb81357442f9a  0005/nepote
1a89349bd258f15aa8810623e9f471d2   0005/nepote-dep
- - --------------------------------------------------------------------------

Vincenzo Ciaglia - Linux Netwosix Security Advisories
<ciaglia@netwosix.org> - <http://www.netwosix.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAWLNq6jz9pGuz4koRAi6TAJ0dkKMsr8rhln59cgbKTjgNDG2eCwCaAmAZ
nI95RvNjazxaQc57/1JjgCA=
=VtkN
-----END PGP SIGNATURE-----
(Log in to post comments)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds