-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2003.0700 -- Debian Security Advisory DSA-393-1
           New OpenSSL packages correct denial of service issues
                              03 October 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                OpenSSL
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux
Impact:                 Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0543 CAN-2003-0544

Ref:                    AL-2003.18

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 393-1                     security@debian.org
http://www.debian.org/security/                              Michael Stone
October 1, 2003                         http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0543 CAN-2003-0544

Dr. Stephen Henson (steve@openssl.org), using a test suite provided by
NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL
ASN1 code.  Combined with an error that causes the OpenSSL code to parse
client certificates even when it should not, these errors can cause a
denial of service (DoS) condition on a system using the OpenSSL code,
depending on how that code is used. For example, although apache-ssl
and ssh link against the OpenSSL libraries, they should not be affected
by this vulnerability. Other SSL-enabled applications may be vulnerable,
however, so an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been
fixed in version 0.9.6c-2.woody.4

For the unstable distribution (sid) these problems have been fixed in
version 0.9.7c-1

We recommend that you update your openssl package. Note that you will
need to restart services which use the libssl library for this update
to take effect: a running process keeps the old library mapped in memory
until it is restarted, so upgrading the package alone does not remove the
vulnerable code from long-lived daemons.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
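As an added example (not part of DSA-393-1 and not Debian's own tooling), the following POSIX shell functions do the two checks a practitioner would want around the manual "wget url; dpkg -i file.deb" path above: verifying a downloaded .deb against the Size/MD5 line published for it in this advisory before installing it, and, after the upgrade, listing the processes on a Linux host that still map the replaced libssl or libcrypto and therefore need to be restarted. The function names and the /proc scan are the example's own; the checksum in the usage comment is the i386 libssl0.9.6 entry from the architecture list below. Both libraries are matched because the libssl0.9.6 package ships both. Note what the MD5 check buys you: it catches a corrupted or truncated download, not a deliberately substituted package; for that, verify the PGP signature on the advisory that carries these checksums.

```shell
#!/bin/sh
# Added example, not part of DSA-393-1 or of Debian's packaging tools.
# Two checks around the manual "wget url; dpkg -i file.deb" path:
#   1. verify_package: compare a downloaded .deb with the Size/MD5 line
#      published for it in the advisory before installing it;
#   2. stale_libssl_users: after the upgrade, list Linux processes that still
#      map the replaced libssl/libcrypto and therefore must be restarted.
# Needs only POSIX sh plus md5sum (coreutils) or md5 (BSD/macOS).

set -e

# MD5 hex digest of a file, portable across coreutils and BSD userlands.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Size of a file in bytes (wc -c pads with spaces on BSD; strip them).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_package FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both size and MD5 match the advisory line, 1 otherwise.
# The size check is cheap and catches a truncated download before hashing.
verify_package() {
    file=$1; want_size=$2; want_md5=$3
    have_size=$(size_of "$file")
    if [ "$have_size" != "$want_size" ]; then
        echo "SIZE MISMATCH $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 MISMATCH $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "OK $file"
}

# Print "PID command" for every process whose mappings still reference a
# libssl or libcrypto shared object that dpkg has since replaced on disk.
# Linux marks such mappings "(deleted)" in /proc/PID/maps; both libraries
# are matched because the libssl0.9.6 package ships both of them.
stale_libssl_users() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# Usage, with the i386 libssl0.9.6 entry from the architecture list below:
#   wget http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_i386.deb
#   verify_package libssl0.9.6_0.9.6c-2.woody.4_i386.deb 461714 9c291cab723133eb1c7c2309540dd9e2 \
#       && dpkg -i libssl0.9.6_0.9.6c-2.woody.4_i386.deb
#   stale_libssl_users        # then restart each listed service
```

Run stale_libssl_users as root so that every /proc/PID/maps is readable; an empty result after the upgrade means no process is still executing the old library code. The same "(deleted)" scan applies to any shared-library security update, not just this one.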

Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.dsc
      Size/MD5 checksum:      675 76da6f792eccfa0e219a0bb42296546f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4.diff.gz
      Size/MD5 checksum:    44514 c07ae1f584c7a8bc4d0a821b8e6801ab

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.4_all.deb
      Size/MD5 checksum:      970 734c96f61a7d7032584ce001811d99ce

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_alpha.deb
      Size/MD5 checksum:  1551438 add644f20298bb07dd2368f6139e03bd
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_alpha.deb
      Size/MD5 checksum:   571194 17117f28911fee940def4cc5a5168ebf
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_alpha.deb
      Size/MD5 checksum:   736296 f571a65a29ea963e9f82b4a70cc61bbc

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_arm.deb
      Size/MD5 checksum:   474030 c34ae889a0b0b05d16ab071069886ee8
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_arm.deb
      Size/MD5 checksum:  1357972 7b5efab549fcace562b1df40f58eb434
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_arm.deb
      Size/MD5 checksum:   729736 bea9047ba98358b5d843ec5502c08d14

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_hppa.deb
      Size/MD5 checksum:  1435088 64ec697612a1a8bb7ec02a8dfe0f082a
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_hppa.deb
      Size/MD5 checksum:   564870 7c9f44efb6fbf092a4c6285438f4218f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_hppa.deb
      Size/MD5 checksum:   741856 c593ae8279de436da67de14a147b991c

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_i386.deb
      Size/MD5 checksum:   461714 9c291cab723133eb1c7c2309540dd9e2
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_i386.deb
      Size/MD5 checksum:   721748 654531d126d43611b236964e691b67e2
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_i386.deb
      Size/MD5 checksum:  1289866 0b05581c2d1c03f72644737aa7c37fe9

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_ia64.deb
      Size/MD5 checksum:   763482 0292998feaac6ea041d2d044305b7715
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_ia64.deb
      Size/MD5 checksum:   711022 dbfc0819492111ff1b8040c4dc615d03
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_ia64.deb
      Size/MD5 checksum:  1615238 74a9e23d5f17d9a4f40120d1103bfeb2

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_m68k.deb
      Size/MD5 checksum:   720358 293043604c8e259a058f5e1d5925a96e
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_m68k.deb
      Size/MD5 checksum:   450572 5ebfb9bc4f0da2986373032213e22f3d
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_m68k.deb
      Size/MD5 checksum:  1266566 5d8c56beaaa413dd72d3cf90b5b30349

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_mips.deb
      Size/MD5 checksum:   717764 d7019cf6cf0d6618f8789c8290697367
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_mips.deb
      Size/MD5 checksum:  1416184 09aa020367ef0d06e3e22e550ea12102
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_mips.deb
      Size/MD5 checksum:   483650 3008bbee5c4f7f5faf344317c59e0d82

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_mipsel.deb
      Size/MD5 checksum:   717060 3180c04a1cb7dd325b06496ca2bff71b
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_mipsel.deb
      Size/MD5 checksum:  1410226 35cc9bc327c59471f5a909878efdbb76
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_mipsel.deb
      Size/MD5 checksum:   476638 bb83a9bfc07679fbe21aab5abd56256f

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_powerpc.deb
      Size/MD5 checksum:  1386776 f379528eae7a157bd830ea43a371efe4
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_powerpc.deb
      Size/MD5 checksum:   726638 45d8adac74a907263e7507f64fd3c3e3
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_powerpc.deb
      Size/MD5 checksum:   502422 a386a0fdd637da29848219a1ca16eae1

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_s390.deb
      Size/MD5 checksum:   510438 4044c7c34e45d3b9b7f3ef69eacae491
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_s390.deb
      Size/MD5 checksum:   731592 79fe91bb12f87b2dc05a4dff2aba1a10
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_s390.deb
      Size/MD5 checksum:  1326384 0352ce5cd87305074b2fdc91e78badca

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.4_sparc.deb
      Size/MD5 checksum:   484720 99bace5e1758b19404ef0ab618f37048
    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.4_sparc.deb
      Size/MD5 checksum:  1344194 2290093fa5e49278491fdbe03f14ab1a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.4_sparc.deb
      Size/MD5 checksum:   737150 28a4ebcf466e4c4d8aaa0afe974e9893

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBP3qviw0hVr09l8FJAQHfbQP+KCrmd5ZZewgLvbmMrQ70agmPhzIzNQ+E
NUHr+41wi0atXpBfpflopYrptgycN4gtPHfRjJRE1KAwjr2DkuXX0jzcv/oqOs4m
eJlTnIDG+sI7HfeX8H+rpKWz5SnS+Zjc8xZFrqkiGw8Fsbnw/hX3aFrEki1xISPc
5VKxp7qbGPc=
=iKdy
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP3z1JCh9+71yA2DNAQHyUwP/TdfCrLU3TYQPCtY9EwwSBV79ZbFnVysm
wSQD3F90+vZ8Og7YO6jhIY4jpZm8VKauNGL034IP975wivzf7784ffA57Vh3WY3N
T01p8can0T0gZXPfD0Wva3f1sH/zaMKjroC2GloqnO74x8pVYiKJFHZHH7FZmzQv
fyH2Z9vWyKM=
=8TLq
-----END PGP SIGNATURE-----