Thursday, 19 February 2004
Written by: Artur Kulda
Topic: OpenSSL 0.9.6 ASN.1 parser vulnerability

Version:
NetBSD-current: sources prior to 2003/07/24
NetBSD 1.6.1: affected
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
pkgsrc: packages prior to (including) 0.9.6k

Severity: possible remote denial-of-service

Fixed:
NetBSD-current: July 24, 2003
NetBSD-1.6 branch: November 8, 2003 (1.6.2 will include the fix)
NetBSD-1.5 branch: November 7, 2003
pkgsrc: openssl-0.9.6l corrects this issue

Abstract
The OpenSSL 0.9.6k ASN.1 parser had a possible denial-of-service
vulnerability.
This vulnerability is different from 2003-017.
OpenSSL 0.9.7 is not affected.
Technical Details
http://www.kb.cert.org/vuls/id/412478
http://www.openssl.org/news/secadv_20031104.txt
Solutions and Workarounds
The release of NetBSD 1.6.2 is imminent. This is a reminder
to consider upgrading when it is available, if you are running
anything older than NetBSD 1.6. Many security-related improvements
have been made.
NetBSD 1.6.2 may be considered a binary patch for this advisory.
* Rebuilding from source:
libcrypto and libssl have to be rebuilt.
The following instructions describe how to upgrade your libcrypto and
libssl binaries by updating your source tree and rebuilding and
installing a new version of libcrypto and libssl.
* NetBSD-current:
NetBSD-current has included the OpenSSL 0.9.7 series since July 24,
2003, therefore upgrading to sources after July 24, 2003 is required.
* NetBSD 1.6, 1.6.1:
The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.
Systems running NetBSD 1.6 sources dated from before
2003-11-07 should be upgraded from NetBSD 1.6 sources dated
2003-11-08 or later.
NetBSD 1.6.2 will include the fix.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl
# cd lib/libcrypto
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
# cd ../../lib/libssl
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.
Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
from before 2003-11-06 should be upgraded from NetBSD 1.5.*
sources dated 2003-11-07 or later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/openssl
To update from CVS, re-build, and re-install libcrypto and libssl:
# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/openssl
# cd lib/libcrypto
# make cleandir dependall
# make install
# cd ../../lib/libssl
# make cleandir dependall
# make install
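
The affected/fixed criteria listed above, written as a check (an added example, not part of the NetBSD advisory; the function names pkg_status and source_status are made up here, and the cut-offs are the versions and dates the advisory gives). The base system is judged by source date and the pkgsrc package by its version string:

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical;
# thresholds are the ones stated in the advisory text.

# pkg_status VERSION -> affected | fixed | not-affected | unknown
# For the pkgsrc openssl package, e.g. "0.9.6k", "openssl-0.9.6knb1".
pkg_status() {
    v=${1#openssl-}                           # accept the full package name
    case $v in
        0.9.7*)     echo not-affected; return ;;  # 0.9.7 is not affected
        0.9.6*)     ;;                            # check patch letter below
        0.9.[0-5]*) echo affected; return ;;      # prior to 0.9.6k
        *)          echo unknown; return ;;       # advisory says nothing
    esac
    rest=${v#0.9.6}
    letter=${rest%%nb*}                       # drop a pkgsrc "nbN" suffix
    case $letter in
        ''|[abcdefghijk])   echo affected ;;  # up to and including 0.9.6k
        [lmnopqrstuvwxyz])  echo fixed ;;     # 0.9.6l corrects the issue
        *)                  echo unknown ;;
    esac
}

# source_status BRANCH YYYY-MM-DD -> fixed | affected | unknown
# BRANCH: current, netbsd-1-6 or netbsd-1-5; the date is that of the
# checked-out source tree.
source_status() {
    case $1 in
        # The advisory asks for sources "after July 24, 2003", so that
        # day itself is treated here as not yet fixed (an assumption).
        current)    min=20030725 ;;
        netbsd-1-6) min=20031108 ;;           # "2003-11-08 or later"
        netbsd-1-5) min=20031107 ;;           # "2003-11-07 or later"
        *)          echo unknown; return ;;
    esac
    d=$(printf '%s' "$2" | sed 's/-//g')
    case $d in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo unknown; return ;;            # not a YYYY-MM-DD date
    esac
    if [ "$d" -ge "$min" ]; then echo fixed; else echo affected; fi
}
```
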
Thanks To
Dr Stephen Henson
Ossi Herrala for corrections
Revision History
2004-02-18 Initial release
2004-02-20 Note USETOOLS=no in 1.6 instructions.
2004-04-25 Note USETOOLS=no in all 1.6 instructions.
More Information
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-003.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/
and
http://www.NetBSD.org/Security/ .
Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
Last updated (Saturday, 29 October 2005)