Debian: Multiple OpenSSL Vulnerabilities (update)
Posted by LinuxSecurity.com Team   
This advisory is an update to DSA-136-1, issued 30 Jul 2002. It includes ASN1 updates in the woody packages, plus the potato packages which were not initially available.

- ------------------------------------------------------------------------
Debian Security Advisory DSA-136-2                   security@debian.org 
http://www.debian.org/security/                            Michael Stone
September 15, 2002                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : openssl094, openssl095, openssl
Problem type   : multiple remote exploits
Debian-specific: no
CVE            : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It
includes ASN1 updates in the woody packages, plus the potato packages
which were not initially available.

The OpenSSL development team has announced that a security audit by A.L.
Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed
remotely exploitable buffer overflow conditions in the OpenSSL code.
Additionally, the ASN1 parser in OpenSSL has a potential DoS vulnerability
independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64-bit platforms. CAN-2002-0656
references buffer overflows in the SSL2 server implementation (by
sending an invalid key to the server) and the SSL3 client implementation
(by sending a large session id to the client). The SSL2 issue was also
noticed by Neohapsis, who have privately demonstrated exploit code for
this issue. CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.1, openssl095_0.9.5a-6.woody.1 and
openssl_0.9.6c-2.woody.1.

These vulnerabilities are also present in Debian 2.2 (potato). Fixed
packages are available in openssl094_0.9.4-6.potato.0 and
openssl_0.9.6c-0.potato.4. 

Only i386 packages for openssl094 and openssl095 are available at this
time; other architectures will be made available as soon as possible.
A worm is actively exploiting this issue on internet-attached hosts;
we recommend you upgrade your OpenSSL as soon as possible. Note that you
must restart any daemons using SSL. (E.g., ssh or ssl-enabled apache.)
If you are uncertain which programs are using SSL you may choose to
reboot to ensure that all running daemons are using the new libraries.

- ------------------------------------------------------------------------

Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb  http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at  http://www.debian.org/security/

- ------------------------------------------------------------------------

Debian 2.2 (potato)
- ----------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
      Size/MD5 checksum:  1570392 72544daea16d6c99d656b95f77b01b2d
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.dsc
      Size/MD5 checksum:      741 9c7e0cf669a32763f4bf9669156a2235
     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.0.dsc
      Size/MD5 checksum:      702 463aa33d08d188542208e82734269eab
     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.0.diff.gz
      Size/MD5 checksum:    44354 d06b01d6f91e901d3e2686df4b9b6bc6
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
      Size/MD5 checksum:    42566 ea23bd132febccb20178a33080a75b2e

  alpha architecture (DEC Alpha)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum:   746626 c7e28cd9327bf7c57de8460873acc7ca
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum:   591014 6e50b6aab7330ab8bf05835476e355cf
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_alpha.deb
      Size/MD5 checksum:  1550550 519f58912d6fe231127dc3269235494b

  arm architecture (ARM)

     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum:   469664 291969d97b32582ad427f2464a5f9f50
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum:  1349424 61b9f52a86711594c7f9e7135e2ad447
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_arm.deb
      Size/MD5 checksum:   729988 e7751f662ef2a13bc304025995fd1bfa

  i386 architecture (Intel ia32)

     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum:  1288134 430658383c6c37cfafbddd16a492f407
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum:   463668 37e1e010c4eab318a48b8f1de3c73910
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
      Size/MD5 checksum:   724530 82241d5d38dc62b0e4d53f41303e8829
     http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.0_i386.deb
      Size/MD5 checksum:  1272012 0e9c6f0a2fde3e72eb4b3c88e57ad9fa

  m68k architecture (Motorola Mc680x0)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum:   721394 176c598a45a1ba9bbc459bd8d2b014d2
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum:  1263214 cf1a25df58c5b14101fc56896ed9d51c
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_m68k.deb
      Size/MD5 checksum:   451000 627bd347ab6ca780e6dea2b34f2e3e3d

  powerpc architecture (PowerPC)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum:   726946 26d2b2b6314750c7f78efd7617ad4f91
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum:  1385054 1d02c03f2edc5de1fbcd7e1563227723
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_powerpc.deb
      Size/MD5 checksum:   503900 cebc7e59bb5e812491b4542e803d4642

  sparc architecture (Sun SPARC/UltraSPARC)

     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum:  1342800 18dcc49e3ab9b43c54ff4bf07a73057b
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum:   483834 3811f4b7b3fd20c9cd8f3896106aeede
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_sparc.deb
      Size/MD5 checksum:   738500 b9eeca8cca46d187f0bb8791af95ad7b

Debian 3.0 (woody)
- -------------------

  woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

  Source archives:

     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.1.dsc
      Size/MD5 checksum:      731 6ee81367f6726dd6e793e0a28f2dab2f
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc
     http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
      Size/MD5 checksum:  1892089 99d22f1d4d23ff8b927f94a9df3997b4
     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
      Size/MD5 checksum:  1570392 72544daea16d6c99d656b95f77b01b2d
     http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.dsc
      Size/MD5 checksum:      738 8db01015b7c3c6b1fab8a509a8d32362
     http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.diff.gz
      Size/MD5 checksum:    38440 812dd2074b1eb8f2764621d12db77140
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.dsc
      Size/MD5 checksum:      739 753ca9446c2f3bc658df80a8668d69a5
     http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.1.diff.gz
      Size/MD5 checksum:    44476 fad8a823c2455b4089bf9fdececf1c19
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
      Size/MD5 checksum:    42477 92e89d405fb0291efa45d3f260fbd1b4

  alpha architecture (DEC Alpha)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum:   735734 e8ddba4a00d37834de2301a36daf8893
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum:   570688 104d1b40056d53f6b3164cff39a637c5
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_alpha.deb
      Size/MD5 checksum:  1550806 e137ab248541f6fdfa311744925197b7

  hppa architecture (HP PA RISC)

     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum:   564336 c33d5269f29184ddd5f5f37435db3b20
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum:  1434386 22c4cb54eb0345d5232e00315b1d707b
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_hppa.deb
      Size/MD5 checksum:   741436 51ae4ce9e126f4f1e16388a9e03bd929

  i386 architecture (Intel ia32)

     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum:  1290394 2ef22ed5e2f75a5afd57bc7f5579b668
     http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
      Size/MD5 checksum:   400108 495f381e41694087d0e02536044b4d1e
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum:   461228 4c36f0b42fb7b0fc3a576477f4812378
     http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.1_i386.deb
      Size/MD5 checksum:   357956 6cc8232971ff8c4e027cbd3b5552af8d
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_i386.deb
      Size/MD5 checksum:   722756 4f962685c00e0f360008909c34253f32

  ia64 architecture (Intel ia64)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum:   763312 f68f750b3211243654eec890b01c8e7a
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum:  1615968 e0a890a89e6d44d8a3be8594ea507202
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_ia64.deb
      Size/MD5 checksum:   710314 47bf40e6683690237b9b307232f9b0dd

  m68k architecture (Motorola Mc680x0)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum:   719876 7b86c3e93997f78a058c8d51148e5542
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum:  1266008 db905314e8947748d60454b7b7fdc565
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_m68k.deb
      Size/MD5 checksum:   450170 4dec6cc106d48a1011ba7bec1b2ec61a

  mips architecture (MIPS (Big Endian))

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum:   717336 9aa8a5ff7c3cb422f40f8797e0b97b7f
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum:   483018 61b96d689c3794af43a881c1d064fd8f
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mips.deb
      Size/MD5 checksum:  1415606 321c34c11f7b52d630548a81a84c1f1f

  mipsel architecture (MIPS (Little Endian))

     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum:   476042 abcbbf8c13cde643076407d539cd483e
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum:   716572 8925b769c4ef248a6aa5dc71173115fd
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mipsel.deb
      Size/MD5 checksum:  1409496 230cf7fd06f5fe8afaef1bd291777cc6

  powerpc architecture (PowerPC)

     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum:   726188 8835e23596eee551da6f1b0c9036e339
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum:  1386308 16b4a447219eb1c284fb8e4f2eef757b
     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_powerpc.deb
      Size/MD5 checksum:   501886 e343898ad82ab2e88f35903274525152

  sparc architecture (Sun SPARC/UltraSPARC)

     http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum:   484190 242d5e36cbf18033d04a26cfd3cdc861
     http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum:  1343610 a578dbc5193884a284e9bf930607036f
     http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_sparc.deb
      Size/MD5 checksum:   736668 1bcdd2bbce3bff5115c4f3b9774aea30

- ------------------------------------------------------------------------
For apt-get: deb  http://security.debian.org/ stable/updates main
For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and  http://packages.debian.org/<pkg>
