OpenSSL servers contain a buffer overflow during the SSL2 handshake process

2002-07-30T00:00:00
ID VU:102795
Type cert
Reporter CERT
Modified 2002-09-30T20:51:00

Description

Overview

OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol. A remotely exploitable vulnerability exists in OpenSSL servers that could lead to the execution of arbitrary code on the server.

Description

Versions of OpenSSL servers prior to 0.9.6e and the pre-release version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. A client can trigger it by sending a malformed key during the handshake of an SSLv2 connection to an SSL server.
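The defect described above is a length field in the SSLv2 CLIENT-MASTER-KEY message that the server trusts when copying the field into a fixed-size session buffer. The following is an added example, not OpenSSL's code, of a parser for that message with the bounds checks a server needs before each copy; the message layout is the SSL 2.0 draft's, while the buffer sizes (48-byte clear key, 8-byte key argument) and the CIPHER-KIND value used in the constructed test records are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SSLv2 CLIENT-MASTER-KEY layout (SSL 2.0 draft): 1-byte message type,
 * 3-byte CIPHER-KIND, three 16-bit big-endian lengths (clear key, encrypted
 * key, key argument), then the three variable-length fields in that order. */
#define MSG_CLIENT_MASTER_KEY 0x02
#define CMK_HEADER_LEN        10

/* Assumed sizes of the fixed session buffers the fields are copied into
 * (illustrative; what matters is that they are fixed and the lengths are not). */
#define MAX_CLEAR_KEY_LEN 48
#define MAX_KEY_ARG_LEN   8

enum cmk_status {
    CMK_OK = 0,
    CMK_ERR_HEADER,          /* record too short or wrong message type */
    CMK_ERR_LENGTH_MISMATCH, /* declared field lengths do not add up to the record */
    CMK_ERR_CLEAR_KEY,       /* CLEAR-KEY-LENGTH larger than its buffer */
    CMK_ERR_KEY_ARG          /* KEY-ARG-LENGTH larger than its buffer */
};

struct cmk {
    uint8_t cipher_kind[3];
    uint8_t clear_key[MAX_CLEAR_KEY_LEN];
    size_t clear_key_len;
    const uint8_t *enc_key; /* left in the record; the server decrypts it later */
    size_t enc_key_len;
    uint8_t key_arg[MAX_KEY_ARG_LEN];
    size_t key_arg_len;
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Parse one CLIENT-MASTER-KEY record of len bytes into *out. The unsafe
 * pattern behind the overflow in this note is to take KEY-ARG-LENGTH from the
 * client and memcpy that many bytes into the fixed key_arg array; here every
 * client-supplied length is checked against its destination before any copy. */
enum cmk_status parse_client_master_key(const uint8_t *msg, size_t len,
                                        struct cmk *out)
{
    if (len < CMK_HEADER_LEN || msg[0] != MSG_CLIENT_MASTER_KEY)
        return CMK_ERR_HEADER;
    size_t clear_len = be16(msg + 4);
    size_t enc_len   = be16(msg + 6);
    size_t arg_len   = be16(msg + 8);

    /* Three 16-bit values cannot overflow size_t, so summing them is safe;
     * the sum must account for exactly the bytes that follow the header. */
    if (clear_len + enc_len + arg_len != len - CMK_HEADER_LEN)
        return CMK_ERR_LENGTH_MISMATCH;
    /* Bound each copy by its destination, not by what the client declared. */
    if (clear_len > MAX_CLEAR_KEY_LEN)
        return CMK_ERR_CLEAR_KEY;
    if (arg_len > MAX_KEY_ARG_LEN)
        return CMK_ERR_KEY_ARG;

    memset(out, 0, sizeof *out);
    memcpy(out->cipher_kind, msg + 1, 3);
    const uint8_t *p = msg + CMK_HEADER_LEN;
    memcpy(out->clear_key, p, clear_len);
    out->clear_key_len = clear_len; p += clear_len;
    out->enc_key = p; out->enc_key_len = enc_len; p += enc_len;
    memcpy(out->key_arg, p, arg_len);
    out->key_arg_len = arg_len;
    return CMK_OK;
}

/* Build a CLIENT-MASTER-KEY record with the given field lengths (payload is
 * filler) into buf; returns its length, or 0 if it does not fit. This is
 * constructed test input, not captured traffic. */
size_t encode_cmk(uint8_t *buf, size_t cap, size_t clear_len, size_t enc_len,
                  size_t arg_len)
{
    size_t total = CMK_HEADER_LEN + clear_len + enc_len + arg_len;
    if (total > cap || clear_len > 0xFFFF || enc_len > 0xFFFF || arg_len > 0xFFFF)
        return 0;
    buf[0] = MSG_CLIENT_MASTER_KEY;
    buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x80; /* CIPHER-KIND (illustrative) */
    buf[4] = (uint8_t)(clear_len >> 8); buf[5] = (uint8_t)clear_len;
    buf[6] = (uint8_t)(enc_len >> 8);   buf[7] = (uint8_t)enc_len;
    buf[8] = (uint8_t)(arg_len >> 8);   buf[9] = (uint8_t)arg_len;
    memset(buf + CMK_HEADER_LEN, 0xAA, total - CMK_HEADER_LEN);
    return total;
}

/* Encode a record with the given lengths, drop `drop` trailing bytes to
 * simulate a short record, and parse what is left. */
enum cmk_status run_case(size_t clear_len, size_t enc_len, size_t arg_len,
                         size_t drop)
{
    uint8_t buf[1024]; struct cmk s;
    size_t n = encode_cmk(buf, sizeof buf, clear_len, enc_len, arg_len);
    if (n == 0 || drop > n)
        return CMK_ERR_HEADER;
    return parse_client_master_key(buf, n - drop, &s);
}
```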


Impact

Exploitation of this vulnerability could lead to the execution of arbitrary code on the server. The code will be executed with the privileges of the application or service exploited via this vulnerability.


Solution

Administrators of OpenSSL servers should apply the patches provided by their vendors, or upgrade to OpenSSL 0.9.6e. Note that applications statically linked against OpenSSL libraries may need to be recompiled with the corrected version of OpenSSL.


As a workaround, servers can disable SSLv2, or all applications using SSL or TLS can be disabled, until the patches are applied.


Vendor Information


Apple Computer Inc. (Affected)

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

The vulnerabilities described in this note are fixed with Security Update 2002-08-02.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Covalent (Affected)

Notified: July 30, 2002 Updated: September 17, 2002

Status

Affected

Vendor Statement

Covalent Technologies has been informed by RSA Security that the BSAFE libraries used in Covalent's SSL implementations are potentially vulnerable to the SSL V2 negotiation issue detailed in VU#102795 and the related CA-2002-23 and CA-2002-27 advisories. All Covalent products using SSL are affected. Covalent has product updates and additional information available at:

<http://www.covalent.net/products/rotate.php?page=110>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian (Affected)

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Please see <http://www.debian.org/security/2002/dsa-136>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

------------------------------------------------------------------------
Debian Security Advisory DSA-136-1                   security@debian.org
<http://www.debian.org/security/>                       Wichert Akkerman
July 30, 2002

Package        : openssl
Problem type   : multiple remote exploits
Debian-specific: no
CVE            : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII representations of integers on 64 bit platforms. CAN-2002-0656 references buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated exploit code for this issue. CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.0, openssl095_0.9.5a-6.woody.0 and openssl_0.9.6c-2.woody.0.

These vulnerabilities are also present in Debian 2.2 (potato), but no fix is available at this moment.

We recommend you upgrade your OpenSSL as soon as possible. Note that you should restart any daemons running SSL. (E.g., ssh or ssl-enabled apache.)

------------------------------------------------------------------------
Obtaining updates:

By hand: wget URL will fetch the file for you. dpkg -i FILENAME.deb will install the fetched file.

With apt: deb <http://security.debian.org/> stable/updates main added to /etc/apt/sources.list will provide security updates.

Additional information can be found on the Debian security webpages at <http://www.debian.org/security/>
------------------------------------------------------------------------

Debian 3.0 (stable)

Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
--
Debian Security team <team@security.debian.org>
<http://www.debian.org/security/>
Mailing-List: debian-security-announce@lists.debian.org



Gentoo Linux (Affected)

Updated: August 09, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT

PACKAGE : openssl
SUMMARY : denial of service / remote root exploit
DATE    : 2002-07-30 16:15:00
--------------------------------------------------------------------

OVERVIEW

Multiple potentially remotely exploitable vulnerabilities have been found in OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (<http://www.neohapsis.com/>) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The full advisory can be read at <http://www.openssl.org/news/secadv_20020730.txt>

SOLUTION

It is recommended that all Gentoo Linux users update their systems as follows.

emerge --clean rsync
emerge openssl
emerge clean

After the installation of the updated OpenSSL you should restart the services that use OpenSSL, which include such common services as OpenSSH, SSL-enabled POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.

Also, if you have an application that is statically linked to openssl you will need to re-emerge that application to build it against the new OpenSSL.
--------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org


Guardian Digital (Affected)

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

See <http://www.linuxsecurity.com/advisories/other_advisory-1338.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   July 30, 2002 |
| <http://www.engardelinux.org/>                        ESA-20020730-019 |
|                                                                        |
| Packages: openssl, openssl-misc                                        |
| Summary: several vulnerabilities in the openssl library.               |
+------------------------------------------------------------------------+

EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools.

OVERVIEW

There are several potentially exploitable vulnerabilities in the OpenSSL toolkit. A security review of OpenSSL is being done by A.L. Digital Ltd and The Bunker (<http://www.thebunker.net/>) under the DARPA program CHATS. Through this review, the following vulnerabilities were discovered:

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (<http://www.neohapsis.com/>) who have also demonstrated that the vulnerability is exploitable.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
4. The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0655 to issue 3, and CAN-2002-0659 to issue 4.

SOLUTION

Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically.

EnGarde Community users should upgrade to the most recent version as outlined in this advisory. Updates may be obtained from:

<ftp://ftp.engardelinux.org/pub/engarde/stable/updates/>
<http://ftp.engardelinux.org/pub/engarde/stable/updates/>

Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.

To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL

To install the updated package, execute the command:
# rpm -Uvh files

You must now update the LIDS configuration by executing the command:
# /usr/sbin/config_lids.pl

To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL

To verify the signatures of the updated packages, execute the command:
# rpm -Kv files

UPDATED PACKAGES

These updated packages are for EnGarde Secure Linux Community Edition.
REFERENCES

Guardian Digital's public key:
<http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY>

OpenSSL's Official Web Site:
<http://www.openssl.org/>

Security Contact: security@guardiandigital.com
EnGarde Advisories: <http://www.engardelinux.org/advisories.html>
--------------------------------------------------------------------------
$Id: ESA-20020730-019-openssl,v 1.2 2002/07/30 12:05:04 rwm Exp $

Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2002, Guardian Digital, Inc.


Hewlett-Packard Company (Affected)

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Support Information Digests


Digest Name: daily HP Secure OS Software for Linux security bulletins digest
Created: Wed Aug 7 3:00:03 PDT 2002

Table of Contents:

Document ID       Title
HPSBTL0207-055    Security vulnerability in openssl (ref. 1)

The documents are listed below.

Document ID: HPSBTL0207-055
Date Loaded: 20020730
Title: Security vulnerability in openssl (ref. 1)
TEXT

---------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBTL0207-055
Originally issued: 30 July '02
Rev. 1 06 August '02

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from the customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

Because the vulnerability does not require an HP Secure OS 1.0 patch or re-packaging of the RPM affected by the bulletin, the RPMs have not been produced or tested by Hewlett-Packard Company.
---------------------------------------------------------------
PROBLEM: Updated OpenSSL packages fix several vulnerabilities
PLATFORM: Any system running HP Secure OS Software for Linux Release 1.0
DAMAGE: Potential for remotely exploitable buffer overflow
SOLUTION: Apply the appropriate RPMs (see section B below)
MANUAL ACTIONS: None
AVAILABILITY: The RPMs are available now.
CHANGE SUMMARY: Rev. 1 Updated OpenSSL packages are available (RHSA-2002:160)

A. Background
OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. A security audit of the OpenSSL code sponsored by DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7 and 0.9.6d and earlier.

Rev. 1
>>> Additional OpenSSL security vulnerabilities were found, corrected and updated in the RPM packages previously made available under Red Hat Security Advisory number RHSA-2002:155.

B. Fixing the problem
Hewlett-Packard Company recommends that customers install the RPMs listed in the following Red Hat Security Advisory in the section labeled "Red Hat Linux 7.1 i386".

** Rev. 1 ** >>> 2002-08-05 RHSA-2002:160 Updated openssl packages fix protocol parsing bugs
>>> <http://rhn.redhat.com/errata/RHSA-2002-160.html>

To install the security bulletin RPMs, use the following sequence of commands:

1. If you use the tripwire product, we recommend that you run a consistency check and fix any violations before installing the security bulletin RPM.
   tripwire --check --interactive
2. Install the bulletin RPM from the root account.
   rpm -F <bulletin RPM name>
3. Update the tripwire database
   tripwire --check --interactive

NOTE: The rpm -q <package name> command can be used to determine if the package is installed. Hewlett-Packard Company recommends applying the Security Bulletin fixes to installed packages only. The -F option to the RPM installer will only apply the fix if the package is currently installed on the system. Dependent RPMs can be found by using the "Find Latest RPMs" search facility at <http://www.redhat.com/apps/download>. To find the latest dependent RPM enter the RPM's name in the "By Keyword" box.


D. To report new security vulnerabilities, send email to security-alert@hp.com

Please encrypt any exploit information using the security-alert PGP key, available from your local key server. You may also get the security-alert PGP key by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this bulletin to Hewlett-Packard Company (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.

-----End of Document ID: HPSBTL0207-055--------------------------------------


IBM (Affected)

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

IBM's AIX operating system does not ship with OpenSSL; however, OpenSSL is available for installation on AIX via the Linux Affinity Toolkit. The version included on the Toolkit CD is vulnerable to the issues discussed here, as well as the version of OpenSSL available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to upgrade to the new version available from the website. This will be available within the next few days and can be downloaded from

<http://www6.software.ibm.com/dl/aixtbx/aixtbx-p>

This site contains Linux Affinity applications using cryptographic algorithms. New users to this site are asked to register first.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Juniper Networks (Affected)

Updated: August 16, 2002

Status

Affected

Vendor Statement

Juniper has determined that our JUNOS Internet software (on M- and T-series routers) and the software running on our SDX and SSC products are potentially susceptible to the security vulnerabilities in OpenSSL. Corrected software images will be available for customer download shortly.

Software for our G10 CMTS product and our ERX products is unaffected by these vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft (Affected)

Updated: September 23, 2002

Status

Affected

Vendor Statement

Mandrake Linux update advisory MDKSA-2002:046-1 fixes all of these issues in OpenSSL. Please see

<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-046-1.php>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD (Affected)

Notified: July 29, 2002 Updated: September 23, 2002

Status

Affected

Vendor Statement

Please see <ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


NetBSD Security Advisory 2002-009
(updated 2002/9/22)

Topic:    Multiple vulnerabilities in OpenSSL code
Version:  NetBSD-current: source prior to August 10, 2002
          NetBSD-1.6 beta: affected
          NetBSD-1.5.3: affected
          NetBSD-1.5.2: affected
          NetBSD-1.5.1: affected
          NetBSD-1.5: affected
          NetBSD-1.4.*: not applicable
          pkgsrc: prior to openssl-0.9.6f
Severity: Potential for remote root exploit
Fixed:    NetBSD-current: August 10, 2002
          NetBSD-1.6 branch: August 11, 2002 (1.6 includes the fix)
          NetBSD-1.5 branch: August 31, 2002
          pkgsrc: openssl-0.9.6f (or later)

NOTE: previous advisory had fixed dates prior to August 10. There were errors found in the vendor-supplied fix, therefore the fixed dates were modified. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch was fixed on August 1, however the fix was found to be insufficient. Therefore, users of 1.5 should apply the fix presented in this revised advisory. Sorry for the confusion and thanks for the patience.

NOTE: previous revision of advisory suggested that 1.5 branch can be fixed by rebuilding part of the source code tree (shared library). However, it was incorrect. Follow the instruction below and perform a full build. Sorry for the confusion and thanks for the patience.

Abstract

There are multiple vulnerabilities found in openssl 0.9.6e and prior releases. There are four remotely-exploitable buffer overruns in SSL2/3 code. The ASN1 parser can be confused by invalid encodings (SSL/TLS code affected).

None of these services are enabled by default in NetBSD, however, by enabling services built with these libraries, a system would become vulnerable.

From the OpenSSL advisory:
"Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable."

After the above advisory was published,
- 0.9.6e was found to be vulnerable, and 0.9.6f was released.
- 0.9.6f had some build framework errors, and 0.9.6g was released.

The NetBSD fix includes OpenSSL 0.9.6g.

Technical Details

<http://www.openssl.org/news/secadv_20020730.txt>
<http://CERT.Uni-Stuttgart.DE/advisories/c-integer-overflow.php>

Solutions and Workarounds

The recent NetBSD 1.6 release is not vulnerable to this issue. A full upgrade to NetBSD 1.6 is the recommended resolution for all users able to do so. Many security-related improvements have been made, and indeed this release has been delayed several times in order to include fixes for a number of recent issues.

The following instructions describe how to upgrade your libcrypto/libssl binaries by updating your source tree and rebuilding and installing a new version of libcrypto/libssl.

Be sure to restart running instances of programs that use crypto libraries (like sshd) after upgrading shared libraries.

If you have any statically-linked binaries that linked against a vulnerable libcrypto and/or libssl, you need to recompile them.

* NetBSD-current:
Systems running NetBSD-current dated from before 2002-08-10 should be upgraded to NetBSD-current dated 2002-08-10 or later.
The following directories need to be updated from the netbsd-current CVS branch (aka HEAD):
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libcrypto
    lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P crypto/Makefile.openssl crypto/dist/openssl \
        lib/libcrypto lib/libssl
    # make includes
    # cd lib/libcrypto
    # make cleandir dependall
    # make install
    # cd ../../lib/libssl
    # make cleandir dependall
    # make install

* NetBSD 1.6 beta:
Systems running NetBSD 1.6 BETAs and Release Candidates should be upgraded to the NetBSD 1.6 release.
If a source-based point upgrade is required, sources from the NetBSD 1.6 branch dated 2002-08-11 or later should be used.
The following directories need to be updated from the netbsd-1-6 CVS branch:
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libcrypto
    lib/libssl
To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P -r netbsd-1-6 crypto/Makefile.openssl \
        crypto/dist/openssl lib/libcrypto lib/libssl
    # make includes
    # cd lib/libcrypto
    # make cleandir dependall
    # make install
    # cd ../../lib/libssl
    # make cleandir dependall
    # make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD-1.5.x dated from before 2002-08-31 should be upgraded to the NetBSD-1.5 branch dated 2002-08-31 or later.
The following directories need to be updated from the netbsd-1-5 CVS branch. Due to the shlib major bump in libcrypto/libssl, a large number of shared libraries has to be rebuilt:
    crypto/Makefile.openssl
    crypto/dist/openssl
    lib/libasn1
    lib/libcom_err
    lib/libcrypto
    lib/libgssapi
    lib/libhdb
    lib/libkadm
    lib/libkadm5clnt
    lib/libkadm5srv
    lib/libkafs
    lib/libkdb
    lib/libkrb
    lib/libkrb5
    lib/libkstream
    lib/libroken
    lib/libsl
    lib/libss
    lib/libtelnet
    usr.bin/openssl
All userland tools that use openssl need to be rebuilt, due to the shlib major bump. Therefore, a full rebuild is suggested. Make sure to rebuild all binaries installed by pkgsrc as well.
To update from CVS, re-build, and re-install libcrypto and libssl:
    # cd src
    # cvs update -d -P -r netbsd-1-5 <directories listed above>
    # make build

* NetBSD 1.4, 1.4.1, 1.4.2, 1.4.3:
OpenSSL was not included in the base system in NetBSD-1.4.*. Follow the directions for pkgsrc if you have installed it from pkgsrc.

* pkgsrc:
openssl (pkgsrc/security/openssl) prior to 0.9.6f are vulnerable. Upgrade to openssl-0.9.6f or later; pkgsrc currently contains 0.9.6g at the time of this writing.
Packages which require openssl can be found by running 'pkg_info openssl'. Depending on the method you choose to update pkgsrc packages, a rebuild of the packages on that list may be performed for you by the package system. If you update using the experimental 'make replace' target, you will need to manually update any packages which build static binaries with libssl.a and libcrypto.a.
If you have statically linked binaries in pkgsrc, they have to be rebuilt. Statically linked binaries can be identified by the following command (note: be sure to include the directory you install pkgsrc binaries to, if you've changed LOCALBASE from the default of /usr/pkg); the glob is needed because file(1) reports a bare directory argument simply as "directory":
    file /usr/pkg/{bin,sbin,libexec}/* | grep static

Thanks To

A.L. Digital Ltd and John McDonald of Neohapsis.
Adi Stav and James Yonan.
CERT and the OpenSSL team.
Jun-ichiro itojun Hagino for maintenance of OpenSSL in the NetBSD
source tree, and preparing the initial advisory text.
The NetBSD Release Engineering teams, for great patience and
assistance in dealing with repeated security issues discovered
recently.

Revision History

2002-08-01  Initial release based on 0.9.6e
2002-08-11  Based on 0.9.6f
2002-08-31  1.5 pullup done, 0.9.6g
2002-09-16  Re-release with updated information

More Information

An up-to-date PGP signed copy of this release will be maintained at
<ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc>
Information about NetBSD and NetBSD security can be found at
<http://www.NetBSD.ORG/> and <http://www.NetBSD.ORG/Security/>.

Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-009.txt,v 1.39 2002/09/23 01:57:19 itojun Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPY51AD5Ru2/4N2IFAQEjJQP9GumaWgktTcobgsO+3Iq+x0Adg/fTMZ4r
hUPQNT1wTAFep9iSGJz+f8G4CvJjvbzplHhvcjPL14zbs+8U/cZhjeeLibJKgoCt
7Hwu9QLq12x0VlUoj0G1HJSQFKBO/+zFvCSxF1M/+pldOv6mfoEHygBM/xoRPHUI
z5G1Uv/irT8=
=ELua
-----END PGP SIGNATURE-----
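The NetBSD instructions above end with a point that is easy to get wrong in practice: replacing libcrypto/libssl on disk does nothing for programs that are already running, which keep executing the old copy until they are restarted. The following shell function is an added example, not part of the NetBSD advisory or of NetBSD's own tooling. It assumes a Linux-style layout of /proc/<pid>/maps and /proc/<pid>/comm (on NetBSD the same information comes from tools such as fstat or pmap, so that file layout is an assumption), and it lists every process that still has a library matching a pattern mapped, marking mappings whose file was replaced on disk, which the kernel shows as "(deleted)". The optional second argument points it at a different directory with the same layout, so it can be exercised against constructed data.

```shell
#!/bin/sh
# Added example (not from the NetBSD advisory): after replacing the shared
# libcrypto/libssl, find processes that still run the OLD copy.
# Assumes Linux-style /proc/<pid>/maps and /proc/<pid>/comm files; PROC_ROOT
# may point at any directory with the same layout (e.g. constructed test data).

# stale_lib_users PATTERN [PROC_ROOT]
# Prints one line per (process, library) pair whose mapped path matches
# PATTERN (an awk extended regex):  "<pid> <comm> <path> <stale|current>"
# "stale" means the kernel marks the mapping "(deleted)": the file was
# replaced by the upgrade, but the process still executes the old code and
# must be restarted.  Returns 1 if any stale mapping was found, else 0.
stale_lib_users() {
    pattern=$1
    proc_root=${2:-/proc}
    report=$(
        for maps in "$proc_root"/[0-9]*/maps; do
            [ -r "$maps" ] || continue      # no such dir, or not ours to read
            dir=${maps%/maps}
            pid=${dir##*/}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            # maps columns: address perms offset dev inode pathname [(deleted)]
            # A library is mapped in several segments (text, rodata, data);
            # report each (path, state) once per process.
            awk -v pat="$pattern" -v pid="$pid" -v comm="$comm" '
                NF >= 6 && $6 ~ pat {
                    state = ($NF == "(deleted)") ? "stale" : "current"
                    key = $6 " " state
                    if (!(key in seen)) { seen[key] = 1; print pid, comm, $6, state }
                }' "$maps"
        done | sort -u
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q ' stale$'; then
        return 1
    fi
    return 0
}

# Stand-alone use on a live Linux host, e.g.:
#   sh stale_lib_users.sh 'lib(ssl|crypto)[.]so'
# A non-zero exit means at least one service still needs a restart.
if [ "$#" -ge 1 ]; then
    stale_lib_users "$1" "${2:-/proc}"
fi
```

The "(deleted)" marker is the reliable signal here: a process whose mapping still points at a current file was started after the upgrade (or the library it uses was never replaced), so the function reports it as "current" rather than nagging about every SSL-using daemon on the host. Statically linked binaries never show a libssl mapping at all, which is exactly why the advisory asks for them to be found separately and rebuilt.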


OpenLDAP: Affected

Notified: July 30, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Rebuilding OpenLDAP with updated versions of OpenSSL should adequately address reported issues. Those using packaged versions of OpenLDAP should contact the package distributor for update information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenPKG: Affected

Updated: August 09, 2002

Status

Affected

Vendor Statement

See <http://www.openpkg.org/security/OpenPKG-SA-2002.008-openssl.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
<http://www.openpkg.org/security.html>            <http://www.openpkg.org>
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.008                                          30-Jul-2002


Package:             openssl
Vulnerability:       denial of service / remote root exploit
OpenPKG Specific:    no

Affected Releases:   OpenPKG 1.0                OpenPKG CURRENT
Affected Packages:   <= openssl-0.9.6b-1.0.0    <= openssl-0.9.6d
Corrected Packages:  >= openssl-0.9.6b-1.0.1    >= openssl-0.9.6e

Dependent Packages:  OpenPKG 1.0:     apache, curl, fetchmail, imapd, inn,
                                      links, lynx, mutt, openldap, openssh,
                                      perl-ssl, postfix, postgresql, qpopper,
                                      samba, sasl, scanssh, sendmail, siege,
                                      sitecopy, snmp, stunnel, tcpdump, w3m
                     OpenPKG CURRENT: apache, bind, cadaver, cpu, curl, dsniff,
                                      exim, fetchmail, imapd, inn, links, lynx,
                                      mutt, neon, openldap, openssh, openvpn,
                                      perl-ssl, postfix, postgresql, qpopper,
                                      rdesktop, samba, sasl, scanssh, sendmail,
                                      siege, sitecopy, snmp, stunnel, sysmon,
                                      tcpdump, w3m

Description:
According to an official security advisory from the OpenSSL team,
there are four remotely exploitable buffer overflows that affect
various OpenSSL client and server implementations [5]. There are
also parsing problems in the ASN.1 library used by OpenSSL. The
Common Vulnerabilities and Exposures (CVE) project assigned the
ids CAN-2002-0655 [6], CAN-2002-0656 [7], CAN-2002-0657 [8] and
CAN-2002-0659 [9] to the problems. Several of these vulnerabilities
could be used by a remote attacker to execute arbitrary code on the
target system. All could be used to create a denial of service.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution). Additionally, you have to rebuild and reinstall all
dependent OpenPKG packages, too. [2]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[4], fetch it from the OpenPKG FTP service [3] or a mirror location,
verify its integrity [1], build a corresponding binary RPM from it
and update your OpenPKG installation by applying the binary RPM [2].
For the latest OpenPKG 1.0 release, perform the following operations
to permanently fix the security problem (for other releases adjust
accordingly).
    $ ftp ftp.openpkg.org
    ftp> bin
    ftp> cd release/1.0/UPD
    ftp> get openssl-0.9.6b-1.0.1.src.rpm
    ftp> bye
    $ <prefix>/bin/rpm --checksig openssl-0.9.6b-1.0.1.src.rpm
    $ <prefix>/bin/rpm --rebuild openssl-0.9.6b-1.0.1.src.rpm
    $ su -
    # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.6b-1.0.1.*.rpm

Now proceed and rebuild and reinstall all dependent OpenPKG packages,
too (see list above).


References:
[1] <http://www.openpkg.org/security.html#signature>
[2] <http://www.openpkg.org/tutorial.html#regular-source>
[3] <ftp://ftp.openpkg.org/release/1.0/UPD/>
[4] <ftp://ftp.openpkg.org/release/1.0/UPD/openssl-0.9.6b-1.0.1.src.rpm>
[5] <http://www.openssl.org/news/secadv_20020730.txt>
[6] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655>
[7] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659>


For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
<http://www.openpkg.org/openpkg.pgp> or on <http://keyserver.pgp.com/>. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (<http://www.gnupg.org/>). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".


-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>
iEYEARECAAYFAj1GjigACgkQgHWT4GPEy5+F4wCgu8B6yxJsB6Lu7bygw9FKUAhH
4xsAoKTteo/qotFgoki3JYpuGufyp4vL
=k9ol
-----END PGP SIGNATURE-----


OpenSSL: Affected

Notified: July 22, 2002 Updated: July 30, 2002

Status

Affected

Vendor Statement

Please see <http://www.openssl.org/news/secadv_20020730.txt>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Oracle: Affected

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Please see <http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002

OpenSSL Security Vulnerability

Products affected:

Oracle HTTP Server (OHS) shipped with the database up to and
including version 9.2.0.
Oracle9iAS versions earlier than 9.0.2, including all versions
1.0.2.x.
CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1,
3.1.2, and 3.3 on Windows 98, NT, 2K, XP.

Description:

There are remotely exploitable buffer overflow vulnerabilities in
OpenSSL versions prior to 0.9.6e.
These vulnerabilities may allow a remote attacker to execute
arbitrary code or perform a denial-of-service (DoS) attack.

These problems are described in the OpenSSL Security Advisory [30
July 2002]:

[25] <http://www.openssl.org/news/secadv_20020730.txt>

These problems are also described in CERT Advisory CA-2002-23:

[26] <http://www.cert.org/advisories/CA-2002-23.html>

Workarounds:

There are no workarounds against the potential denial-of-service
attack. Disabling SSL should prevent remote execution of code.

Users of Corporate Time Outlook Connector can disable TLS by adding
the following section to the CTOC.INI file:
[CTOC]
allow-tls=FALSE

NOTE:

Disabling SSL or TLS will result in data being transmitted in the
clear (i.e. unencrypted), including passwords when using Basic
Authentication.

Patch Information:

Patches will be made available on MetaLink for Patch 2492925 as
scheduled in the following table:
Product     Download  Release    Solaris   NT        HPUX      Linux     AIX       TRU64
iAS 1022    OHS       .3.19      08/09/02  08/09/02  08/15/02  08/15/02  08/15/02  08/15/02
iAS 1021    OHS       1.3.12     08/08/02  08/08/02  08/09/02  08/09/02  08/09/02  08/09/02
iAS 1021s   OHS       1.0.2.1s   08/08/02  08/08/02  08/12/02  08/12/02  08/12/02  08/12/02
iAS 102     iAS       1.0.2      08/09/02  08/09/02  08/14/02  08/14/02  08/14/02  08/14/02
RDBMS 9.2   Oracle    9.2.0.0    08/08/02  08/08/02  08/08/02  08/08/02  08/08/02  08/08/02
RDBMS 901   Oracle    9.0.1.0    08/09/02  08/09/02  08/13/02  08/13/02  08/13/02  08/13/02
RDBMS 817   Oracle    8.1.7.0    08/09/02  08/09/02  08/16/02  08/16/02  08/16/02  08/16/02

Upgrade Information:

New releases of the Corporate Time Outlook Connector will address
this vulnerability.
The following releases are scheduled to be released around 16
August, 2002:
1. CorporateTime Outlook Connector 3.3.1
2. Oracle Outlook Connector 3.4

Copyright © 2002, Oracle Corporation. All rights reserved.

References

25. <http://www.openssl.org/news/secadv_20020730.txt>
26. <http://www.cert.org/advisories/CA-2002-23.html>
27. <http://otn.oracle.com/contact>
28. <http://www.oracle.com/html/index.html?copyright.html>
29. <http://www.oracle.com/html/index.html?privacy.html>


RSA Security: Affected

Updated: September 13, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.rsasecurity.com/products/bsafe/bulletins/BSAFE_SSL_Products_Security_Bulletin_Aug_8_2002.pdf>



Red Hat Inc.: Affected

Notified: July 29, 2002 Updated: August 09, 2002

Status

Affected

Vendor Statement

Red Hat distributes affected versions of OpenSSL in all Red Hat Linux distributions as well as the Stronghold web server. Red Hat Linux errata packages that fix the above vulnerabilities (CAN-2002-0655 and CAN-2002-0656) are available from the URL below. Users of the Red Hat Network are able to update their systems using the 'up2date' tool. A future update will fix the potential remote DOS in the ASN.1 encoding (CAN-2002-0659).

<http://rhn.redhat.com/errata/RHSA-2002-155.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Secure Computing Corporation: Affected

Updated: September 30, 2002

Status

Affected

Vendor Statement

In response to the CERT Advisory CA-2002-23, Secure Computing has posted a software patch for all users of the SafeWord PremierAccess version 3.1 authentication system. All existing and new customers are advised to download and apply PremierAccess Patch 1. Patch 1 (3.1.0.01) is available for immediate web download at

<http://www.securecomputing.com/index.cfm?skey=1109>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE: Affected

Updated: September 23, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

Package:                openssl/Slapper worm
Announcement-ID:        SuSE-SA:2002:033
Date:                   Thu Sep 19 2002
Affected products:      7.0, 7.1, 7.2, 7.3, 8.0
                        SuSE Linux Database Server,
                        SuSE eMail Server III,
                        SuSE eMail Server 3.1,
                        SuSE Linux Enterprise Server,
                        SuSE Linux Firewall on CD,
                        SuSE Linux Enterprise Server 7
                        SuSE Linux Office Server
Vulnerability Type:     buffer overflow
Severity (1-10):        9
SuSE default package:   yes
Cross References:       CVE CAN-2002-0655, CAN-2002-0656, CAN-2002-0659,
                        SuSE-SA:2002:027

Content of this advisory:
    1) vulnerabilities in openssl libraries; Slapper worm
    2) pending vulnerabilities, solutions, workarounds
    3) standard appendix (further information)
______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information
This advisory is issued in an attempt to clarify any issues surrounding the recently discovered Apache/mod_ssl worm.
On July 30, we released a security advisory concerning vulnerabilities in OpenSSL, including a buffer overflow in the SSL code. This vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory <http://www.cert.org/advisories/CA-2002-23.html>) is currently being exploited by a worm called Slapper, propagating through Apache's mod_ssl module.
It is worth noting that even though the worm infects Apache through mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in the OpenSSL library used by mod_ssl.
This also means that Apache may not be the only service vulnerable to an attack via the SSL bug. Similar exploits may be possible against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled services.
As a workaround, it is also possible to disable SSLv2 in mod_ssl (as described in our previous advisory SuSE-SA:2002:027; <http://www.suse.com/de/security/2002_027_openssl.html>), but you should be aware that this does not protect other SSL based servers that may be running on your machine.

We have received numerous inquiries from SuSE users on whether the update packages provided by SuSE as part of SA:2002:027 fix this bug even though they do not contain the latest OpenSSL version recommended in various advisories.
To clarify this, we would like to state that these packages DO FIX the bug exploited by the Slapper worm. Following established policy, we did this by applying a source code patch instead of upgrading to a newer version, because the latter usually causes serious problems for many users (in particular, different versions of OpenSSL libraries are not always API compatible).

However, it turns out that a number of packages were statically linked against OpenSSL libraries:
mod_ssl (SuSE Linux 7.0): We have released rebuilt mod_ssl packages linked against the most recent OpenSSL libraries.
If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl, too.
sendmail-tls (SuSE Linux 7.1, 7.2, 7.3): Sendmail-tls, the SSL enabled version of sendmail, was linked statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security impact of this problem is probably the same as with Apache and mod_ssl.
We are releasing rebuilt packages linked against the most recent OpenSSL libraries.
Sendmail-tls is not part of the default installation profile.
If you are using sendmail-tls, we strongly recommend you upgrade to the latest packages provided on our FTP servers.
openssh (SuSE Linux 7.1, 7.2 and 7.3): Ssh and sshd do not use any SSL functionality, and thus are not susceptible to the type of attack carried out by the Slapper worm.
To date, we are not aware of any way to exploit them. We nevertheless recommend to upgrade to the latest versions provided on our FTP site.
freeswan (SuSE Linux 7.1, 7.2): FreeSWAN includes a utility named fswcert for creating and manipulating X.509 certificates, which is also linked statically against libcrypto.
To date, we are not aware of any way to exploit them. We nevertheless recommend to upgrade to the latest versions provided on our FTP site as soon as they become available (2002 Sep 20).
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
mod_php4: we are preparing an update of mod_php4 addressing various vulnerabilities that have been published recently.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

1) execute the command
       md5sum <name-of-the-file.rpm>
   after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package.
   We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software.
   Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command
       rpm -v --checksig <file.rpm>
   to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an uninstalled rpm package file.
   Prerequisites:
   a) gpg is installed
   b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):
       gpg --batch; gpg < announcement.txt | gpg --import
   SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the toplevel directory of the first CD (pubring.gpg) and at <ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de>.

- SuSE runs two security mailing lists to which any interested party may subscribe:
suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>.
suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.
=====================================================================
SuSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================


The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff
4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d
M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO
QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK
XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE
D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd
G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM
CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE
myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr
YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD
wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d
NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe
QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe
LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t
XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU
D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3
0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot
1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW
cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E
ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f
AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E
Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/
HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h
t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT
tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM
523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q
2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8
QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw
JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ
1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH
ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1
wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY
EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol
0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK
CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co
SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo
omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt
A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE
GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf
ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT
ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8
RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ
8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb
B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X
11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA
8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj
qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM
/3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7
whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl
D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz
dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI
RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI
DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE=
=LRKC
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3in
Charset: noconv
iQEUAwUBPYrQdney5gA9JdPZAQEx+wf1GPGG2o1vDa1V/jqaL6typ0jNlq1Rb8nG
lcI3Dp5V3lKBCOmMkRLdBE6+FNCRaEi6dN001WzJFsAMt4QjxW3Zk3ix8vRwPdgw
1jVSJkh+7yKQttMki7ff2SmmEbVBg+kmnVKq0GRQoOJlVN7L7RdzyjdMyYwnqxRG
T37bZMwgl+76qkZWuVNKwukRYkopb6PT5nszVjSFwcX69yTu+tO5Y0INyHi6dWXY
b8nxN24Lg0DSTgH85bG8fW1Ad02o9Iv7RPS6W1Geu+yq8TgxES9oCZatltU6r4yX
F2AjkRMipCagdHc+aMSCtnoFC3Yes/vySJUE80iTbCy9dno5eJ/a
=pVWJ
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

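SuSE's appendix above (method 1) and Trustix's "MD5sums of the packages" block further down describe the same workflow: the advisory itself is signed, so once its signature has been verified the checksums it carries can be trusted, and each downloaded package is then compared against them. The following shell functions are an added example, not tooling from either vendor. They assume a list file with one "<md5 hex digest> <path>" entry per line (the format of the Trustix block, a leading "./" on the path being tolerated) and that either coreutils md5sum or BSD md5 is on the PATH; verifying the signature on the advisory that the list came from is a separate step this code does not perform.

```shell
#!/bin/sh
# Added example (not part of the SuSE or Trustix advisories): compare
# downloaded update packages against the MD5 list carried by a signed
# advisory.  Assumes the list has one "<md5 hex> <path>" entry per line
# (a leading "./" on the path is tolerated; blank lines and lines starting
# with '#' are skipped) and that md5sum or md5 is available.

# md5_of_file FILE -> hex digest on stdout (coreutils md5sum or BSD md5)
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_advisory_md5sums LISTFILE [BASEDIR]
# Prints one line per entry: "OK <path>", "FAILED <path> ...", "MISSING <path>"
# or "BADLINE ..." for an entry that is not a 32-digit hex digest.
# Exit status: 0 if every present file matched and at least one was checked;
# 1 on any mismatch or malformed entry; 2 if no listed file was found at
# all.  A missing file is reported but is not a failure by itself, because
# an advisory usually lists packages for several releases and you only
# fetch one of them.
verify_advisory_md5sums() {
    listfile=$1
    basedir=${2:-.}
    bad=0
    checked=0
    while read -r expected path _; do
        case "$expected" in ''|'#'*) continue ;; esac
        # Never feed an unexpected token to the comparison: insist on a
        # 32-character hex digest (the advisory text may have been mangled).
        if [ "${#expected}" -ne 32 ]; then
            echo "BADLINE $expected $path"; bad=1; continue
        fi
        case "$expected" in *[!0-9a-fA-F]*)
            echo "BADLINE $expected $path"; bad=1; continue ;;
        esac
        file="$basedir/${path#./}"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"; continue
        fi
        actual=$(md5_of_file "$file")
        checked=$((checked + 1))
        # hex digests compare case-insensitively
        if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
             "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
            echo "OK $path"
        else
            echo "FAILED $path (expected $expected, got $actual)"; bad=1
        fi
    done < "$listfile"
    [ "$bad" -eq 0 ] || return 1
    [ "$checked" -gt 0 ] || return 2
    return 0
}

# Stand-alone use, e.g. after saving the signed advisory's MD5 block to
# md5sums.txt and downloading the packages under ./updates:
#   sh verify_md5sums.sh md5sums.txt ./updates
if [ "$#" -ge 1 ]; then
    verify_advisory_md5sums "$1" "${2:-.}"
fi
```

The exit codes are chosen so the check can gate an automated install: 1 stops the run on any mismatch (a corrupt or altered mirror copy), while 2 catches the case SuSE warns about where the list no longer describes the files on the server, so that "nothing matched" is not silently treated as success.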

Trustix: Affected

Updated: August 09, 2002

Status

Affected

Vendor Statement

See <http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt>, and "Addition to Trustix Secure Linux Bugfix Advisory #2002-0063" below.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0063

Package name:      openssl
Summary:           Multiple security problems
Date:              2002-07-29
Affected versions: TSL 1.1, 1.2, 1.5
--------------------------------------------------------------------------

Problem description:
Several severe security problems have been found in the openssl source code upon which the TSL openssl packages are based. Most of these vulnerabilities have a potential for remote exploitation, even though no exploits are currently released. The upstream development group has provided us with patches that fix the problems.
These issues have been assigned the following CVE names: CAN-2002-0655, CAN-2002-0656, and CAN-2002-0659.

More information:
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656>
<URI: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659>
Action: We recommend that all systems with this package installed are upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location:
All TSL updates are available from
<URI: http://www.trustix.net/pub/Trustix/updates/>
<URI: ftp://ftp.trustix.net/pub/Trustix/updates/>

Automatic updates:
Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.
Get SWUP from: <URI: ftp://ftp.trustix.net/pub/Trustix/software/swup/>

Public testing:
These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailing list. The testing tree is located at
<URI: http://www.trustix.net/pub/Trustix/testing/>
<URI: ftp://ftp.trustix.net/pub/Trustix/testing/>

Questions? Check out our mailing lists: <URI: http://www.trustix.net/support/>

Verification:
This advisory along with all TSL packages is signed with the TSL sign key. This key is available from: <URI: http://www.trustix.net/TSL-GPG-KEY>
The advisory itself is available from the errata pages at <URI: http://www.trustix.net/errata/trustix-1.2/> and <URI: http://www.trustix.net/errata/trustix-1.5/> or directly at <URI: http://www.trustix.net/errata/misc/2002/TSL-2002-0063-openssl.asc.txt>

MD5sums of the packages:


0c51861ce4432c3f669657e2c4971c6f ./1.5/SRPMS/openssl-0.9.6-10tr.src.rpm
eb8a64dba138584b8085aec8d9ccaf0c ./1.5/RPMS/openssl-support-0.9.6-10tr.i586.rpm
9db293f035fbd82a3482ab87d3465eb2 ./1.5/RPMS/openssl-python-0.9.6-10tr.i586.rpm
582d08bb63676a33da1aa89a33a05914 ./1.5/RPMS/openssl-devel-0.9.6-10tr.i586.rpm
2d05569684b868cbacca9e389ded3f0f ./1.5/RPMS/openssl-0.9.6-10tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.2/SRPMS/openssl-0.9.6-3tr.src.rpm
84b50e02167b61a9d3093bcc055c7b45 ./1.2/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
b0c3b99917e1c69f593a74b9989a33f9 ./1.2/RPMS/openssl-0.9.6-3tr.i586.rpm
96053f774317702af40705697a2460d4 ./1.1/SRPMS/openssl-0.9.6-3tr.src.rpm
111d6f3e42c2410a11ac4704036a31ef ./1.1/RPMS/openssl-devel-0.9.6-3tr.i586.rpm
23d4bef487e86dfff1854f3f3c6fd867 ./1.1/RPMS/openssl-0.9.6-3tr.i586.rpm


`

Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

iD8DBQE9RSsqwRTcg4BxxS0RAgv0AJsGLRMNaZ2pmZdE4NRQCLgfRpNLygCdHfkE
3bFFVLoH4NXOBs+mT/i8T4E=
=Ydxh
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Addition to Trustix Secure Linux Bugfix Advisory #2002-0063

Package name:      openssl
Summary:           Restart services
Date:              2002-08-01
Affected versions: TSL 1.1, 1.2, 1.5
- --------------------------------------------------------------------------
Problem description: I really hope all of you have updated the openssl package. :)
Most of you know this already, and I'm sorry I didn't include this in the openssl advisory earlier this week. But here it goes:
Since openssl is a shared library, all services linked against this library must be restarted for the changes to take effect.
The list of services is long and includes (but is not limited to):

  httpd (mod_php4 is linked against libssl)
  httpsd
  simap
  pop3s
  postfix
  postgresql
  smb (maybe also winbind)
  sshd

Action: We recommend that all services that are linked against openssl are restarted.

Get SWUP from: <URI:<ftp://ftp.trustix.net/pub/Trustix/software/swup/>>
Questions? Check out our mailing lists: <URI:<http://www.trustix.net/support/>>
Verification: This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: <URI:<http://www.trustix.net/TSL-GPG-KEY>>

Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see <http://www.gnupg.org>

iD8DBQE9SQ9hwRTcg4BxxS0RAvABAJ4jrAH8CyFLWpcGguZElQgdL88tmgCfXv2Z
AorvR78koxCwr7qGSPbZX+A=
=WAGZ
-----END PGP SIGNATURE-----

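The restart requirement in Trustix's addendum above is easy to get wrong in practice, because nothing on a running host tells you which daemons still have the old library mapped. The shell script below is an added example, not code from Trustix or from this CERT note. It assumes a Linux host: when the package upgrade replaces libssl/libcrypto on disk, a process that mapped the old file keeps executing the vulnerable code, and /proc/PID/maps shows that mapping with a "(deleted)" suffix. The function names, the sample maps text and the addresses and inode numbers in it are constructed for this example; only awk, sort and the base shell are needed.

```shell
#!/bin/sh
# Added example; not part of the Trustix advisory or the CERT note.
# Lists processes that still have a replaced (pre-upgrade) libssl or
# libcrypto mapped, i.e. the concrete restart list for the host.

# stale_ssl_maps: read one process's /proc/PID/maps text on stdin and print
# each distinct deleted libssl/libcrypto path (nothing if the process is clean).
# maps fields: start-end perms offset dev inode pathname [(deleted)]
stale_ssl_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# find_stale_ssl_processes: scan every process and print "PID<TAB>name<TAB>library".
# Run as root; maps of other users' processes are not readable otherwise.
find_stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # The process may exit while we scan; skip it if its maps vanish.
        libs=$(stale_ssl_maps < "$maps") || continue
        [ -n "$libs" ] || continue
        name=$(awk '/^Name:/ { print $2; exit }' "/proc/$pid/status" 2>/dev/null)
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "${name:-?}" "$lib"
        done
    done
}

# Constructed sample of a maps file for an httpd that is still running the
# pre-upgrade OpenSSL 0.9.6 libraries (addresses and inodes are made up).
SAMPLE_MAPS='08048000-08100000 r-xp 00000000 03:01 1234 /usr/sbin/httpd
b7e00000-b7e80000 r-xp 00000000 03:01 5678 /usr/lib/libssl.so.0.9.6 (deleted)
b7e80000-b7e90000 rw-p 00080000 03:01 5678 /usr/lib/libssl.so.0.9.6 (deleted)
b7e90000-b7f00000 r-xp 00000000 03:01 5679 /usr/lib/libcrypto.so.0.9.6 (deleted)
b7f00000-b7f10000 r-xp 00000000 03:01 9999 /lib/libc.so.6
bffe0000-c0000000 rwxp 00000000 00:00 0 [stack]'

# With the argument "scan", check the live host; with no argument, run the
# detection over the embedded sample so the output format can be seen offline.
if [ "${1:-}" = "scan" ]; then
    find_stale_ssl_processes
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_maps
fi
```

Saved as, say, stale-ssl.sh and run as `sh stale-ssl.sh scan` (as root) right after `swup --upgrade`, every line it prints names a process to restart; an empty result means the upgrade has fully taken effect. The match on `lib(ssl|crypto).so` is deliberately tied to the OpenSSL library names so that unrelated deleted mappings (a rotated log, a replaced binary) do not appear in the list.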

Inktomi Corporation __ Not Affected

Updated: September 17, 2002

Status

Not Affected

Vendor Statement

As noted in the advisory, server log messages such as

GET /mod_ssl:error:HTTP-request HTTP/1.0

do not necessarily indicate access by a compromised system. Any HTTP request to a port expecting to serve HTTPS requests will generate this log message. The Inktomi web crawler follows URL links published on public web pages and is sometimes incorrectly directed to https servers. The crawler does not use Apache nor mod_ssl (nor any kind of SSL), so it is not subject to the compromise described in this advisory. But crawler requests can match two of the listed symptoms of the Apache/mod_ssl worm:

  Probing -- Scanning on 80/tcp
  Propagation -- Connections to 443/tcp

The crawler does not use port 2002 nor UDP. Port 80 access or HTTPS handshake errors from an Inktomi web crawler do not represent an attack on your web server.
Inktomi crawler systems have hostnames of the form

  j[1-9][0-9][0-9][0-9].inktomisearch.com
  si[1-9][0-9][0-9][0-9].inktomisearch.com

The IP addresses of Inktomi crawler hosts will reverse-DNS resolve to a name of this form.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The advisory mentioned in the statement above refers to CERT® Advisory CA-2002-27 Apache/mod_ssl Worm. It had initially misidentified early reports of log entries containing "GET /mod_ssl:error:HTTP-request HTTP/1.0" as potential signs of infection with the Apache/mod_ssl "Slapper" worm.

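Inktomi's point above is a detection one: the `GET /mod_ssl:error:HTTP-request` entry only proves that plain HTTP reached an SSL port, so triage has to separate misdirected crawlers from genuine scanning. The shell script below is an added example, not part of Inktomi's statement or of this CERT note. It reverse-resolves each client that produced the line, matches the name against the crawler pattern Inktomi published, and additionally requires the name to resolve forward to the same address (forward-confirmed reverse DNS, an extra check the statement does not mention: whoever controls the PTR record for an address could otherwise name their host j1234.inktomisearch.com and be waved through). The default lookups assume glibc `getent`; the function names, the PTR_LOOKUP/A_LOOKUP override hook and the sample log lines (RFC 5737 documentation addresses, not real crawler addresses) are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the CERT note or Inktomi's statement.
# Triage of Apache access-log lines recording plain HTTP sent to an HTTPS
# port ("GET /mod_ssl:error:HTTP-request HTTP/1.0"), classifying each
# client by forward-confirmed reverse DNS against Inktomi's crawler names.

CRAWLER_RE='^(j|si)[1-9][0-9][0-9][0-9]\.inktomisearch\.com$'

# Reverse lookup: print the PTR name for an IPv4 address (empty if none).
default_ptr_lookup() { getent hosts "$1" 2>/dev/null | awk '{ print $2; exit }'; }
# Forward lookup: print every IPv4 address a name resolves to, one per line.
default_a_lookup()   { getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u; }
# Both can be replaced (e.g. for offline use) by exporting the names of
# other shell functions in PTR_LOOKUP / A_LOOKUP before calling the triage.
: "${PTR_LOOKUP:=default_ptr_lookup}"
: "${A_LOOKUP:=default_a_lookup}"

# is_inktomi_crawler IP: succeeds only when the PTR name matches the crawler
# pattern AND that name resolves forward to the same IP (spoofed PTRs fail).
is_inktomi_crawler() {
    name=$("$PTR_LOOKUP" "$1") || return 1
    [ -n "$name" ] || return 1
    printf '%s\n' "$name" | grep -Eq "$CRAWLER_RE" || return 1
    "$A_LOOKUP" "$name" | grep -Fxq "$1"
}

# triage_mod_ssl_errors: read access-log lines on stdin; for each distinct
# client that produced the error line print "IP<TAB>verdict".
triage_mod_ssl_errors() {
    grep -F 'GET /mod_ssl:error:HTTP-request' | awk '{ print $1 }' | sort -u |
    while read -r ip; do
        if is_inktomi_crawler "$ip"; then
            printf '%s\tinktomi-crawler: misdirected HTTP, not worm activity\n' "$ip"
        else
            printf '%s\tunconfirmed: correlate with 443/tcp and 2002/udp traffic\n' "$ip"
        fi
    done
}

# Constructed sample log (documentation addresses; not real crawler IPs).
SAMPLE_LOG='203.0.113.7 - - [17/Sep/2002:10:01:12 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 - "-" "-"
192.0.2.45 - - [17/Sep/2002:10:02:30 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 - "-" "-"
192.0.2.45 - - [17/Sep/2002:10:02:31 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 - "-" "-"
198.51.100.9 - - [17/Sep/2002:10:03:00 +0000] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 - "-" "-"
198.51.100.20 - - [17/Sep/2002:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"'

# With the argument "live", triage a log file supplied on stdin; with no
# argument, run over the embedded sample.
if [ "${1:-}" = "live" ]; then
    triage_mod_ssl_errors
else
    printf '%s\n' "$SAMPLE_LOG" | triage_mod_ssl_errors
fi
```

Against a real log, `sh triage.sh live < /var/log/httpd/access_log` (filename assumed) yields one verdict per client. Clients marked unconfirmed are not thereby malicious; as the statement says, any HTTP request to the HTTPS port produces the entry, so the next step is to check whether the same source also appears in the other symptoms the advisory lists (443/tcp connections, 2002/udp traffic) rather than to act on this one line.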

Lotus Development Corporation __ Not Affected

Notified: July 29, 2002 Updated: August 09, 2002

Status

Not Affected

Vendor Statement

Lotus products do not use OpenSSL or an SSLeay library, so they are not vulnerable. We further analyzed our SSL implementation for the issues reported in the advisory and determined that our products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Microsoft Corporation __ Not Affected

Updated: September 26, 2002

Status

Not Affected

Vendor Statement

Microsoft products do not use the libraries in question. Microsoft products are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apache Unknown

Notified: July 30, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Apache-SSL Unknown

Notified: July 29, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NCSA Unknown

Notified: July 30, 2002 Updated: August 09, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

<http://www.securityfocus.com/bid/5363>

Acknowledgements

The CERT/CC thanks Greg Shipley of Neohapsis for reporting this issue to us. John McDonald is credited for discovering this issue. It was also found independently by A.L. Digital Ltd.

This document was written by Jason A Rafail.

Other Information

CVE IDs: | CVE-2002-0656
---|---
CERT Advisory: | CA-2002-23
Severity Metric: | 17.63
Date Public: | 2002-07-30
Date First Published: | 2002-07-30
Date Last Updated: | 2002-09-30 20:51 UTC
Document Revision: | 38