Skip to navigation

Security Advisory Updated openssl packages fix remote vulnerabilities

Advisory: RHSA-2002:155-11
Type: Security Advisory
Severity: N/A
Issued on: 2002-07-25
Last updated on: 2002-07-29
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
Red Hat Linux 7.3
CVEs (cve.mitre.org): CVE-2002-0655
CVE-2002-0656

Details

Updated OpenSSL packages are available which fix several serious buffer
overflow vulnerabilities.

OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library. A security audit of the OpenSSL code sponsored by
DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7
and 0.9.6d and earlier:

1. The master key supplied by a client to an SSL version 2 server could be
oversized, causing a stack-based buffer overflow. This issue is remotely
exploitable. Services that have SSLv2 disabled would not be vulnerable to
this issue. (CAN-2002-0656)

2. The SSLv3 session ID supplied to a client from a malicious server could
be oversized and overrun a buffer. This issue looks to be remotely
exploitable. (CAN-2002-0656)

3. Various buffers used for storing ASCII representations of integers were
too small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655)

A further issue was found in OpenSSL 0.9.7 that does not affect versions of
OpenSSL shipped with Red Hat Linux (CAN-2002-0657).

A large number of applications within Red Hat Linux make use the OpenSSL
library to provide SSL support. All users are therefore advised to upgrade
to the errata OpenSSL packages, which contain patches to correct these
vulnerabilities.

NOTE:

Please read the Solution section below as it contains instructions for
making sure that all SSL-enabled processes are restarted after the update
is applied.

Thanks go to the OpenSSL team and Ben Laurie for providing patches for
these issues.


Solution

IMPORTANT:

Because both client and server applications are affected by these
vulnerabilities, we advise users to reboot their systems after installing
these updates.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
openssl-0.9.5a-26.src.rpm
File outdated by:  RHSA-2002:160
    MD5: 61c1681e13328fe5cc5de13003cecbfa
 
Alpha:
openssl-0.9.5a-26.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: b5a092d4197eabfaefeed4d260d1b98e
openssl-devel-0.9.5a-26.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 711624c0394b7c0fca42750726d32f3d
openssl-perl-0.9.5a-26.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 76d65cd6d29616fd9933912b09bede48
openssl-python-0.9.5a-26.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 267eb03ac96a182b9fa11a5ba3b9389d
 
IA-32:
openssl-0.9.5a-26.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: b99f516e99f7b0b90feea4cd0fb1edab
openssl-devel-0.9.5a-26.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 0ffd8b3d708b8fdcc6bc6ae91f3d1940
openssl-perl-0.9.5a-26.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: b9db1140f4806ec3f4f1a832aad21afc
openssl-python-0.9.5a-26.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 388b3147b88607bb47b563532b4ff155
 
Sparc:
openssl-0.9.5a-26.sparc.rpm
File outdated by:  RHSA-2002:160
    MD5: 810e6131fee818819213d326c596719b
openssl-devel-0.9.5a-26.sparc.rpm
File outdated by:  RHSA-2002:160
    MD5: 9ab8a7b059a198837cad649e7c4b1f92
openssl-perl-0.9.5a-26.sparc.rpm
File outdated by:  RHSA-2002:160
    MD5: e4ab888ccd8200c66de485408b3518b9
openssl-python-0.9.5a-26.sparc.rpm
File outdated by:  RHSA-2002:160
    MD5: 305e69febe8751a6839324593be55087
 
Red Hat Linux 7.0

SRPMS:
openssl-0.9.6-10.src.rpm
File outdated by:  RHSA-2002:160
    MD5: 6a1a51baec50250feb6a7df0914c086d
openssl095a-0.9.5a-14.src.rpm
File outdated by:  RHSA-2003:291
    MD5: ddd832b579f5f92234fd3bdc0088585c
 
Alpha:
openssl-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 80e27f1105c86ad37f47ed9c6da01e75
openssl-devel-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: fe5999b2892ef3af48707a0900d24741
openssl-perl-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 7f0ad5a594254071c63d46c554a73cfe
openssl-python-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 30fb55bf1ff5f8113fe4fce2907db6de
openssl095a-0.9.5a-14.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 2c67e47754d3c46828a46b858d5227e5
 
IA-32:
openssl-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 9b9780f4124111d800cbc698f601eed4
openssl-devel-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: d81f3d47b8d725bb71ad7809c81e0486
openssl-perl-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 776c915db7a72e5f22cdffadfb56f2c9
openssl-python-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 1c916fb95c1b8f9c44840667a4aea2cd
openssl095a-0.9.5a-14.i386.rpm
File outdated by:  RHSA-2003:101
    MD5: 9f4ddecdbc78517f7e43648132c9873a
 
Red Hat Linux 7.1

SRPMS:
openssl-0.9.6-10.src.rpm
File outdated by:  RHSA-2002:160
    MD5: 6a1a51baec50250feb6a7df0914c086d
openssl095a-0.9.5a-14.src.rpm
File outdated by:  RHSA-2003:291
    MD5: ddd832b579f5f92234fd3bdc0088585c
 
Alpha:
openssl-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 80e27f1105c86ad37f47ed9c6da01e75
openssl-devel-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: fe5999b2892ef3af48707a0900d24741
openssl-perl-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 7f0ad5a594254071c63d46c554a73cfe
openssl-python-0.9.6-10.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 30fb55bf1ff5f8113fe4fce2907db6de
openssl095a-0.9.5a-14.alpha.rpm
File outdated by:  RHSA-2002:160
    MD5: 2c67e47754d3c46828a46b858d5227e5
 
IA-32:
openssl-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 9b9780f4124111d800cbc698f601eed4
openssl-devel-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: d81f3d47b8d725bb71ad7809c81e0486
openssl-perl-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 776c915db7a72e5f22cdffadfb56f2c9
openssl-python-0.9.6-10.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 1c916fb95c1b8f9c44840667a4aea2cd
openssl095a-0.9.5a-14.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 9f4ddecdbc78517f7e43648132c9873a
 
IA-64:
openssl-0.9.6-10.ia64.rpm
File outdated by:  RHSA-2002:160
    MD5: 0c246f63818de647a1b1810187c13381
openssl-devel-0.9.6-10.ia64.rpm
File outdated by:  RHSA-2002:160
    MD5: 5966099d03ba051a1784f7eba666815b
openssl-perl-0.9.6-10.ia64.rpm
File outdated by:  RHSA-2002:160
    MD5: 30d8263af19b234b1ff6b48915a4760d
openssl-python-0.9.6-10.ia64.rpm
File outdated by:  RHSA-2002:160
    MD5: 0eb73d5aa9c2a0f693ff8c60bf4a9321
openssl095a-0.9.5a-14.ia64.rpm
File outdated by:  RHSA-2002:160
    MD5: 5e6e3c534cac94d57e14fae37f213333
 
Red Hat Linux 7.2

SRPMS:
openssl-0.9.6b-24.src.rpm
File outdated by:  RHSA-2003:291
    MD5: 93ab0985d11a15fe39e24a548b1885e6
openssl095a-0.9.5a-14.src.rpm
File outdated by:  RHSA-2003:291
    MD5: ddd832b579f5f92234fd3bdc0088585c
openssl096-0.9.6-9.src.rpm
File outdated by:  RHSA-2003:291
    MD5: 449151345e809f531c316cb9d1df033b
 
IA-32:
openssl-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: c181eab20db43421e20a0e5cd18a1b0d
openssl-0.9.6b-24.i686.rpm
File outdated by:  RHSA-2003:291
    MD5: 0189237bd50fc00fb777cd782aa70e2e
openssl-devel-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: b74adb3f6208aeddfda7d1b1f0063802
openssl-perl-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 189345f3cee952484fcd2a40246aa28b
openssl095a-0.9.5a-14.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 9f4ddecdbc78517f7e43648132c9873a
openssl096-0.9.6-9.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: c37591c97b216af1290cfcc82e74abb3
 
IA-64:
openssl-0.9.6b-24.ia64.rpm
File outdated by:  RHSA-2003:291
    MD5: a5e045a90bf2fae63b9fd7c7a7ed265b
openssl-devel-0.9.6b-24.ia64.rpm
File outdated by:  RHSA-2003:291
    MD5: 1c047ebddc6b5bad180bba5eb6549f63
openssl-perl-0.9.6b-24.ia64.rpm
File outdated by:  RHSA-2003:291
    MD5: 2e96f756ac9fab96db2e2e672f11b62b
openssl095a-0.9.5a-14.ia64.rpm
File outdated by:  RHSA-2003:291
    MD5: 5e6e3c534cac94d57e14fae37f213333
openssl096-0.9.6-9.ia64.rpm
File outdated by:  RHSA-2003:291
    MD5: e402bc51ebe69e9e18132a29f1555c15
 
Red Hat Linux 7.3

SRPMS:
openssl-0.9.6b-24.src.rpm
File outdated by:  RHSA-2003:291
    MD5: 93ab0985d11a15fe39e24a548b1885e6
openssl095a-0.9.5a-14.src.rpm
File outdated by:  RHSA-2003:291
    MD5: ddd832b579f5f92234fd3bdc0088585c
openssl096-0.9.6-9.src.rpm
File outdated by:  RHSA-2003:291
    MD5: 449151345e809f531c316cb9d1df033b
 
IA-32:
openssl-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: c181eab20db43421e20a0e5cd18a1b0d
openssl-0.9.6b-24.i686.rpm
File outdated by:  RHSA-2003:291
    MD5: 0189237bd50fc00fb777cd782aa70e2e
openssl-devel-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: b74adb3f6208aeddfda7d1b1f0063802
openssl-perl-0.9.6b-24.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 189345f3cee952484fcd2a40246aa28b
openssl095a-0.9.5a-14.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: 9f4ddecdbc78517f7e43648132c9873a
openssl096-0.9.6-9.i386.rpm
File outdated by:  RHSA-2003:291
    MD5: c37591c97b216af1290cfcc82e74abb3
 

References


Keywords

key, master, OpenSSL, session


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/