Security Advisory openssl, mm security update for Stronghold

Advisory: RHSA-2002:163-04
Type: Security Advisory
Severity: Critical
Issued on: 2002-07-31
Last updated on: 2002-08-01
Affected Products:
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-0655
CVE-2002-0656
CVE-2002-0658
CVE-2002-0659

Details

Updated Apache packages are available which fix several serious buffer
overflow vulnerabilities in OpenSSL and a local privilege escalation
vulnerability in MM.

Note:

Please read the "Solution" section below as there are special upgrade
instructions for this errata.

-----------

OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library. A security audit of the OpenSSL code sponsored by
DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7
and 0.9.6d and earlier:

1. The master key supplied by a client to an SSL version 2 server could be
oversized, causing a stack-based buffer overflow. This issue is remotely
exploitable. Services that have SSLv2 disabled would not be vulnerable to
this issue. (CAN-2002-0656)

2. The SSLv3 session ID supplied to a client from a malicious server could
be oversized and overrun a buffer. This issue looks to be remotely
exploitable. (CAN-2002-0656)

3. Various buffers used for storing ASCII representations of integers were
too small on 64-bit platforms. This issue may be exploitable. (CAN-2002-0655)

A further issue was found in OpenSSL 0.9.7 that does not affect versions of
OpenSSL included in Stronghold (CAN-2002-0657).

The MM library provides an abstraction layer which allows related processes
to easily share data. On systems where shared memory or other
inter-process communication mechanisms are not available, the MM library
will emulate them using temporary files. MM is used in Stronghold to
provide shared memory pools to Apache modules.

Versions of MM up to and including 1.1.3 open temporary files in an unsafe
manner, allowing a malicious local user to cause an application which uses
MM to overwrite any file to which it has write access. (CAN-2002-0658)

All users are advised to upgrade to these errata packages which contain a
patched version of MM that is not vulnerable to this issue.
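
The class of flaw described for MM, shown as an added example (this is not
MM's code and not part of the original advisory): a fixed temporary-file name
opened without O_EXCL, beside an exclusive open. The file names, the scratch
directory and the pre-existing link are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: fixed name, no O_EXCL. open() reuses and truncates whatever is
 * already at the path, and follows a link placed there by another user. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes creation atomic and fails with EEXIST if anything
 * (regular file or symbolic link) already exists at the path. */
static int open_tmp_exclusive(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Size of the file a path resolves to, or -1 on error. */
static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario in a private scratch directory: "target" holds 6
 * bytes and "pool.tmp" is a link to it that exists before the open call.
 * Returns target's size afterwards; 0 means its contents were destroyed. */
static long target_size_after_open(int use_exclusive) {
    char dir[] = "/tmp/mmdemoXXXXXX", target[64], tmp[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/pool.tmp", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "sample", 6) != 6) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;
    fd = use_exclusive ? open_tmp_exclusive(tmp) : open_tmp_unsafe(tmp);
    if (fd >= 0) close(fd);
    long size = file_size(target);
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("unsafe open:    target is %ld bytes\n", target_size_after_open(0));
    printf("exclusive open: target is %ld bytes\n", target_size_after_open(1));
    return 0;
}
```

With the exclusive open the call fails and the existing file is left intact;
code that needs a fresh temporary file should prefer mkstemp(), which also
chooses an unpredictable name.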

Thanks go to the OpenSSL team, Ben Laurie, and Marcus Meissner for
providing patches for these issues.


Solution

We have backported the security fixes for the versions of OpenSSL
and mm included in Stronghold 4. The fixed packages are now available via
the update agent service; run

$ bin/agent

from the Stronghold 4 install root to upgrade an existing Stronghold 4
installation to the new package versions.

Due to a bug in the update agent, users of Solaris on Intel platforms
should create a file "conf/update-agent.conf" in the install root,
containing the following two lines:

[agent]
ignore: RPMPROB_FILTER_IGNOREARCH

After the appropriate updates have been applied, it will be necessary to
manually restart the server with the following commands:

$ bin/stop-server
$ bin/start-server

Keywords

file, key, master, mm, OpenSSL, session, temporary


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/