------------------------------------------------------------------------
Debian Security Advisory DSA-136-2                   security@debian.org
http://www.debian.org/security/                           Michael Stone
September 15, 2002                   http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openssl094, openssl095, openssl
Problem type   : multiple remote exploits
Debian-specific: no
CVE            : CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659

Note: this advisory is an update to DSA-136-1, issued 30 Jul 2002. It
includes ASN1 updates in the woody packages, plus the potato packages
which were not initially available.

The OpenSSL development team has announced that a security audit by
A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
revealed remotely exploitable buffer overflow conditions in the OpenSSL
code. Additionally, the ASN1 parser in OpenSSL has a potential DoS attack
independently discovered by Adi Stav and James Yonan.

CAN-2002-0655 references overflows in buffers used to hold ASCII
representations of integers on 64-bit platforms.

CAN-2002-0656 references buffer overflows in the SSL2 server
implementation (by sending an invalid key to the server) and the SSL3
client implementation (by sending a large session id to the client). The
SSL2 issue was also noticed by Neohapsis, who have privately demonstrated
exploit code for this issue.

CAN-2002-0659 references the ASN1 parser DoS issue.

These vulnerabilities have been addressed for Debian 3.0 (woody) in
openssl094_0.9.4-6.woody.1, openssl095_0.9.5a-6.woody.1 and
openssl_0.9.6c-2.woody.1.

These vulnerabilities are also present in Debian 2.2 (potato). Fixed
packages are available in openssl094_0.9.4-6.potato.0 and
openssl_0.9.6c-0.potato.4. Only i386 packages for openssl094 and
openssl095 are available at this time; other architectures will be made
available as soon as possible.
A worm is actively exploiting this issue on internet-attached hosts; we
recommend you upgrade your OpenSSL as soon as possible. Note that you must
restart any daemons using SSL (e.g., ssh or SSL-enabled Apache). If you are
uncertain which programs are using SSL you may choose to reboot to ensure
that all running daemons are using the new libraries.

------------------------------------------------------------------------
Obtaining updates:

  By hand:
    wget URL
        will fetch the file for you.
    dpkg -i FILENAME.deb
        will install the fetched file.

  With apt:
    deb http://security.debian.org/ stable/updates main
        added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages at
http://www.debian.org/security/

------------------------------------------------------------------------

Debian 2.2 (potato)
-------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.
Debian 3.0 (woody)
------------------

  woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
  powerpc, s390 and sparc.
------------------------------------------------------------------------

  For apt-get: deb http://security.debian.org/ stable/updates main
  For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
  Mailing list: debian-security-announce@lists.debian.org
  Package info: `apt-cache show <pkg>' and http://packages.debian.org/
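The advisory says every daemon using SSL must be restarted after the upgrade, or the host rebooted if you are unsure which ones. The following POSIX shell script is an added example, not part of the advisory or of Debian's tooling: it reads /proc/<pid>/maps to find processes that still have a replaced (pre-upgrade) libssl or libcrypto mapped, so they can be restarted individually. The maps sample, library paths and process names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory: after installing the fixed
# libssl packages, find daemons that still have the pre-upgrade library mapped
# and therefore must be restarted (the advisory's alternative to a reboot).

# Constructed sample of a /proc/<pid>/maps fragment. dpkg replaces the library
# file on disk, so a daemon started before the upgrade keeps the old copy mapped
# and the kernel reports the path as "(deleted)".
SAMPLE_MAPS='40000000-40014000 r-xp 00000000 03:01 12345 /lib/ld-2.2.5.so
40123000-401b4000 r-xp 00000000 03:01 67890 /usr/lib/libssl.so.0.9.6 (deleted)
401b4000-401c0000 rw-p 00090000 03:01 67890 /usr/lib/libssl.so.0.9.6 (deleted)
40200000-402a0000 r-xp 00000000 03:01 11111 /usr/lib/libcrypto.so.0.9.6 (deleted)
402a0000-402b0000 r-xp 00000000 03:01 22222 /usr/lib/libz.so.1.1.4 (deleted)'

# stale_ssl_libs MAPS_TEXT
# Print each distinct libssl/libcrypto path that is mapped but marked deleted.
# Field 6 of a maps line is the pathname, field 7 (if present) is "(deleted)".
stale_ssl_libs() {
    printf '%s\n' "$1" |
        awk '$6 ~ /lib(ssl|crypto)\.so/ && $7 == "(deleted)" { print $6 }' |
        sort -u
}

# has_stale_ssl MAPS_TEXT
# Exit status 0 when at least one stale SSL library mapping is present.
has_stale_ssl() {
    [ -n "$(stale_ssl_libs "$1")" ]
}

# scan_running_processes
# Apply the check to every process on this host and print "PID NAME" for each
# one that needs a restart. Run as root so other users' daemons are readable.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        maps_text=$(cat "$maps" 2>/dev/null) || continue
        if has_stale_ssl "$maps_text"; then
            name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Demonstration on the constructed sample; on a real host call
# scan_running_processes instead.
stale_ssl_libs "$SAMPLE_MAPS"
```

An empty result from scan_running_processes after the upgrade means no running process still maps the old library; a non-empty list names the daemons to restart instead of rebooting.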