You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2001/08/31 04:08:32 UTC
Fw: [INFO] [CLA-2001:418] Conectiva Linux Security Announcement - openssl
The following provides a very respectible detail of why we can't install Apache 2.0
mod_ssl with anything less than 0.9.6b. Hope some of you find this interesting
or otherwise useful.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------------
>
> PACKAGE : openssl
> SUMMARY : Several vulnerabilities in the OpenSSL library
> DATE : 2001-08-30 16:11:00
> ID : CLA-2001:418
> RELEVANT
> RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
>
> - -------------------------------------------------------------------------
>
> DESCRIPTION
> OpenSSL is a library providing several crypto and digital certificate
> handling functions.
> Several vulnerabilities have been addressed in newer versions of this
> library:
> 1. OpenSSL now avoids using environment variables when running as
> root;
> 2. The result of RSA-CRT is now checked to reduce the possibility of
> deducing the private key from an incorrectly calculated signature;
> 3. Changes to prevent Bleichenbacher's DSA attack;
> 4. OpenSSL now zeroes the premaster secret after deriving the master
> secret in DH ciphersuites;
> 5. Fix for a vulnerability in the pseudo random number generator
> which allowed an attacker to predict the internal state of the PRNG
> and thus predict future PRNG output.
> The first four vulnerabilities have been addressed in the 0.9.6a
> version of the library and affect Conectiva Linux <= 6.0 only, while
> the last one was fixed with the 0.9.6b release and affects Conectiva
> Linux 7.0 and earlier.
> The packages available through this update have been patched to fix
> all these vulnerabilities. Thanks to the OpenSSL team for releasing
> the new versions and to Nalin Dahyabhai from Redhat for providing
> patches for older versions.
>
>
> SOLUTION
> All users should upgrade the OpenSSL library. After the update,
> programs which use the library, such as apache and openssh, should be
> restarted.
>
> IMPORTANT: updated packages for Conectiva Linux 4.0 and 4.0es are not
> yet available.
>
>
> REFERENCES
> 1. http://www.securityfocus.com/bid/3004
> 2. http://www.openssl.org
> 3.http://marc.theaimsgroup.com/?l=openssl-announce&m=98655255404174&w=2
>
>
> DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
> ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openssl-0.9.5a-2U41_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-devel-0.9.5a-2U41_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-0.9.5a-2U41_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openssl-0.9.5a-2U42_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-devel-0.9.5a-2U42_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-0.9.5a-2U42_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openssl-0.9.5a-2U51_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-0.9.5a-2U51_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-devel-0.9.5a-2U51_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-devel-0.9.6-4U60_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssl-0.9.6a-3U70_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-doc-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-static-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-progs-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
>
>
> ADDITIONAL INSTRUCTIONS
> Users of Conectiva Linux version 6.0 or higher may use apt to perform
> upgrades of RPM packages:
> - add the following line to /etc/apt/sources.list if it is not there yet
> (you may also use linuxconf to do this):
>
> rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
>
> (replace 6.0 with the correct version number if you are not running CL6.0)
>
> - run: apt-get update
> - after that, execute: apt-get upgrade
>
> Detailed instructions reagarding the use of apt and upgrade examples
> can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
>
>
> - -------------------------------------------------------------------------
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
> - -------------------------------------------------------------------------
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
>
> - -------------------------------------------------------------------------
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE7jo/542jd0JmAcZARAnaSAJ4po9nPSxpqUCJOg6hDYMriFxO58wCg1e/D
> gL56qncwxZrTlKchIhw7MAQ=
> =/aX5
> -----END PGP SIGNATURE-----
>
>