You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2001/08/31 04:08:32 UTC

Fw: [INFO] [CLA-2001:418] Conectiva Linux Security Announcement - openssl

The following provides a very respectible detail of why we can't install Apache 2.0
mod_ssl with anything less than 0.9.6b.  Hope some of you find this interesting
or otherwise useful.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - --------------------------------------------------------------------------
> CONECTIVA LINUX SECURITY ANNOUNCEMENT 
> - --------------------------------------------------------------------------
> 
> PACKAGE   : openssl
> SUMMARY   : Several vulnerabilities in the OpenSSL library
> DATE      : 2001-08-30 16:11:00
> ID        : CLA-2001:418
> RELEVANT
> RELEASES  : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0
> 
> - -------------------------------------------------------------------------
> 
> DESCRIPTION
>  OpenSSL is a library providing several crypto and digital certificate
>  handling functions.
>  Several vulnerabilities have been addressed in newer versions of this
>  library:
>  1. OpenSSL now avoids using environment variables when running as
>  root;
>  2. The result of RSA-CRT is now checked to reduce the possibility of
>  deducing the private key from an incorrectly calculated signature;
>  3. Changes to prevent Bleichenbacher's DSA attack;
>  4. OpenSSL now zeroes the premaster secret after deriving the master
>  secret in DH ciphersuites;
>  5. Fix for a vulnerability in the pseudo random number generator
>  which allowed an attacker to predict the internal state of the PRNG
>  and thus predict future PRNG output.
>  The first four vulnerabilities have been addressed in the 0.9.6a
>  version of the library and affect Conectiva Linux <= 6.0 only, while
>  the last one was fixed with the 0.9.6b release and affects Conectiva
>  Linux 7.0 and earlier.
>  The packages available through this update have been patched to fix
>  all these vulnerabilities. Thanks to the OpenSSL team for releasing
>  the new versions and to Nalin Dahyabhai from Redhat for providing
>  patches for older versions.
> 
> 
> SOLUTION
>  All users should upgrade the OpenSSL library. After the update,
>  programs which use the library, such as apache and openssh, should be
>  restarted.
>  
>  IMPORTANT: updated packages for Conectiva Linux 4.0 and 4.0es are not
>  yet available.
>  
>  
>  REFERENCES
>  1. http://www.securityfocus.com/bid/3004
>  2. http://www.openssl.org
>  3.http://marc.theaimsgroup.com/?l=openssl-announce&m=98655255404174&w=2
> 
> 
> DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
> ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openssl-0.9.5a-2U41_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-devel-0.9.5a-2U41_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-0.9.5a-2U41_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openssl-0.9.5a-2U42_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-devel-0.9.5a-2U42_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-0.9.5a-2U42_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openssl-0.9.5a-2U51_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-0.9.5a-2U51_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-devel-0.9.5a-2U51_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-devel-0.9.6-4U60_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssl-0.9.6a-3U70_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-doc-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-static-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-progs-0.9.6a-3U70_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm
> ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-0.9.5a-2U50_1cl.i386.rpm
> 
> 
> ADDITIONAL INSTRUCTIONS
>  Users of Conectiva Linux version 6.0 or higher may use apt to perform 
>  upgrades of RPM packages:
>  - add the following line to /etc/apt/sources.list if it is not there yet
>    (you may also use linuxconf to do this):
> 
>  rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
> 
> (replace 6.0 with the correct version number if you are not running CL6.0)
> 
>  - run:                 apt-get update
>  - after that, execute: apt-get upgrade
> 
>  Detailed instructions reagarding the use of apt and upgrade examples 
>  can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
> 
> 
> - -------------------------------------------------------------------------
> All packages are signed with Conectiva's GPG key. The key and instructions
> on how to import it can be found at 
> http://distro.conectiva.com.br/seguranca/chave/?idioma=en
> Instructions on how to check the signatures of the RPM packages can be
> found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
> - -------------------------------------------------------------------------
> All our advisories and generic update instructions can be viewed at
> http://distro.conectiva.com.br/atualizacoes/?idioma=en
> 
> - -------------------------------------------------------------------------
> subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
> unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE7jo/542jd0JmAcZARAnaSAJ4po9nPSxpqUCJOg6hDYMriFxO58wCg1e/D
> gL56qncwxZrTlKchIhw7MAQ=
> =/aX5
> -----END PGP SIGNATURE-----
> 
>