[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL
From: NetBSD Security-Officer <security-officer@xxxxxxxxxx>
Date: Wed, 21 Apr 2004 14:14:03 -0400

-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2004-005
                 =================================

Topic:          Denial of service vulnerabilities in OpenSSL

Version:        NetBSD-current: source prior to March 22, 2004
                NetBSD 2.0:     branch unaffected, release will include the fix
                NetBSD 1.6.2:   affected
                NetBSD 1.6.1:   affected
                NetBSD 1.6:     affected
                NetBSD 1.5.3:   affected
                NetBSD 1.5.2:   affected
                NetBSD 1.5.1:   affected
                NetBSD 1.5:     affected
                pkgsrc:         security/openssl packages prior to 0.9.6m

Severity:       Possible denial of service, depending on the application

Fixed:          NetBSD-current:         March 22, 2004
                NetBSD-1.6 branch:      April  2, 2004
                                        (1.6.3 will include the fix)
                NetBSD-1.5 branch:      April  7, 2004
                pkgsrc:                 openssl-0.9.6m corrects this issue


Abstract
========

There are two distinct denial of service vulnerabilities addressed by this
advisory:

        1. Null-pointer assignment during SSL handshake

        A carefully crafted SSL/TLS handshake against a server which
        uses the OpenSSL library may result in a crash.  Depending on how
        the application uses the OpenSSL library, this may result in a
        denial of service.


        2. Out-of-bounds read affects Kerberos ciphersuites

        A second flaw in the SSL/TLS handshake could cause a server
        configured to use the Kerberos ciphersuites to crash if a carefully
        crafted sequence of packets is sent by an attacker.



Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libcrypto and libssl
libraries by updating your source tree and rebuilding and
installing a new versions.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2004-03-22
        should be upgraded to NetBSD-current dated 2004-03-23 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl
                # cd src
                # cvs update -d -P crypto/dist/openssl

                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl
                
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:

        The binary distribution of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

        Systems running NetBSD 1.6 sources dated from before
        2004-04-02 should be upgraded from NetBSD 1.6 sources dated
        2004-04-03 or later.

        NetBSD 1.6.3 will include the fix.

        The following directories need to be updated from the
        netbsd-1-6 CVS branch:
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl

                # cd src
                # cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl

                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.   

        Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
        from before 2004-04-07 should be upgraded from NetBSD 1.5.*
        sources dated 2004-04-08 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl

                # cd src
                # cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl

                # make cleandir dependall
                # make install

Revision History
================

        2004-04-21      Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-005.txt,v 1.3 2004/04/21 17:34:50 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQIax0z5Ru2/4N2IFAQHjFwP7B6JP4OrQsPrCgSYkUxpuw4oQ0n9kOB7J
rEM+aA9/9nrtbc95vuFhjaiahUop91I9oPxNkKjoflaqNyrtGM18U+um5iCv/cJV
0aBih+cyv7hWylcxrTwZ35QuxpFOz253mpCPpKDk4YC8zDjvQDDOoCIz+854WdDe
5MM5tkgTqPU=
=gjxz
-----END PGP SIGNATURE-----

Prev by Date: [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke]
Next by Date: Vulnerabilities in long-lived TCP connections on SGI systems
Previous by thread: [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke]
Next by thread: Vulnerabilities in long-lived TCP connections on SGI systems
Index(es):
- Date
- Thread