-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2004-9
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original released date : 30 Mar 2004
Last revised : 30 Mar 2004
Package : openssl
Summary : Multiple vulnerabilities in openssl
More information :
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
- The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c,
allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake
that causes a null-pointer assignment.
- Certain versions of OpenSSL 0.9.6 allow remote attackers to cause a denial of service (infinite loop),
as demonstrated using the Codenomicon TLS Test Tool.
- The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites,
allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake,
which causes an out-of-bounds read.
Impact :
The vulnerabilities allow an attacker can cause to denial of service of the openssl.
Affected Products :
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
[Turbolinux 10 Desktop]
# zabom -u openssl openssl-compat openssl-devel
[other]
# zabom update openssl openssl-devel
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size : MD5
openssl-0.9.6m-1.src.rpm
2265514 72b075667855cb90a53c325f8eca8e2e
Binary Packages
Size : MD5
openssl-0.9.6m-1.i586.rpm
1369208 bba436fa46e6d003f908151d5fdcd220
openssl-devel-0.9.6m-1.i586.rpm
1156435 9a01f7b30ea969ff1e2e0cb8de624a90
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size : MD5
openssl-0.9.6m-1.src.rpm
2265514 08266734ac965a26dc6083f9b3fb7542
Binary Packages
Size : MD5
openssl-0.9.6m-1.i586.rpm
1367705 cb90be0ae5ea9756e2d1e1ecc7c0d523
openssl-devel-0.9.6m-1.i586.rpm
1157172 ef5019a72ff65524b529de656223b3ad
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-0.9.7d-1.src.rpm
2793953 ab0c244579dcea53fa6f5f48505b0b5a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-compat-0.9.6m-1.src.rpm
2265321 e03a6f6777dd03c36e31710c8febad77
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-0.9.7d-1.i586.rpm
1218800 eb84ac4173b36ce151f803cb60eb8bdd
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-compat-0.9.6m-1.i586.rpm
754120 459d2aab779bcb1f7334806f3da894f6
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-devel-0.9.7d-1.i586.rpm
1479420 644f6d0e2f0999965417ace5e41853ac
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 dc0389b141a2c78c29d32d250ecb4987
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1367693 aacc89cbc22c431b780366c53003189a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1157874 707e421ad1b9f223fa822573bf8eb81a
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 073e830786e49f88acf8439b0a14b717
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1367591 1d99d917b5f01b61030660045c10f35e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1158207 8b6cbae3a04ff320e847336c0a23a24e
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 132dabe2c91ab0227ff56b85340dc98c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1337061 99f13d9b84819eae9025465f77ea6c5a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1140489 301ef33ceefc4922ca59b84b10250dbe
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 4be185ab3a40e0e0982de7cabebaceb0
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1337293 9e51b81ed1a4ac73a43f80c4a78b9a39
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1141285 0a9a7085891aec85f742b2eee1647d29
<Turbolinux Server 6.5>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 fb4550e5daa482a1978464e8a1272b3c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466724 7e303efabc213f57fe6f3eed50f62ef0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273395 557dfc469d06aea2564a9a14a248ea24
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 9b0c792b110e7d2e43ff83d072ea647d
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466757 9a76ebcb8a5c390fe4880e750bedeeb2
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273434 680429a3bf0235c7958ee7b9f02ebab5
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 0a2f1d263ae5bbaeb18f81551743590d
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466752 c0696ff96729f4218cd588d94033b5c4
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273499 49af08dd7d0b08fd701d61c4f7f11983
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 f83b24f5112c3e66c9122af6199e0ac5
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466745 6f982e6da0d92b23139e111e50143e05
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273391 0dec09ad6bfedccfe0157828d682bb80
Reiferences :
CVE
[
CAN-2004-0079]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2004-0079
[
CAN-2004-0081]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2004-0081
[
CAN-2004-0112]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=
CAN-2004-0112
--------------------------------------------------------------------------
Revision History
30 Mar 2004 Initial release
--------------------------------------------------------------------------
Copyright(C) 2004 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAaSFJK0LzjOqIJMwRAjs0AJ4wzqLwJtb13Trqkx9Ouo8xcPtVVwCgidtb
+2guQ6+MUyfqpkEwHMMapTE=
=weL6
-----END PGP SIGNATURE-----