Security: Buffer overflows in openssl
Name: Buffer overflows in openssl
ID:
Distribution: Gentoo
Platforms: Not specified
Date: Tue, 30 July 2002, 13:00
References: Not specified
Applications: OpenSSL
Original message
--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------
PACKAGE :openssl
SUMMARY :denial of service / remote root exploit
DATE :2002-07-30 16:15:00
--------------------------------------------------------------------
OVERVIEW
Multiple potentially remotely exploitable vulnerabilities have been found in OpenSSL.
DETAIL
1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.
2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.
3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.
4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.
The full advisory can be read at http://www.openssl.org/news/secadv_20020730.txt
SOLUTION
It is recommended that all Gentoo Linux users update their systems as follows.
    emerge --clean rsync
    emerge openssl
    emerge clean
After the installation of the updated OpenSSL you should restart the services that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
Also, if you have an application that is statically linked to openssl you will need to reemerge that application to build it against the new OpenSSL.
--------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
--------------------------------------------------------------------
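The bug classes in items 1 to 4 above, as an added example that is not part of the announcement and not OpenSSL's code: a length-prefixed key field is copied only after its declared length is checked against the destination buffer, and an integer's text buffer is sized from the type so that it also fits a 64-bit long. The record layout and the names struct session, MAX_MASTER_KEY, read_master_key, LONG_DEC_BUF and format_long are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MASTER_KEY 48   /* assumed capacity of the key buffer */

struct session {            /* hypothetical, not OpenSSL's structure */
    unsigned char master_key[MAX_MASTER_KEY];
    size_t master_key_len;
};

/* Constructed record: 2-byte big-endian length, then the key bytes.
 * Returns 0 on success, -1 if the record is truncated or the declared
 * length exceeds the destination buffer (the case items 1-3 describe). */
int read_master_key(struct session *s, const unsigned char *msg, size_t msg_len)
{
    size_t declared;
    if (msg_len < 2)
        return -1;
    declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > sizeof s->master_key)  /* peer-controlled length vs. buffer */
        return -1;
    if (declared > msg_len - 2)           /* length vs. bytes actually received */
        return -1;
    memcpy(s->master_key, msg + 2, declared);
    s->master_key_len = declared;
    return 0;
}

/* Item 4: size the text buffer from the type, not from a 32-bit guess.
 * Each byte yields at most 3 decimal digits; +1 for the sign, +1 for NUL. */
#define LONG_DEC_BUF (sizeof(long) * 3 + 2)

/* Returns the number of characters written, or -1 if out is too small. */
int format_long(char *out, size_t out_len, long v)
{
    int n = snprintf(out, out_len, "%ld", v);
    return (n >= 0 && (size_t)n < out_len) ? n : -1;
}

int main(void)
{
    unsigned char oversized[2 + 256] = {0x01, 0x00}; /* constructed: declares 256 bytes */
    struct session s;
    char text[LONG_DEC_BUF];
    printf("oversized key: %d\n", read_master_key(&s, oversized, sizeof oversized));
    printf("LONG_MIN uses %d chars\n", format_long(text, sizeof text, LONG_MIN));
    return 0;
}
```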