
Security: Buffer overflows in openssl
Name: Buffer overflows in openssl
ID: =20
Distribution: Gentoo
Platforms: Not specified
Date: Tue, 30 July 2002, 13:00
References: Not specified
Applications: OpenSSL

Original message

--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE :openssl
SUMMARY :denial of service / remote root exploit
DATE :2002-07-30 16:15:00

--------------------------------------------------------------------

OVERVIEW

Multiple potentially remotely exploitable vulnerabilities have been found in
OpenSSL.

DETAIL

1. The client master key in SSL2 could be oversized and overrun a
buffer. This vulnerability was also independently discovered by
consultants at Neohapsis (http://www.neohapsis.com/) who have also
demonstrated that the vulnerability is exploitable. Exploit code is
NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
overrun a stack-based buffer. This issue only affects OpenSSL
0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
small on 64 bit platforms.

The full advisory can be read at
http://www.openssl.org/news/secadv_20020730.txt

SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge openssl
emerge clean

After the installation of the updated OpenSSL you should restart the services
that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled
POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.

Also, if you have an application that is statically linked to openssl you will
need to reemerge that application to build it against the new OpenSSL.

--------------------------------------------------------------------
Daniel Ahlberg
aliz@gentoo.org
--------------------------------------------------------------------

_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security
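
Added example, not part of the Gentoo advisory: a service that is not restarted after the update keeps running the old OpenSSL code, so this sketch lists processes whose memory map still references a replaced libssl/libcrypto file. The function names, sample PIDs, paths and library versions are constructed, and a Linux /proc with per-process maps and comm files is assumed.

```shell
#!/bin/sh
# Added example: list processes still mapping a replaced libssl/libcrypto.

# stale_ssl_pids [PROC_ROOT]: print "PID NAME" for every process whose maps
# file references a libssl/libcrypto shared object marked "(deleted)", i.e.
# the file was replaced on disk but the old copy is still loaded.
stale_ssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        grep -Eq '/lib(ssl|crypto)[^/ ]*\.so[^/ ]* \(deleted\)$' "$maps" 2>/dev/null || continue
        dir="${maps%/maps}"
        name="$(cat "$dir/comm" 2>/dev/null)" || name='?'
        printf '%s %s\n' "${dir##*/}" "$name"
    done
}

# make_sample_proc DIR: build a constructed /proc-like tree for offline runs.
# PID 101 still maps the old library, PID 202 was restarted and maps the
# new one, PID 303 does not use OpenSSL at all.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo sshd > "$1/101/comm"
    echo stunnel > "$1/202/comm"
    echo cron > "$1/303/comm"
    cat > "$1/101/maps" <<'EOF'
08048000-0808a000 r-xp 00000000 03:01 1201 /usr/sbin/sshd
40020000-400f0000 r-xp 00000000 03:01 3302 /usr/lib/libcrypto.so.0.9.6 (deleted)
EOF
    cat > "$1/202/maps" <<'EOF'
08048000-08060000 r-xp 00000000 03:01 1400 /usr/sbin/stunnel
40020000-40050000 r-xp 00000000 03:01 3410 /usr/lib/libssl.so.0.9.6
EOF
    cat > "$1/303/maps" <<'EOF'
08048000-08050000 r-xp 00000000 03:01 1500 /usr/sbin/cron
40020000-40130000 r-xp 00000000 03:01 2200 /lib/libc-2.2.5.so
EOF
}

sample="$(mktemp -d)"
make_sample_proc "$sample"
stale_ssl_pids "$sample"      # call without an argument to scan the live /proc
rm -rf "$sample"
```

Statically linked applications do not map libssl/libcrypto as shared objects, so this check does not find them; they need the rebuild the advisory describes.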