Debians sikkerhedsbulletin

DSA-136-1 openssl -- flere fjernudnyttelser

Rapporteret den:
30. jul 2002
Berørte pakker:
openssl
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 5362, BugTraq-id 5363, BugTraq-id 5366, BugTraq-id 5353, BugTraq-id 5364, BugTraq-id 5361.
I Mitres CVE-ordbog: CVE-2002-0655, CVE-2002-0656, CVE-2002-0657, CVE-2002-0659.
CERTs noter om sårbarheder, bulletiner og hændelser: CA-2002-23, CA-2002-27.
Yderligere oplysninger:

OpenSSL-udviklingsteamet har annonceret at en sikkerhedsgennemgang foretaget af A.L. Digital Ltd og The Bunker, under progammet DARPA CHATS, har afsløret buffer-overløbsbetingelser som kan fjernudnyttes i OpenSSL-koden. Desuden er der mulighed for et potentielt overbelastningsangreb ("DoS") i ASN1-fortolkeren i OpenSSL, det blev uafhængigt opdaget af Adi Stav og James Yonan.

CAN-2002-0655 refererer til overløb i buffere som anvendes til opbevaring ASCII-værdier af heltal på 64-bits platforme. CAN-2002-0656 refererer til bufferoverløb i SSL2-server-implementationen (ved at sende en ugyldig nøgle til serveren) og SSL3-klient-implemtationen (ved at sende en stor sessions-id til klienten). SSL2-problemet blev også bemærket af Neohapsis, som privat har demonstreret kode til udnyttelse af problemet. CAN-2002-0659 refererer til problemet med overbelasningsproblemet ASN1-fortolkeren.

Disse sårbarheder er blevet rettet med hensyn til Debian 3.0 (woody) i openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 og openssl_0.9.6c-2.woody.1.

Sårbarhederne er også til stede i Debian 2.2 (potato). Rettede pakker er tilgængelige som openssl094_0.9.4-6.potato.2 og openssl_0.9.6c-0.potato.4.

En orm udnytter aktivt dette problem på Internet-forbundne værtsmaskiner; vi anbefaler at du opgraderer din OpenSSL så snart som muligt. Bemærk at du skal genstarte alle dæmoner som anvender SSL. (For eksempel ssh eller apache hvor ssl anvendes.) Hvis du er usikker på, hvilke programmer der anvender SSL, kan du vælge at genstarte maskinen for at sikre dig, at alle kørende dæmoner anvender de nye biblioteker.

Rettet i:

Debian GNU/Linux 2.2 (potato)

Kildekode:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.dsc
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.diff.gz
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.3_all.deb
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.2_i386.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_m68k.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_sparc.deb

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.dsc
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.dsc
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.diff.gz
http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.dsc
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.diff.gz
http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_alpha.deb
HP Precision:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.1_i386.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_ia64.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_powerpc.deb
s390 (IBM S/390):
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.

MD5-kontrolsummer for de listede filer findes i den reviderede sikkerhedsbulletin.