Debian Security Advisory
DSA-136-1 openssl -- multiple remote exploits
- Date Reported:
- 30 Jul 2002
- Affected Packages:
- openssl
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 5362, BugTraq ID 5363, BugTraq ID 5366, BugTraq ID 5353, BugTraq ID 5364, BugTraq ID 5361.
In Mitre's CVE dictionary: CVE-2002-0655, CVE-2002-0656, CVE-2002-0657, CVE-2002-0659.
CERT's vulnerabilities, advisories and incident notes: CA-2002-23, CA-2002-27.
- More information:
The OpenSSL development team has announced that a security audit by A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has revealed remotely exploitable buffer overflow conditions in the OpenSSL code. In addition, the ASN1 parser in OpenSSL has a potential denial-of-service ("DoS") issue, independently discovered by Adi Stav and James Yonan.
CAN-2002-0655 refers to an overflow in buffers used to hold ASCII representations of integers on 64-bit platforms. CAN-2002-0656 refers to buffer overflows in the SSL2 server implementation (by sending an invalid key to the server) and the SSL3 client implementation (by sending a large session id to the client). The SSL2 issue was also noticed by Neohapsis, who have privately demonstrated proof-of-concept code for it. CAN-2002-0659 refers to the DoS issue in the ASN1 parser.
These vulnerabilities have been fixed for Debian 3.0 (woody) in openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1.
The vulnerabilities are also present in Debian 2.2 (potato). Fixed packages are available as openssl094_0.9.4-6.potato.2 and openssl_0.9.6c-0.potato.4.
A worm is actively exploiting this issue on Internet-connected hosts; we recommend that you upgrade your OpenSSL as soon as possible. Note that you must restart any daemons that use SSL (for example ssh, or apache with ssl enabled). If you are unsure which programs use SSL, you may choose to reboot the machine to ensure that all running daemons use the new libraries.
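The advisory leaves it to the administrator to work out which daemons still run the old library. As an added example (not part of the Debian advisory, and not Debian's own tooling), the script below scans /proc/<pid>/maps for processes that have libssl or libcrypto mapped, and separately lists those whose mapped library file has since been replaced on disk, which Linux marks with "(deleted)" in the maps file once dpkg has installed the new package. It assumes a Linux /proc layout; the optional directory argument is a hypothetical knob added so the scan can be pointed at a constructed proc tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory: find the daemons that must be
# restarted after the openssl packages have been upgraded. A process that still
# has the pre-upgrade library mapped shows that mapping in /proc/<pid>/maps with
# the marker "(deleted)", because dpkg replaced the file on disk.
#
# The first argument to the public functions is a hypothetical parameter: it
# names the proc root to scan and defaults to /proc, so the functions can be
# exercised against a constructed directory tree offline.

# Print "pid cmdline" for every process under $2 (default /proc) whose maps
# file matches the extended regular expression $1.
scan_maps() {
    pattern="$1"
    proc_root="${2:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Unreadable maps (other users' processes, kernel threads) are skipped.
        [ -r "$maps" ] || continue
        grep -q -E "$pattern" "$maps" 2>/dev/null || continue
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        # cmdline is NUL-separated; turn it into one space-separated string.
        cmd="$(tr '\000' ' ' < "$pid_dir/cmdline" 2>/dev/null | sed 's/ *$//')"
        echo "$pid ${cmd:-?}"
    done
}

# Every process with an OpenSSL shared object mapped: candidates for restart.
find_ssl_users() {
    scan_maps 'lib(ssl|crypto)[^ ]*\.so' "$1"
}

# Only processes whose mapped OpenSSL object was replaced on disk, i.e. those
# still executing the vulnerable code after the package upgrade.
stale_ssl_users() {
    scan_maps 'lib(ssl|crypto)[^ ]*\.so.*\(deleted\)' "$1"
}

# Usage on a live system (run as root so all maps files are readable):
#   sh find-ssl-users.sh            -> lists stale processes on stderr-free stdout
if [ "${0##*/}" = "find-ssl-users.sh" ]; then
    stale_ssl_users
fi
```

Run `find_ssl_users` before the upgrade to see what is affected, and `stale_ssl_users` afterwards: an empty result means every daemon has been restarted onto the new libraries, and a reboot, as the advisory suggests, is not needed.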
- Fixed in:
Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.dsc
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.2_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_sparc.deb
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.dsc
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.dsc
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_alpha.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_ia64.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_powerpc.deb
- s390 (IBM S/390):
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.