Alerta de Segurança Debian
DSA-136-1 openssl -- múltiplos exploits remotos
- Data do Alerta:
- 30 Jul 2002
- Pacotes Afetados:
- openssl
- Vulnerável:
- Sim
- Referência à base de dados de segurança:
- Na base de dados do BugTraq (na SecurityFocus): ID BugTraq 5362, ID BugTraq 5363, ID BugTraq 5366, ID BugTraq 5353, ID BugTraq 5364, ID BugTraq 5361.
No dicionário CVE do Mitre: CVE-2002-0655, CVE-2002-0656, CVE-2002-0657, CVE-2002-0659.
Alertas, notas de incidentes e vulnerabilidades do CERT: CA-2002-23, CA-2002-27. - Informações adicionais:
-
A equipe de desenvolvimento do OpenSSL anunciou que uma auditoria de segurança feita pela A.L. Digital Ltd e The Bunker, no programa DARPA CHATS, revelou condições de estouro de buffer remotamente, que podem ser exploradas, no código do OpenSSL. Adicionalmente, o analisador ASN1 no OpenSSL tem um ataque DoS potencial descoberto independentemente por Adi Stav e James Yonan.
O CAN-2002-0655 referencia estouros nos buffers usados para armazenar representações ASCII de inteiros em plataformas 64 bit. O CAN-2002-0656 referencia estouros de buffer na implementação do servidor SSL2 (enviando uma chave inválida para o servidor) na implementação do cliente SSL3 (enviando um id de seção grande para o cliente). O problema do SSL2 também foi anunciado por Neohapsis, que demonstrou o código do exploit privadamente. O CAN-2002-0659 referencia a questão do DoS no analisador ASN1.
Essas vulnerabilidades foram corrigidas no Debian 3.0 (woody) nos pacotes openssl094_0.9.4-6.woody.2, openssl095_0.9.5a-6.woody.1 and openssl_0.9.6c-2.woody.1.
Essas vulnerabilidades também estão presentes no Debian 2.2 (potato), mas nenhuma correção está disponível no momento.
Essas vulnerabilidades também estão presentes no Debian 2.2 (potato). Pacotes consertados estão disponíveis no openssl094_0.9.4-6.potato.2 e openssl_0.9.6c-0.potato.4.
Um worm está ativamente explorando essa falha em máquinas conectadas na na internet; nós recomendamos que você atualize o seu OpenSSL assim que possível. Note que você deve reiniciar qualquer daemon rodando o SSL. (Ex., ssh ou apache com ssl habilitado.)
Se você não tem certeza dos programas que usam SSL você deve reiniciar todo o sistema para assegurar que todos os daemons estão rodando com as bibliotecas novas.
- Corrigido em:
-
Debian GNU/Linux 2.2 (potato)
- Fonte:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.dsc
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.potato.2.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4.diff.gz
- Componente independente de arquitetura:
- http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.potato.2_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.4_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.4_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.4_sparc.deb
Debian GNU/Linux 3.0 (woody)
- Fonte:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.dsc
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4-6.woody.2.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl094/openssl094_0.9.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.dsc
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a-6.woody.1.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl095/openssl095_0.9.5a.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_alpha.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl094/libssl09_0.9.4-6.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl095/libssl095a_0.9.5a-6.woody.1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_ia64.deb
- Motorola 680x0
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_powerpc.deb
- s390 (IBM S/390):
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.0_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.0_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.0_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.1_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.1_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.1_sparc.deb
Checksums MD5 dos arquivos listados estão disponíveis no alerta original.
Checksums MD5 dos arquivos listados estão disponíveis no alerta revisado.
Checksums MD5 dos arquivos listados estão disponíveis no alerta revisado.