Debians sikkerhedsbulletin
DSA-288-1 openssl -- flere sårbarheder
- Rapporteret den:
- 17. apr 2003
- Berørte pakker:
- openssl
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 7101, BugTraq-id 7148.
I Mitres CVE-ordbog: CVE-2003-0147, CVE-2003-0131.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#888801. - Yderligere oplysninger:
-
Man har fundet to fejl i OpenSSL, et Secure Socket Layer (SSL)-bibliotek og relaterede værktøjer til krypografi. Programmer som er lænket mod dette bibliotek, er generelt sårbare overfor angreb, hvilket kan føre til en lækage af en servers private nøgle eller ellers gøre det muligt at dekryptere den krypterede session. Projektet Common Vulnerabilities and Exposures (CVE) har fundet fremt til følgende sårbarheder:
- CAN-2003-0147
- OpenSSL anvender ikke "RSA blinding" som standard, hvilket gør det muligt for lokale og fjerne angribere at få fat i serverens private nøgle.
- CAN-2003-0131
- SSL giver fjernangribere mulighed for at udføre en uautoriseret RSA-privat nøgle-operation, der får OpenSSL til at lække oplysninger om forholdet mellem ciphertext og tilhørende plaintext.
I den stabile distribution (woody) er disse problemer rettet i version 0.9.6c-2.woody.3.
I den gamle stabile distribution (potato) er disse problemer rettt i version 0.9.6c-0.potato.6.
I den ustabile distribution (sid) er disse problemer rettet i version version 0.9.7b-1 af openssl og version 0.9.6j-1 af openssl096.
Vi anbefaler at du omgående opgraderer dine openssl-pakker og genstarter programmer, som anvender OpenSSL.
Desværre er "RSA blinding" ikke thread-safe og vil få programmer, der anvender tråde (threads) og OpenSSL, såsom stunnel, til at gå ned. Men da den foreslåede rettelse vil ændre den binære grænseflade (ABI), vil programmer der er lænket dynamisk mod OpenSSL, ikke køre mere. Dette er et dilemma vi ikke kan løse.
Du er nødt til at beslutte hvorvidt du ønsker sikkerhedsopdateringen, som ikke er "thread-safe" og genoversætte alle programmer, der lader til ikke at fungere efter opgraderingen, eller hente de ekstra kildekodepakker nævnt i slutningen af dette bulletin, genoversætte dem og anvende et "thread-safe" OpenSSL-bibliotek igen, men også genoversætte alle programmer der anvender det (såsom apache-ssl, mod_ssl, ssh osv.).
Da kun meget få pakker anvender tråde og er lænket mod OpenSSL-biblioteket, vil de fleste brugere dog uden problemer kunne anvende pakkerne fra denne opdatering.
- Rettet i:
-
Debian GNU/Linux 2.2 (potato)
- Kildekode:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.6_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_i386.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_m68k.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_powerpc.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.6_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.6_sparc.deb
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3.dsc
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_alpha.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_arm.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_i386.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_ia64.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_hppa.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_m68k.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_mips.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_mipsel.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_powerpc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_s390.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.3_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.3_sparc.deb
- http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.3_sparc.deb
Debian GNU/Linux 2.2 (potato)
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.dsc
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.patch
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-0.potato.7.diff.gz
Debian GNU/Linux 3.0 (woody)
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.dsc
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.diff.gz
- http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.patch
- http://master.debian.org/~joey/NMU/openssl_0.9.6c-2.woody.4.diff.gz
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.