MDKSA-2003:098
- Package name
- openssl
- Date
- 2003-09-30
- Advisory ID
- MDKSA-2003:098
- Affected versions
- 9.2 amd64 , 9.1 i586 , CS2.1 x86_64 , CS2.1 i586 , 9.2 i586 , 9.0 i586 , 8.2 i586 , MNF8.2 i586 , 9.1 i586
Problem description
Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing of unusual ASN.1 tag values can cause OpenSSL to crash, which could be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. Depending upon the application targetted, the effects seen will vary; in some cases a DoS (Denial of Service) could be performed, in others nothing noticeable or adverse may happen. These two vulnerabilities have been assigned CAN-2003-0543 and CAN-2003-0544. Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1 encodings that are rejected as invalid by the parser can trigger a bug in deallocation of a structure, leading to a double free. This can be triggered by a remote attacker by sending a carefully-crafted SSL client certificate to an application. This vulnerability may be exploitable to execute arbitrary code. This vulnerability has been assigned CAN-2003-0545. The packages provided have been built with patches provided by the OpenSSL group that resolve these issues. A number of server applications such as OpenSSH and Apache that make use of OpenSSL need to be restarted after the update has been applied to ensure that they are protected from these issues. Users are encouraged to restart all of these services or reboot their systems.
Updated packages
9.2 amd64
ca0c41a9170a10c229f684be684868f7 amd64/9.2/RPMS/lib64openssl0.9.7-0.9.7b-5.1.92mdk.amd64.rpm 8af5795542a822e90fc77639fa5495da amd64/9.2/RPMS/lib64openssl0.9.7-devel-0.9.7b-5.1.92mdk.amd64.rpm 5b62e9e306b30bab44a03129c0b70583 amd64/9.2/RPMS/lib64openssl0.9.7-static-devel-0.9.7b-5.1.92mdk.amd64.rpm c180a3b579ad35030e6a89fbf5b85bcb amd64/9.2/RPMS/openssl-0.9.7b-5.1.92mdk.amd64.rpm 456833256d010d5df32490ce8b122a37 amd64/9.2/SRPMS/openssl-0.9.7b-5.1.92mdk.src.rpm
9.1 i586
42365cfe8a9214a747bd1fa6329baec8 9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm a3a5046af719b864a337ce432e694a8b 9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm 2e879f9d5349458c5653e97f20cf2218 9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm cf9bc9fc1cce8841d3cdb1d9fcd8b313 9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm b475cc257c14dbaccd9007afa14096f5 9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm 329bd3dd8cdfad6d445b4fbcc953dc91 9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm 9498e31ab37a4455f31827ce51afb221 9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm
CS2.1 x86_64
eab60b3828aeec0e2717890e51a90e76 x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm 19d8a676a11293d8e6acb429bed63a99 x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm 5eb3936b8fade73ca1c334d67edad3ae x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm 9df6c6e820719ac33744e1708621bdf3 x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm 6982c0adf01f00ea5d49deb24011c278 x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
CS2.1 i586
ec80ef980212f5bf294f147e5bc19f76 corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm 1de4f2038f479b1b779d5b2c9320e8fb corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm 4946dc25021ef97eb6513f3dd1dd16f6 corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm 3d5e3a05ead47fafa59240be9efc87d2 corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm 6982c0adf01f00ea5d49deb24011c278 corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
9.2 i586
db717c9a2e8f98905290d341e799c7b2 9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm 76ba7c153a75c5dcfeae9f9f16f001e4 9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm 7655e50f898e4e4d368cd8e47d38806d 9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm 3f846e75cfdbdd9e818376474e1e54c0 9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm 738181704cb49e34d982a5b4224cc66c 9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm
9.0 i586
ec80ef980212f5bf294f147e5bc19f76 9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm 1de4f2038f479b1b779d5b2c9320e8fb 9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm 4946dc25021ef97eb6513f3dd1dd16f6 9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm 3d5e3a05ead47fafa59240be9efc87d2 9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm 6982c0adf01f00ea5d49deb24011c278 9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm
8.2 i586
e8d13a3adbd679a0c1cd15dd28eb02f1 8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm 4b783a98f4cc48be8a6b680a92f374ce 8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm 0481e5edacc8985d7255266fd136ceba 8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm 93a47ac82a618905c7d4a6e0d276c586 8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm 15b7ba1d342ae3531964e60a186874d8 8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
MNF8.2 i586
e8d13a3adbd679a0c1cd15dd28eb02f1 mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm 93a47ac82a618905c7d4a6e0d276c586 mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm 15b7ba1d342ae3531964e60a186874d8 mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
9.1 i586
915f8ab4ea91e0d876c9204b1f3699b0 ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm fafb4ac4c88c321d3c8fb7fdba54bac4 ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm 184be4bdf922fbc28b590a71b7cf8c10 ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm 09e1bd3c05323d10d8002a44dbbc85dd ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm cfbcacc68e2585a5fcbbeb8c9fc3b0d7 ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm 329bd3dd8cdfad6d445b4fbcc953dc91 ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm 9498e31ab37a4455f31827ce51afb221 ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm
References
- http://www.openssl.org/news/secadv_20030930.txt
- http://www.cert.org/advisories/935264
- http://www.cert.org/advisories/380864
- http://www.cert.org/advisories/255484
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
- http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
- http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm