SecurityFocus BUGTRAQ Mailing List Archive
To: BugTraq
Subject: Immunix Secured OS 7+ OpenSSL update
Date: Sep 30 2003 3:58PM
Author: Immunix Security Team <security@immunix.com>
Message-ID: <20030930155822.GC7993@wirex.com>


-----------------------------------------------------------------------
        Immunix Secured OS Security Advisory

Packages updated:       openssl
Affected products:      Immunix OS 7+
Bugs fixed:             CAN-2003-0543 CAN-2003-0544
Date:                   Mon Sep 29 2003
Advisory ID:            IMNX-2003-7+-022-01
Author:                 Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  The UK National Infrastructure Security Co-ordination Centre (NISCC)
  has commissioned an audit of OpenSSL, similar to the audit performed
  on SNMP by Oulu Security Programming Group. Stephen Henson, of the
  OpenSSL core team, has analysed the results and produced a patch to
  address the problems found.

  NISCC's description of the problem: "An unusual ASN.1 tag value can
  cause an out of bounds read under certain circumstances resulting in a
  Denial of Service condition. [...] For example, if one of the parties
  involved in a TLS/SSL connection sends an ASN.1 element that cannot
  be handled properly, the behaviour of the receiving application may be
  unpredictable. It has been found that a vulnerability can arise where
  one of the parties generates an exceptional ASN.1 element as part of
  a client certificate. A Denial of Service may arise in the receiving
  application, or there may be an opportunity for further exploitation."

  Immunix, Inc., would like to thank Stephen Henson for the patches and
  NISCC for preparing the SSL test suite.

  References: http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  
  A source package for Immunix 7+ is available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm

Immunix OS 7+ md5sums:
  f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
  8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
  1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
  d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm


GPG verification:
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.
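As an added example, not part of the advisory, the following POSIX shell script puts the md5sums and the GPG key information above to use: it checks a download directory against the published sums and then has rpm verify the package signature. The download directory path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded Immunix 7+
# packages against the md5sums published in the advisory, then have rpm
# verify the GPG signature. Assumes the RPMs were saved below one
# directory in RPMS/ and SRPMS/ subdirectories, as the advisory lists them.
set -u

# Sums exactly as published in the advisory for Immunix OS 7+.
ADVISORY_SUMS='f3184ccb1a3298a43b899b5b20ea55d1 RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
8d092873585664a9d76083e47d9a695f RPMS/openssl-devel-0.9.6g-1_imnx_3.i386.rpm
1e01801d4b964beed7ddce666ef58a65 RPMS/openssl-perl-0.9.6g-1_imnx_3.i386.rpm
d432232a745ee43a413122f988bc7fa6 SRPMS/openssl-0.9.6g-1_imnx_3.src.rpm'

# verify_sums DIR SUMS: returns 0 only if every listed file exists under DIR
# and its MD5 matches; a missing file, a mismatch or a malformed line fails.
# The advisory separates hash and path with one space; md5sum -c expects two,
# so the list is normalised first.
verify_sums() {
    dir=$1
    sums=$2
    [ -d "$dir" ] || return 1
    printf '%s\n' "$sums" \
        | sed 's/^\([0-9a-f]\{32\}\) \(.*\)$/\1  \2/' \
        | ( cd "$dir" && md5sum -c --quiet --strict - ) >/dev/null 2>&1
}

# check_rpm_signature FILE: ask rpm to verify the package's GPG signature.
# The Immunix 7+ signing key (C53B2B53 per the advisory) must be imported
# into the rpm keyring first, e.g. with: rpm --import GPG_KEY
check_rpm_signature() {
    rpm --checksig "$1"
}

# Example run against a real download directory (assumed path, not executed):
#   verify_sums /var/tmp/immunix "$ADVISORY_SUMS" && \
#       check_rpm_signature /var/tmp/immunix/RPMS/openssl-0.9.6g-1_imnx_3.i386.rpm
```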


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol:
  http://www.wiretrip.net/rfp/policy.html


                  [ attachment: (application/pgp-signature) ]
Archived at: <http://www.securityfocus.com/archive/1/339658>