Security update for OpenSSL

Knowledgebase

(Last modified: 30JUL2002)

solutions Security update for OpenSSL SuSE Linux Maintenance Web (31918591dd49a77edb55b8c0171e862e)

Applies to

Product(s): SuSE Linux Database Server
SuSE Linux Admin-CD for Firewall
SuSE Linux Enterprise Server 7 for IBM zSeries
SuSE eMail Server III
SuSE Linux Enterprise Server 7 for PowerPC

SuSE Linux Enterprise Server 7 for IA32
SuSE Linux Enterprise Server 7 for IA64
SuSE Linux Enterprise Server 7 for S/390 and zSeries
SuSE eMail Server 3.1
SuSE Linux Office Server
SuSE Firewall Adminhost VPN
SuSE Linux Connectivity Server

Package: modssl
Release: 20020730
Obsoletes: none

Indications

This patch should be installed if you are using OpenSSL.

Problem description

Several buffer overflows have been discovered in the OpenSSL library affecting the SSL implementation, as well as a signedness issue in the ASN.1 decoding routines.
In the SSL library, various blobs of data passed from the client to the server or vice versa were being copied to local buffers without checking their size. At least one overflow in the SSLv2 server code can be exploited by an attacker to gain access to the account under which the SSL enabled service is running. The other overflows happen in the SSL client code.
The impact of this bug depends on the service using SSL. When attacking the Apache HTTP server with mod_ssl enabled, the perpetrator could gain access to the account "wwwrun". Attacking other services, such as the OpenLDAP slapd server, could even give the attacker access to the system's root account.
The impact of the signedness bug in the ASN.1 has not yet been fully assessed. Denial of service type attacks are definitely possible, but it is unclear at the time whether these problems could also be exploited to gain entrance to a system. If that was the case, "offline" applications that handle e.g. X.509 certificates through OpenSSL could be affected as well.
As a workaround for web servers, you can do one of the following:

uninstall mod_ssl, if you don't need it
temporarily disable SSLv2, by editing /etc/httpd/httpd.conf and adding the following line to the mod_ssl configuration group: SSLProtocols all -SSLv2

However, this is only a temporary solution as it prevents web browsers implementing SSLv2 only from contacting your site.
Since the SSL client implementation is affected as well, and due to the potential impact of the ASN.1 signedness issues, we recommend that users who do not run SSL enabled services upgrade openssl as well.

Solution

Please install the updates provided at the location noted below.

Installation notes

To upgrade the package, download the update RPM and execute the following command as root:


rpm -Fvh openssl*.rpm

After upgrading the package, you should restart all services using the library, either by rebooting the entire machine or by restarting services and applications individually. When doing the latter, you can use the following command to find out which processes use the libraries:


fuser -v /usr/lib/libssl.so.0.9.* /usr/lib/libcrypto.so.0.9.*

links to download packages

Download Source Packages

Download the source code of the patches for maintained products.

Disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.