Security update for OpenSSL
(Last modified: 30JUL2002)
SuSE Linux Admin-CD for Firewall
SuSE Linux Enterprise Server 7 for IBM zSeries
SuSE eMail Server III
SuSE Linux Enterprise Server 7 for PowerPC
SuSE Linux Enterprise Server 7 for IA32
SuSE Linux Enterprise Server 7 for IA64
SuSE Linux Enterprise Server 7 for S/390 and zSeries
SuSE eMail Server 3.1
SuSE Linux Office Server
SuSE Firewall Adminhost VPN
SuSE Linux Connectivity Server
Package: modssl
Release: 20020730
Obsoletes: none
In the SSL library, various blobs of data passed from the client to the server or vice versa were being copied to local buffers without checking their size. At least one overflow in the SSLv2 server code can be exploited by an attacker to gain access to the account under which the SSL enabled service is running. The other overflows happen in the SSL client code.
The impact of this bug depends on the service using SSL. When attacking the Apache HTTP server with mod_ssl enabled, the perpetrator could gain access to the account "wwwrun". Attacking other services, such as the OpenLDAP slapd server, could even give the attacker access to the system's root account.
The impact of the signedness bug in the ASN.1 code has not yet been fully assessed. Denial of service attacks are definitely possible, but it is unclear at this time whether these problems could also be exploited to gain entry to a system. If that were the case, "offline" applications that handle e.g. X.509 certificates through OpenSSL could be affected as well.
As a workaround for web servers, you can do one of the following:
- uninstall mod_ssl, if you don't need it
- temporarily disable SSLv2, by editing /etc/httpd/httpd.conf and adding the following line to the mod_ssl configuration group:
SSLProtocols all -SSLv2
Since the SSL client implementation is affected as well, and due to the potential impact of the ASN.1 signedness issues, we recommend that users who do not run SSL enabled services upgrade openssl as well. To install the updated packages, run:
rpm -Fvh openssl*.rpm
After upgrading the package, you should restart all services using the library, either by rebooting the entire machine or by restarting services and applications individually. When doing the latter, you can use the following command to find out which processes use the libraries:
fuser -v /usr/lib/libssl.so.0.9.* /usr/lib/libcrypto.so.0.9.*
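As an added check for the restart step (this script is not part of the advisory), the following reads /proc/PID/maps directly instead of matching the library files on disk. This matters because after the rpm upgrade the old libssl/libcrypto files are unlinked, so a daemon still holding the old copy shows a "(deleted)" mapping that a check against the new files can miss. It assumes the Linux maps layout "addr perms offset dev inode path [(deleted)]"; the file name ssl_library_users.sh and the PROCROOT argument are assumptions for this example.

```shell
#!/bin/sh
# Added check, not part of the SUSE advisory: list every process that still
# has libssl or libcrypto mapped, by reading /proc/PID/maps.
# After "rpm -Fvh openssl*.rpm" the old library files are unlinked, so a
# process that still holds the OLD copy shows the mapping as "(deleted)";
# such a process is reported here as "stale" and needs a restart.
# Assumption: Linux maps layout "addr perms offset dev inode path [(deleted)]".

# Usage: ssl_library_users [PROCROOT]
# Prints one line per process and library: "<pid> current|stale <path>".
# PROCROOT defaults to /proc; another root is only for testing with a
# constructed tree.
ssl_library_users() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # no match, or another user's process
        pid="${maps%/maps}"; pid="${pid##*/}"
        awk -v pid="$pid" '
            $6 ~ /lib(ssl|crypto)\.so/ {
                status = ($7 == "(deleted)") ? "stale" : "current"
                key = status " " $6
                # a library appears once per segment (text, data, ...): report it once
                if (!(key in seen)) { seen[key] = 1; print pid, status, $6 }
            }' "$maps" 2>/dev/null
    done
}

# Usage: ssl_restart_pending [PROCROOT]
# Succeeds (exit 0) while at least one process still maps a replaced library,
# i.e. the restart step of the advisory is not finished yet.
ssl_restart_pending() {
    ssl_library_users "$1" | awk '$2 == "stale" { n++ } END { exit n ? 0 : 1 }'
}

# Stand-alone run (hypothetical file name): show the table, then the verdict.
case "$0" in
    *ssl_library_users.sh)
        ssl_library_users
        if ssl_restart_pending; then
            echo "restart still needed for the processes marked stale"
        else
            echo "no process holds a replaced libssl/libcrypto"
        fi ;;
esac
```

Run it as root once after the upgrade; any "stale" line names a process that has to be restarted before the fix is effective for it.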
Disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.