
Security update for OpenSSL


(Last modified: 12AUG2002)



Applies to

Product(s):
  • SuSE Linux Database Server
  • SuSE Linux Admin-CD for Firewall
  • SuSE Linux Enterprise Server 7 for IBM zSeries
  • SuSE eMail Server III
  • SuSE Linux Enterprise Server 7 for PowerPC
  • SuSE Linux Enterprise Server 7 for IA32
  • SuSE Linux Enterprise Server 7 for IA64
  • SuSE Linux Enterprise Server 7 for S/390 and zSeries
  • SuSE eMail Server 3.1
  • SuSE Linux Office Server
  • SuSE Firewall Adminhost VPN
  • SuSE Linux Connectivity Server

Package: openssl
Release: 20020812
Obsoletes: none

Indications

This package should be installed when using OpenSSL.

Problem description

Several buffer overflows have been discovered in the OpenSSL library affecting the SSL implementation, as well as a signedness issue in the ASN.1 decoding routines.
SuSE Security has released a fix for this vulnerability on Tuesday, July 30. This is a re-release of this patch to correct a minor glitch in the official patch from the openssl team. Here follows the unchanged description of the errors corrected at the end of July 2002:
In the SSL library, various blobs of data passed from the client to the server or vice versa were being copied to local buffers without checking their size. At least one overflow in the SSLv2 server code can be exploited by an attacker to gain access to the account under which the SSL enabled service is running. The other overflows happen in the SSL client code.
The impact of this bug depends on the service using SSL. When attacking the Apache HTTP server with mod_ssl enabled, the perpetrator could gain access to the account "wwwrun". Attacking other services, such as the OpenLDAP slapd server, could even give the attacker access to the system's root account.
The impact of the signedness bug in the ASN.1 decoding routines has not yet been fully assessed. Denial of service type attacks are definitely possible, but it is unclear at this time whether these problems could also be exploited to gain access to a system. If that were the case, "offline" applications that handle e.g. X.509 certificates through OpenSSL could be affected as well.
As a workaround for web servers, you can do one of the following:
  • uninstall mod_ssl, if you don't need it
  • temporarily disable SSLv2, by editing /etc/httpd/httpd.conf and adding the following line to the mod_ssl configuration group: SSLProtocols all -SSLv2
However, this is only a temporary solution, as it prevents web browsers that implement only SSLv2 from contacting your site.
Since the SSL client implementation is affected as well, and due to the potential impact of the ASN.1 signedness issues, we recommend that users who do not run SSL enabled services upgrade openssl as well.
Acknowledgements: SuSE Linux AG wishes to thank the OpenSSL team for giving advance notice and providing fixes for these issues.

Solution

Please install the updates provided at the location noted below.

Installation notes

This update is provided as an RPM package that can easily be installed onto a running system by using this command:
rpm -Fvh openssl*.rpm
After upgrading the package, you should restart all services using the library, either by rebooting the entire machine or by restarting services and applications individually. When doing the latter, you can use the following command to find out which processes use the libraries:
fuser -v /usr/lib/libssl.so.0.9.* /usr/lib/libcrypto.so.0.9.*
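One way to carry out this post-upgrade check, as an added example that is not part of the advisory: the script below walks /proc/<pid>/maps for libssl/libcrypto mappings whose backing file has been replaced (the kernel shows them as "(deleted)"), which fuser on the new files would not report. The sample /proc tree, the PIDs and the library version in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the SuSE advisory). After "rpm -Fvh" replaces
# libssl/libcrypto on disk, a daemon that was not restarted keeps the OLD
# library mapped; the kernel shows that mapping as "(deleted)" in
# /proc/<pid>/maps, and fuser on the new files does not list it.
list_stale_ssl_users() {
    proc_root=${1:-/proc}   # alternative root only for testing on a fake tree
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        # Old libssl/libcrypto mapping whose file was removed: still running
        # the pre-upgrade code, so this service needs a restart.
        if grep -E 'lib(ssl|crypto)\.so.*\(deleted\)' "$maps" >/dev/null 2>&1; then
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$proc_root/$pid/status" 2>/dev/null)
            printf '%s %s\n' "$pid" "${name:-?}"
        fi
    done
}

# Constructed sample /proc tree (not real system data): PID 4242 (httpd) still
# maps the deleted old libssl, PID 4243 (slapd) was restarted and maps the new
# file, PID 4244 (bash) does not use OpenSSL at all.
make_sample_proc() {
    root=$1
    mkdir -p "$root/4242" "$root/4243" "$root/4244"
    printf 'Name:\thttpd\n' > "$root/4242/status"
    printf '40000000-40100000 r-xp 00000000 03:01 1234 /usr/lib/libssl.so.0.9.6 (deleted)\n' > "$root/4242/maps"
    printf 'Name:\tslapd\n' > "$root/4243/status"
    printf '40000000-40100000 r-xp 00000000 03:01 5678 /usr/lib/libssl.so.0.9.6\n' > "$root/4243/maps"
    printf 'Name:\tbash\n' > "$root/4244/status"
    printf '40000000-40100000 r-xp 00000000 03:01 9999 /lib/libc.so.6\n' > "$root/4244/maps"
}

sample=$(mktemp -d)
make_sample_proc "$sample"
list_stale_ssl_users "$sample"   # prints: 4242 httpd
```

Run it as root against the real /proc (no argument) to get the list of processes that must still be restarted after the upgrade.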


Download Source Packages

Download the source code of the patches for maintained products.


Disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.

Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

© Copyright Micro Focus or one of its affiliates