Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » EnGarde Secure Linux Security Advisory: openssl vulnerabilities

EnGarde Secure Linux Security Advisory: openssl vulnerabilities

by platon on May 3rd, 2001 "There are four potential vulnerabilities
in the version of openssl which shipped
with EnGarde Secure Linux version 1.0.1."






Date: Wed, 2 May 2001 09:38:12 -0400 (EDT)

From: EnGarde Secure Linux
Subject: [ESA-20010426-01] openssl vulnerabilities


----------------------------------------------------------------

EnGarde Secure Linux Security Advisory May 02, 2001
"http://www.engardelinux.org/"> http://www.engardelinux.org ESA-20010426-01

Package:openssl


Summary: There are four potential vulnerabilities in openssl.

----------------------------------------------------------------



EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, complete e-commerce using AllCommerce, and integrated open source security tools.





OVERVIEW




----------------------------------------------------------------

There are four potential vulnerabilities in the version of openssl which shipped with EnGarde Secure Linux version 1.0.1.




DETAIL




----------------------------------------------------------------

There were four security fixes introduced into openssl 0.9.6a. However, this release also broke binary compatibility with older versions of openssl. Thanks to Nalin Dahyabhai, these changes have been backported into openssl 0.9.6. This alleviates having to release updated packages for all of the programs that depend on openssl, such as openssh.
The security-related changes are (from the 0.9.6a announcement):

Security fix: change behavior of OpenSSL to avoid using environment variables when running as root.
Security fix: check the result of RSA-CRT to reduce the possibility of deducing the private key from an incorrectly calculated signature.
Security fix: prevent Bleichenbacher's DSA attack.
Security fix: Zero the premaster secret after deriving the master secret in DH ciphersuites.




SOLUTION



----------------------------------------------------------------
All users running 'openssl' should upgrade to the most recent version, as outlined in this advisory. All updates can be found at:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates

http://ftp.engardelinux.org/pub/engarde/stable/updates



To install the updated package, execute the command:


rpm -Uvh

To verify the signature of the updated packages, execute the command:

rpm -Kv




UPDATED PACKAGES



----------------------------------------------------------------

Source Packages:



SRPMS/openssl-0.9.6-1.0.13.src.rpm


MD5 Sum: 6e8134b6635a77bc6a9101438b50427a





i386 Binary Packages:


i386/openssl-0.9.6-1.0.13.i386.rpm

MD5 Sum: 2a0f944722c27fd34d8549dae25b611d


i386/openssl-misc-0.9.6-1.0.13.i386.rpm

MD5 Sum: 59cb6c0fed182b2b5eb3789b2fffdae7






i686 Binary Packages:

i686/openssl-0.9.6-1.0.13.i686.rpm

MD5 Sum: 7bdedd1a057f547cc59a56b35801c277


i686/openssl-misc-0.9.6-1.0.13.i686.rpm

MD5 Sum: 82aa05b124b35809f27d48f81418e3e0





REFERENCES



----------------------------------------------------------------

Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY




OpenSSL's official web site:

http://www.openssl.org


OpenSSL 0.9.6a announcement:

http://marc.theaimsgroup.com/?|=opensslannounce&m
=9865525540417&w=2




----------------------------------------------------------------






Credit for this vulnerability goes to Ryan W. Maple.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »