OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Mar-2004 13:39:10
Branch: HEAD Handle: 2004031812391000
Modified files:
openpkg-web/security OpenPKG-SA-2004.007-openssl.txt
Log:
update package list; log kerberos issue; renumber links
Summary:
Revision Changes Path
1.2 +58 -46 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.007-openssl.txt
--- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 10:02:38
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 12:39:10
-0000 1.2
@@ -1,6 +1,3 @@
------BEGIN PGP SIGNED MESSAGE----- #FIXME, this is a template
-Hash: SHA1 #FIXME, this is a template
- #FIXME, this is a template
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
@@ -18,31 +15,45 @@
OpenPKG 2.0 <= openssl-0.9.7c-2.0.0 >= openssl-0.9.7c-2.0.1
OpenPKG 1.3 <= openssl-0.9.7b-1.3.2 >= openssl-0.9.7b-1.3.3
-Affected Releases: Dependent Packages:
+Affected Releases: Dependent Packages: (*)
-OpenPKG CURRENT same as OpenPKG 2.0 FIXME this list needs review
-
-OpenPKG 2.0 apache* bind blender cadaver cfengine cpu cups curl
- distcache dsniff easysoap ethereal* exim fetchmail
- imap imapd imaputils inn jabberd kde-base kde-libs
- linc links lynx mailsync meta-core mico* mixmaster
- monit* mozilla mutt mutt15 nail neon nessus-libs
- nmap openldap openssh openvpn perl-ssl pgadmin php*
- pine* postfix* postgresql pound proftpd* qpopper
- rdesktop samba samba3 sasl scanssh sendmail* siege
- sio* sitecopy snmp socat squid* stunnel subversion
- suck sysmon tcpdump tinyca w3m wget xmlsec
-
-OpenPKG 1.3 apache* bind cfengine cpu curl ethereal* fetchmail
- imap imapd inn links lynx mico* mutt nail neon
- openldap openssh perl-ssl php* postfix* postgresql
- proftpd* qpopper rdesktop samba sasl scanssh
- sendmail* siege sio* sitecopy snmp socat squid*
- stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
-
- (*) marked packages are only affected if certain build
- options ("with_xxx") were used at build time. See
- Appendix below for details.
+OpenPKG CURRENT apache blender cadaver cpu cups curl distcache
+ dsniff easysoap ethereal ettercap exim fetchmail
+ firefox gq imap imapd imaputils inn jabberd
+ kde-base kde-libs ldapdiff ldapvi libnetdude linc
+ links lynx lyx mailsync mico mixmaster monit
+ mozilla mutt mutt15 mysqlcc nagios nail neon
+ nessus-libs nessus-tool netdude nmap openldap
+ openssh openssl openvpn orbit2 perl-ldap perl-net
+ perl-ssl perl-www pgadmin php php3 php5 pine
+ postfix postgresql pound proftpd qpopper qt samba
+ samba3 sasl scribus sendmail siege sio sitecopy
+ snort socat squid stunnel subversion suck tcpdump
+ tinyproxy vorbis-tools w3m wget xine-ui
+
+OpenPKG 2.0 apache cadaver cpu curl distcache ethereal
+ fetchmail imap imapd imaputils inn ldapdiff ldapvi
+ links lynx mailsync mico mozilla mutt nail neon
+ nessus-libs nessus-tool nmap openldap openssh
+ openssl perl-ldap perl-net perl-ssl perl-www php
+ pine postfix postgresql proftpd qpopper qt samba
+ sasl sendmail siege sio sitecopy snort socat
+ squid stunnel subversion suck tcpdump tinyproxy
+ vorbis-tools w3m wget
+
+OpenPKG 1.3 apache cpu curl ethereal fetchmail imap imapd
+ inn links lynx mico mutt nail neon nmap openldap
+ openssh openssl perl-ldap perl-net perl-ssl
+ perl-www php postfix postgresql proftpd qpopper
+ samba sasl sendmail siege sio sitecopy snort socat
+ squid stunnel suck tcpdump vorbis-tools w3m wget
+
+ (*) many packages are only affected if they or their
+ underlying packages used certain TLS/SSL related
+ options ("with_xxx") during build time. Above is
+ a worst case list. Packages known to only use
+ libcrypo without libssl are not affected and were
+ already omitted from the list.
Description:
According to an OpenSSL [0] security advisory [1], denial of service
@@ -52,25 +63,26 @@
Testing performed by the OpenSSL group uncovered a null-pointer
assignment in the do_change_cipher_spec() function. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
- CAN-2004-0079 [X] to the problem.
+ CAN-2004-0079 [3] to the problem.
- FIXME review if this affect OpenPKG
- Stephen Henson discovered a flaw in SSL/TLS handshaking code when
- using Kerberos ciphersuites. The Common Vulnerabilities and Exposures
- (CVE) project assigned the id CAN-2004-0112 [2] to the problem.
+ Stephen Henson discovered a flaw in SSL/TLS handshaking code
+ when using Kerberos ciphersuites. The OpenPKG makes no use of
+ this functionality but the patch was included anyway. The Common
+ Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2004-0112 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q
openssl". If you have the "openssl" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and it's dependent packages (see above), if any, too.
- [3][4]
+ [4][5]
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
- location, verify its integrity [9], build a corresponding binary RPM
- from it [3] and update your OpenPKG installation by applying the
- binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
+ [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
+ location, verify its integrity [10], build a corresponding binary RPM
+ from it [4] and update your OpenPKG installation by applying the
+ binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
@@ -85,21 +97,21 @@
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm
Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too. [3][4]
+ all dependent packages (see above), if any, too. [4][5]
________________________________________________________________________
References:
[0] http://www.openssl.org/news/secadv_20040317.txt
[1] http://www.openssl.org/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
- [X] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
- [3] http://www.openpkg.org/tutorial.html#regular-source
- [4] http://www.openpkg.org/tutorial.html#regular-binary
- [5] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
- [6] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
- [7] ftp://ftp.openpkg.org/release/1.3/UPD/
- [8] ftp://ftp.openpkg.org/release/2.0/UPD/
- [9] http://www.openpkg.org/security.html#signature
+ [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
+ [4] http://www.openpkg.org/tutorial.html#regular-source
+ [5] http://www.openpkg.org/tutorial.html#regular-binary
+ [6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
+ [7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
+ [8] ftp://ftp.openpkg.org/release/1.3/UPD/
+ [9] ftp://ftp.openpkg.org/release/2.0/UPD/
+ [10] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
