OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   18-Mar-2004 13:39:10
  Branch: HEAD                             Handle: 2004031812391000

  Modified files:
    openpkg-web/security    OpenPKG-SA-2004.007-openssl.txt

  Log:
    update package list; log kerberos issue; renumber links

  Summary:
    Revision    Changes     Path
    1.2         +58 -46     openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.007-openssl.txt
  --- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt      18 Mar 2004 10:02:38 
-0000      1.1
  +++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt      18 Mar 2004 12:39:10 
-0000      1.2
  @@ -1,6 +1,3 @@
  ------BEGIN PGP SIGNED MESSAGE-----            #FIXME, this is a template
  -Hash: SHA1                                    #FIXME, this is a template
  -                                              #FIXME, this is a template
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
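Review bot: dropping the "-----BEGIN PGP SIGNED MESSAGE-----" / "Hash: SHA1" template lines (all three marked "#FIXME, this is a template") is the right fix for the working copy, since a clearsign header without a real signature block would mislead readers; but the closing paragraph of the advisory still states "this advisory was digitally signed", so make sure the published copy is actually run through the clearsign step rather than shipped from CVS as-is.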
  @@ -18,31 +15,45 @@
   OpenPKG 2.0          <= openssl-0.9.7c-2.0.0     >= openssl-0.9.7c-2.0.1
   OpenPKG 1.3          <= openssl-0.9.7b-1.3.2     >= openssl-0.9.7b-1.3.3
   
  -Affected Releases:   Dependent Packages:
  +Affected Releases:   Dependent Packages: (*)
   
  -OpenPKG CURRENT      same as OpenPKG 2.0 FIXME this list needs review
  -
  -OpenPKG 2.0          apache* bind blender cadaver cfengine cpu cups curl
  -                     distcache dsniff easysoap ethereal* exim fetchmail
  -                     imap imapd imaputils inn jabberd kde-base kde-libs
  -                     linc links lynx mailsync meta-core mico* mixmaster
  -                     monit* mozilla mutt mutt15 nail neon nessus-libs
  -                     nmap openldap openssh openvpn perl-ssl pgadmin php*
  -                     pine* postfix* postgresql pound proftpd* qpopper
  -                     rdesktop samba samba3 sasl scanssh sendmail* siege
  -                     sio* sitecopy snmp socat squid* stunnel subversion
  -                     suck sysmon tcpdump tinyca w3m wget xmlsec
  -
  -OpenPKG 1.3          apache* bind cfengine cpu curl ethereal* fetchmail
  -                     imap imapd inn links lynx mico* mutt nail neon
  -                     openldap openssh perl-ssl php* postfix* postgresql
  -                     proftpd* qpopper rdesktop samba sasl scanssh
  -                     sendmail* siege sio* sitecopy snmp socat squid*
  -                     stunnel suck sysmon tcpdump tinyca w3m wget xmlsec
  -
  -                 (*) marked packages are only affected if certain build
  -                     options ("with_xxx") were used at build time. See
  -                     Appendix below for details.
  +OpenPKG CURRENT      apache blender cadaver cpu cups curl distcache
  +                     dsniff easysoap ethereal ettercap exim fetchmail
  +                     firefox gq imap imapd imaputils inn jabberd
  +                     kde-base kde-libs ldapdiff ldapvi libnetdude linc
  +                     links lynx lyx mailsync mico mixmaster monit
  +                     mozilla mutt mutt15 mysqlcc nagios nail neon
  +                     nessus-libs nessus-tool netdude nmap openldap
  +                     openssh openssl openvpn orbit2 perl-ldap perl-net
  +                     perl-ssl perl-www pgadmin php php3 php5 pine
  +                     postfix postgresql pound proftpd qpopper qt samba
  +                     samba3 sasl scribus sendmail siege sio sitecopy
  +                     snort socat squid stunnel subversion suck tcpdump
  +                     tinyproxy vorbis-tools w3m wget xine-ui
  +
  +OpenPKG 2.0          apache cadaver cpu curl distcache ethereal
  +                     fetchmail imap imapd imaputils inn ldapdiff ldapvi
  +                     links lynx mailsync mico mozilla mutt nail neon
  +                     nessus-libs nessus-tool nmap openldap openssh
  +                     openssl perl-ldap perl-net perl-ssl perl-www php
  +                     pine postfix postgresql proftpd qpopper qt samba
  +                     sasl sendmail siege sio sitecopy snort socat
  +                     squid stunnel subversion suck tcpdump tinyproxy
  +                     vorbis-tools w3m wget
  +
  +OpenPKG 1.3          apache cpu curl ethereal fetchmail imap imapd
  +                     inn links lynx mico mutt nail neon nmap openldap
  +                     openssh openssl perl-ldap perl-net perl-ssl
  +                     perl-www php postfix postgresql proftpd qpopper
  +                     samba sasl sendmail siege sio sitecopy snort socat
  +                     squid stunnel suck tcpdump vorbis-tools w3m wget
  +
  +                 (*) many packages are only affected if they or their
  +                     underlying packages used certain TLS/SSL related
  +                     options ("with_xxx") during build time. Above is
  +                     a worst case list. Packages known to only use
  +                     libcrypo without libssl are not affected and were
  +                     already omitted from the list.
   
   Description:
     According to an OpenSSL [0] security advisory [1], denial of service
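Review bot: typo in the new footnote, "libcrypo" should read "libcrypto" ("Packages known to only use libcrypto without libssl are not affected"). Two further points on the list itself: "openssl" now appears in its own "Dependent Packages" column for all three releases, which is confusing since it is the package being fixed, not a dependent; and because the per-package "*" markers were removed while the column header gained "(*)", the footnote now applies to the whole list, which the "worst case list" wording covers but should be stated as such in the header too, e.g. "Dependent Packages (*, worst case):".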
  @@ -52,25 +63,26 @@
     Testing performed by the OpenSSL group uncovered a null-pointer
     assignment in the do_change_cipher_spec() function. The Common
     Vulnerabilities and Exposures (CVE) project assigned the id
  -  CAN-2004-0079 [X] to the problem.
  +  CAN-2004-0079 [3] to the problem.
   
  -  FIXME review if this affect OpenPKG
  -  Stephen Henson discovered a flaw in SSL/TLS handshaking code when
  -  using Kerberos ciphersuites. The Common Vulnerabilities and Exposures
  -  (CVE) project assigned the id CAN-2004-0112 [2] to the problem.
  +  Stephen Henson discovered a flaw in SSL/TLS handshaking code
  +  when using Kerberos ciphersuites. The OpenPKG makes no use of
  +  this functionality but the patch was included anyway. The Common
  +  Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2004-0112 [2] to the problem.
   
     Please check whether you are affected by running "<prefix>/bin/rpm -q
     openssl". If you have the "openssl" package installed and its version
     is affected (see above), we recommend that you immediately upgrade it
     (see Solution) and it's dependent packages (see above), if any, too.
  -  [3][4]
  +  [4][5]
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
  -  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  -  location, verify its integrity [9], build a corresponding binary RPM
  -  from it [3] and update your OpenPKG installation by applying the
  -  binary RPM [4]. For the most recent release OpenPKG 2.0, perform the
  +  [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
  +  location, verify its integrity [10], build a corresponding binary RPM
  +  from it [4] and update your OpenPKG installation by applying the
  +  binary RPM [5]. For the most recent release OpenPKG 2.0, perform the
     following operations to permanently fix the security problem (for
     other releases adjust accordingly).
   
  @@ -85,21 +97,21 @@
     # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/openssl-0.9.7c-2.0.1.*.rpm
   
     Additionally, we recommend that you rebuild and reinstall
  -  all dependent packages (see above), if any, too. [3][4]
  +  all dependent packages (see above), if any, too. [4][5]
   ________________________________________________________________________
   
   References:
     [0] http://www.openssl.org/news/secadv_20040317.txt
     [1] http://www.openssl.org/
     [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
  -  [X] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
  -  [3] http://www.openpkg.org/tutorial.html#regular-source
  -  [4] http://www.openpkg.org/tutorial.html#regular-binary
  -  [5] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
  -  [6] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
  -  [7] ftp://ftp.openpkg.org/release/1.3/UPD/
  -  [8] ftp://ftp.openpkg.org/release/2.0/UPD/
  -  [9] http://www.openpkg.org/security.html#signature
  +  [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
  +  [4] http://www.openpkg.org/tutorial.html#regular-source
  +  [5] http://www.openpkg.org/tutorial.html#regular-binary
  +  [6] ftp://ftp.openpkg.org/release/1.3/UPD/openssl-0.9.7b-1.3.3.src.rpm
  +  [7] ftp://ftp.openpkg.org/release/2.0/UPD/openssl-0.9.7c-2.0.1.src.rpm
  +  [8] ftp://ftp.openpkg.org/release/1.3/UPD/
  +  [9] ftp://ftp.openpkg.org/release/2.0/UPD/
  +  [10] http://www.openpkg.org/security.html#signature
   ________________________________________________________________________
   
   For security reasons, this advisory was digitally signed with the
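Review bot: besides the [2]/[3] ordering issue noted in the Description hunk, the first two entries are also inverted relative to how the text cites them: the Description says "an OpenSSL [0] security advisory [1]", yet [0] is the secadv_20040317.txt advisory and [1] is the openssl.org home page; either swap these two URLs or swap the citation numbers in the text. The renumbering of [4] through [10] is consistent with the Solution paragraph (source RPMs [6][7], FTP directories [8][9], signature check [10], tutorial links [4][5]).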
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
