[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2004.007-openssl.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 18-Mar-2004 14:21:15 Branch: HEAD Handle: 2004031813211400 Modified files: openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt Log: release OpenPKG Security Advisory 2004.007 (openssl) Summary: RevisionChanges Path 1.5 +10 -0 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt $ cvs diff -u -r1.4 -r1.5 OpenPKG-SA-2004.007-openssl.txt --- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:19:40 - 1.4 +++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:21:14 - 1.5 @@ -1,3 +1,6 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + OpenPKG Security AdvisoryThe OpenPKG Project @@ -121,3 +124,10 @@ for details on how to verify the integrity of this advisory. +-BEGIN PGP SIGNATURE- +Comment: OpenPKG <[EMAIL PROTECTED]> + +iD8DBQFAWaI6gHWT4GPEy58RAno0AJ9tgZtLU1hS1tZ2rlgTfL/DLOuSlQCfZMyY +p260tn2cKSH49rGk8H4aft0= +=ur9l +-END PGP SIGNATURE- @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
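Review bot: the clearsign header added at the top and the signature block appended after line 124 bind the exact advisory text between them, so any further edit to the body, like the ones in revisions 1.3 and 1.4, invalidates the signature. Make signing the last step before release and re-run signature verification on the committed file. The 'Hash: SHA1' line also means the signature rests on SHA-1; a stronger digest is preferable where the signing key and tooling allow it.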
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2004.007-openssl.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 18-Mar-2004 14:19:40 Branch: HEAD Handle: 2004031813194000 Modified files: openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt Log: flush pending changes Summary: RevisionChanges Path 1.4 +13 -13 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt $ cvs diff -u -r1.3 -r1.4 OpenPKG-SA-2004.007-openssl.txt --- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:18:38 - 1.3 +++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:19:40 - 1.4 
@@ -24,18 +24,18 @@ links lynx lyx mailsync mico mixmaster monit mozilla mutt mutt15 mysqlcc nagios nail neon nessus-libs nessus-tool netdude nmap openldap - openssh openssl openvpn orbit2 perl-ldap perl-net - perl-ssl perl-www pgadmin php php3 php5 pine - postfix postgresql pound proftpd qpopper qt samba - samba3 sasl scribus sendmail siege sio sitecopy - snort socat squid stunnel subversion suck tcpdump + openssh openvpn orbit2 perl-ldap perl-net perl-ssl + perl-www pgadmin php php3 php5 pine postfix + postgresql pound proftpd qpopper qt samba samba3 + sasl scribus sendmail siege sio sitecopy snort + socat squid stunnel subversion suck tcpdump tinyproxy vorbis-tools w3m wget xine-ui OpenPKG 2.0 apache cadaver cpu curl distcache ethereal - fetchmail imap imapd imaputils inn ldapdiff ldapvi - links lynx mailsync mico mozilla mutt nail neon - nessus-libs nessus-tool nmap openldap openssh - openssl perl-ldap perl-net perl-ssl perl-www php + fetchmail imap imapd imaputils inn ldapdiff + ldapvi links lynx mailsync mico mozilla mutt + nail neon nessus-libs nessus-tool nmap openldap + openssh perl-ldap perl-net perl-ssl perl-www php pine postfix postgresql proftpd qpopper qt samba sasl sendmail siege sio sitecopy snort socat squid stunnel subversion suck tcpdump tinyproxy @@ -43,10 +43,10 @@ OpenPKG 1.3 apache cpu curl ethereal fetchmail imap imapd inn links lynx mico mutt nail neon nmap openldap - openssh openssl perl-ldap perl-net perl-ssl - perl-www php postfix postgresql proftpd qpopper - samba sasl sendmail siege sio sitecopy snort socat - squid stunnel suck tcpdump vorbis-tools w3m wget + openssh perl-ldap perl-net perl-ssl perl-www php + postfix postgresql proftpd qpopper samba sasl + sendmail siege sio sitecopy snort socat squid + stunnel suck tcpdump vorbis-tools w3m wget (*) many packages are only affected if they (or their underlying packages) used certain TLS/SSL related @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
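Review bot: the log message 'flush pending changes' does not record that this revision removes 'openssl' from the dependent-package lists of OpenPKG CURRENT, 2.0 and 1.3, which is the only content change in both hunks; the remaining changed lines are re-wrapping. For an advisory, say so in the log and keep re-wrapping in a separate commit so that a dropped package name cannot hide in the reflow.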
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2004.007-openssl.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 18-Mar-2004 14:18:38 Branch: HEAD Handle: 2004031813183800 Modified files: openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt Log: flush pending changes Summary: RevisionChanges Path 1.3 +10 -10 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt $ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2004.007-openssl.txt --- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 12:39:10 - 1.2 +++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 13:18:38 - 1.3 
@@ -48,28 +48,28 @@ samba sasl sendmail siege sio sitecopy snort socat squid stunnel suck tcpdump vorbis-tools w3m wget - (*) many packages are only affected if they or their - underlying packages used certain TLS/SSL related + (*) many packages are only affected if they (or their + underlying packages) used certain TLS/SSL related options ("with_xxx") during build time. Above is a worst case list. Packages known to only use libcrypo without libssl are not affected and were already omitted from the list. Description: - According to an OpenSSL [0] security advisory [1], denial of service + According to an OpenSSL [0] security advisory [1], a denial of service vulnerabilities exist in OpenSSL versions 0.9.6c to 0.9.6l inclusive and versions 0.9.7a to 0.9.7c inclusive. Testing performed by the OpenSSL group uncovered a null-pointer assignment in the do_change_cipher_spec() function. The Common Vulnerabilities and Exposures (CVE) project assigned the id - CAN-2004-0079 [3] to the problem. + CAN-2004-0079 [2] to the problem. Stephen Henson discovered a flaw in SSL/TLS handshaking code - when using Kerberos ciphersuites. The OpenPKG makes no use of - this functionality but the patch was included anyway. The Common - Vulnerabilities and Exposures (CVE) project assigned the id - CAN-2004-0112 [2] to the problem. + when using Kerberos ciphersuites. The OpenPKG packages make no + use of this functionality but the patch was included anyway. The + Common Vulnerabilities and Exposures (CVE) project assigned the id + CAN-2004-0112 [3] to the problem. Please check whether you are affected by running "/bin/rpm -q openssl". If you have the "openssl" package installed and its version 
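Review bot: the added line 'According to an OpenSSL [0] security advisory [1], a denial of service' makes the sentence read 'a denial of service vulnerabilities exist', which pairs a singular article with a plural noun; since two CAN ids follow in the Description, drop the 'a'. The unchanged footnote line still says 'libcrypo'; correct it to 'libcrypto' while this paragraph is being touched.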
@@ -101,8 +101,8 @@ References: - [0] http://www.openssl.org/news/secadv_20040317.txt - [1] http://www.openssl.org/ + [0] http://www.openssl.org/ + [1] http://www.openssl.org/news/secadv_20040317.txt [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112 [4] http://www.openpkg.org/tutorial.html#regular-source @@ . __ The OpenPKG Projectwww.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
[CVS] OpenPKG: openpkg-web/security/ OpenPKG-SA-2004.007-openssl.txt
OpenPKG CVS Repository http://cvs.openpkg.org/ Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 18-Mar-2004 13:39:10 Branch: HEAD Handle: 2004031812391000 Modified files: openpkg-web/securityOpenPKG-SA-2004.007-openssl.txt Log: update package list; log kerberos issue; renumber links Summary: RevisionChanges Path 1.2 +58 -46 openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2004.007-openssl.txt --- openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 10:02:38 - 1.1 +++ openpkg-web/security/OpenPKG-SA-2004.007-openssl.txt 18 Mar 2004 12:39:10 - 1.2 @@ -1,6 +1,3 @@ --BEGIN PGP SIGNED MESSAGE-#FIXME, this is a template -Hash: SHA1#FIXME, this is a template - #FIXME, this is a template OpenPKG Security AdvisoryThe OpenPKG Project 
@@ -18,31 +15,45 @@ OpenPKG 2.0 <= openssl-0.9.7c-2.0.0 >= openssl-0.9.7c-2.0.1 OpenPKG 1.3 <= openssl-0.9.7b-1.3.2 >= openssl-0.9.7b-1.3.3 -Affected Releases: Dependent Packages: +Affected Releases: Dependent Packages: (*) -OpenPKG CURRENT same as OpenPKG 2.0 FIXME this list needs review - -OpenPKG 2.0 apache* bind blender cadaver cfengine cpu cups curl - distcache dsniff easysoap ethereal* exim fetchmail - imap imapd imaputils inn jabberd kde-base kde-libs - linc links lynx mailsync meta-core mico* mixmaster - monit* mozilla mutt mutt15 nail neon nessus-libs - nmap openldap openssh openvpn perl-ssl pgadmin php* - pine* postfix* postgresql pound proftpd* qpopper - rdesktop samba samba3 sasl scanssh sendmail* siege - sio* sitecopy snmp socat squid* stunnel subversion - suck sysmon tcpdump tinyca w3m wget xmlsec - -OpenPKG 1.3 apache* bind cfengine cpu curl ethereal* fetchmail - imap imapd inn links lynx mico* mutt nail neon - openldap openssh perl-ssl php* postfix* postgresql - proftpd* qpopper rdesktop samba sasl scanssh - sendmail* siege sio* sitecopy snmp socat squid* - stunnel suck sysmon tcpdump tinyca w3m wget xmlsec - - (*) marked packages are only affected if certain build - options ("with_xxx") were used at build time. See - Appendix below for details. 
+OpenPKG CURRENT apache blender cadaver cpu cups curl distcache + dsniff easysoap ethereal ettercap exim fetchmail + firefox gq imap imapd imaputils inn jabberd + kde-base kde-libs ldapdiff ldapvi libnetdude linc + links lynx lyx mailsync mico mixmaster monit + mozilla mutt mutt15 mysqlcc nagios nail neon + nessus-libs nessus-tool netdude nmap openldap + openssh openssl openvpn orbit2 perl-ldap perl-net + perl-ssl perl-www pgadmin php php3 php5 pine + postfix postgresql pound proftpd qpopper qt samba + samba3 sasl scribus sendmail siege sio sitecopy + snort socat squid stunnel subversion suck tcpdump + tinyproxy vorbis-tools w3m wget xine-ui + +OpenPKG 2.0 apache cadaver cpu curl distcache ethereal + fetchmail imap imapd imaputils inn ldapdiff ldapvi + links lynx mailsync mico mozilla mutt nail neon + nessus-libs nessus-tool nmap openldap openssh + openssl perl-ldap perl-net perl-ssl perl-www php + pine postfix postgresql proftpd qpopper qt samba + sasl sendmail siege sio sitecopy snort socat + squid stunnel subversion suck tcpdump tinyproxy + vorbis-tools w3m wget + +OpenPKG 1.3 apache cpu curl ethereal fetchmail imap imapd + inn links lynx mico mutt nail neon n
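Review bot: the new CURRENT and 2.0 lists include 'openssl' itself under Dependent Packages, although it is the package whose fixed versions are given in the context lines at the top of this hunk; remove it from the dependents. The per-package '*' markers are replaced by a single '(*)' on the heading, so readers can no longer tell which packages are affected only with certain build options, and bind, cfengine, rdesktop, scanssh, snmp, sysmon, tinyca and xmlsec are absent from the new CURRENT and 2.0 lists with no reason given in the visible part of this hunk; state the criterion for dropping them in the advisory text.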