
Fedora Legacy Update Advisory

Synopsis: Updated openssl packages fix security issues
Advisory ID: FLSA:166939
Issue date: 2005-12-17
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-0079 CVE-2005-0109 CVE-2005-2969
---------------------------------------------------------------------
1. Topic:

Updated OpenSSL packages that fix security issues are now available.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

OpenSSL contained a software work-around for a bug in SSL handling in
Microsoft Internet Explorer version 3.0.2. This work-around is enabled
in most servers that use OpenSSL to provide support for SSL and TLS.
Yutaka Oiwa discovered that this work-around could allow an attacker,
acting as a "man in the middle", to force an SSL connection to use SSL
2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-2969 to this issue.

A bug was fixed in the way OpenSSL creates DSA signatures. A previous
advisory fixed a cache timing attack by making OpenSSL do private key
calculations with a fixed time window. The DSA part of that fix was not
complete, and the calculations were not always performed within a
fixed window. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-0109 to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the do_change_cipher_spec()
function. A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way
as to cause OpenSSL to crash. Depending on the server this could lead to
a denial of service. (CVE-2004-0079)

Users are advised to update to these erratum packages which contain
patches to correct these issues.

Note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum, issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
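
Once the update is installed, the restart advice in the note at the end of section 3 can be checked rather than assumed: a process started before the update keeps the replaced library mapped, and the kernel marks that mapping "(deleted)". The shell functions below are an added example, not part of the original advisory; the function names and the sample /proc tree (PIDs, process names, library paths) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not part of the advisory): find processes that were started
# before the update and therefore still run the old OpenSSL code.

# Print "pid<TAB>name<TAB>library" for each process under $1 (default /proc)
# that maps a libssl/libcrypto file which has since been replaced on disk.
stale_openssl_procs() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # other users' processes need root
        pid=${maps%/maps}
        pid=${pid##*/}
        name=$(awk '$1 == "Name:" { print $2; exit }' \
            "$proc_root/$pid/status" 2>/dev/null) || name='?'
        # After rpm replaces a library, the old mapping is tagged "(deleted)".
        awk '$NF == "(deleted)" && $(NF-1) ~ "/lib(ssl|crypto)[.]so[^/]*$" {
                 print $(NF-1) }' "$maps" 2>/dev/null | sort -u |
        while read -r lib; do
            printf '%s\t%s\t%s\n' "$pid" "${name:-?}" "$lib"
        done
    done
}

# Constructed sample /proc tree (hypothetical PIDs and process names) so the
# scan can be exercised offline: stale_openssl_procs "$(make_sample_proc)".
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/202" "$root/303"
    printf 'Name:\thttpd\n' > "$root/101/status"      # not restarted
    printf '%s\n' \
        '00a10000-00a3f000 r-xp 00000000 03:02 4101 /lib/libssl.so.0.9.7a (deleted)' \
        '00a3f000-00a42000 rw-p 0002f000 03:02 4101 /lib/libssl.so.0.9.7a (deleted)' \
        '00b00000-00be0000 r-xp 00000000 03:02 4102 /lib/libcrypto.so.0.9.7a (deleted)' \
        > "$root/101/maps"
    printf 'Name:\tsshd\n' > "$root/202/status"       # restarted after update
    printf '%s\n' \
        '00b00000-00be0000 r-xp 00000000 03:02 5102 /lib/libcrypto.so.0.9.7a' \
        > "$root/202/maps"
    printf 'Name:\tcrond\n' > "$root/303/status"      # unrelated deleted file
    printf '%s\n' \
        '40000000-40001000 rw-s 00000000 03:02 6001 /tmp/spool.lock (deleted)' \
        > "$root/303/maps"
    echo "$root"
}
```

Run stale_openssl_procs as root on the updated host; an empty result means no running process still maps the replaced libraries.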

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166939

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl096-0.9.6-25.11.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/openssl-0.9.6b-39.10.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl095a-0.9.5a-24.7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl096-0.9.6-25.11.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-0.9.6b-39.10.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-devel-0.9.6b-39.10.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/openssl-perl-0.9.6b-39.10.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096-0.9.6-25.12.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl096b-0.9.6b-15.3.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/openssl-0.9.7a-20.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096-0.9.6-25.12.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl096b-0.9.6b-15.3.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-0.9.7a-20.6.legacy.i686.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-devel-0.9.7a-20.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/openssl-perl-0.9.7a-20.6.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096-0.9.6-26.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl096b-0.9.6b-18.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/openssl-0.9.7a-33.13.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096-0.9.6-26.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl096b-0.9.6b-18.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-0.9.7a-33.13.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-devel-0.9.7a-33.13.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/openssl-perl-0.9.7a-33.13.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl096b-0.9.6b-20.3.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/openssl-0.9.7a-35.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl096b-0.9.6b-20.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-0.9.7a-35.2.legacy.i686.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-devel-0.9.7a-35.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/openssl-perl-0.9.7a-35.2.legacy.i386.rpm


7. Verification:


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org