• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Multiple Vendor Invalid X.509 Certificate Chain Vulnerability

Solution:
For sensitive applications, the certificate chain may be manually inspected whenever a SSL connection is initiated. The presence of an intermediate certificate authority may indicate that an attack is being attempted.

An updated version of the TinySSL library is available. It may be retrieved through anonymous CVS as part of the XWT project:

http://www.xwt.org/download.html

It has been reported that Windows 2000 SP3 resolves this issue for IIS 5.0. This has not been confirmed. It is, however, recommended that administrators install all security fixes as a general practice.

Microsoft has released patches from some products. Patches for other Microsoft products are reported by the vendor to be forthcoming. This issue has been addressed in Microsoft Internet Explorer Macintosh Edition version 5.2.2, which may be downloaded from Microsoft or obtained using Software Update.

Microsoft has released new patches for users who installed Internet Explorer 6 on Windows 2000 systems with Service Pack 4 already installed.

Conectiva has released an advisory, and a set of updated RPMs for KDE packages. Administrators are advised to update all packages to KDE 3.0.3. A comprehensive list of packages affected is available in the referenced Conectiva advisory.

This issue is resolved in KDE and Konqueror 3.0.3. A patch has also been provided for users of KDE and Konqueror 2.2.2.

RedHat has released an advisory, RHSA-2002:220-40, that contains many fixes. Information about obtaining and applying fixes are available in the referenced advisory.

BEA Systems has released advisory BEA03-31.00 and made fixes available to address this issue. Users of affected 6.1 versions should upgrade to Service Pack 5. Users of affected 7.0 and 7.0.0.1 versions should upgrade to Service Pack 2.

The following fixes are available:


Microsoft Windows NT Terminal Server 4.0 SP6

• Microsoft Q328145
  http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q3 28145/default.asp

Microsoft Windows XP Professional

• Microsoft Q328145
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=42562

Microsoft Windows NT Workstation 4.0 SP6a

• Microsoft Q328145
  http://www.microsoft.com/ntserver/nts/downloads/critical/q328145/defau lt.asp

Microsoft Windows 2000 Advanced Server SP4

• Microsoft Security Update for Microsoft Windows 2000: KB329115
  For user who installed Internet Explorer 6 after installing Windows 2000 SP4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=065DCA01-1F6F -4F88-AE9E-6F4636D43D9F&displaylang=en

KDE Konqueror 2.2.2

• KDE post-2.2.2-kdelibs-kssl.diff
  ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdelibs-kssl.dif f

KDE KDE 2.2.2

• Debian kdelibs3-bin_2.2.2-13.woody.2_alpha.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_alpha.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_arm.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_arm.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_hppa.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_hppa.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_i386.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_i386.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_ia64.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_ia64.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_m68k.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_m68k.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_mips.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_mips.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_mipsel.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_mipsel.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_powerpc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_powerpc.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_s390.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_s390.deb


• Debian kdelibs3-bin_2.2.2-13.woody.2_sparc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2. 2.2-13.woody.2_sparc.deb


• Debian kdelibs3_2.2.2-13.woody.2_alpha.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_alpha.deb


• Debian kdelibs3_2.2.2-13.woody.2_arm.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_arm.deb


• Debian kdelibs3_2.2.2-13.woody.2_hppa.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_hppa.deb


• Debian kdelibs3_2.2.2-13.woody.2_i386.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_i386.deb


• Debian kdelibs3_2.2.2-13.woody.2_ia64.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_ia64.deb


• Debian kdelibs3_2.2.2-13.woody.2_m68k.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_m68k.deb


• Debian kdelibs3_2.2.2-13.woody.2_mips.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_mips.deb


• Debian kdelibs3_2.2.2-13.woody.2_mipsel.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_mipsel.deb


• Debian kdelibs3_2.2.2-13.woody.2_powerpc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_powerpc.deb


• Debian kdelibs3_2.2.2-13.woody.2_s390.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_s390.deb


• Debian kdelibs3_2.2.2-13.woody.2_sparc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2- 13.woody.2_sparc.deb


• Debian libarts_2.2.2-13.woody.2_alpha.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_alpha.deb


• Debian libarts_2.2.2-13.woody.2_arm.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_arm.deb


• Debian libarts_2.2.2-13.woody.2_hppa.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_hppa.deb


• Debian libarts_2.2.2-13.woody.2_i386.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_i386.deb


• Debian libarts_2.2.2-13.woody.2_ia64.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_ia64.deb


• Debian libarts_2.2.2-13.woody.2_m68k.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_m68k.deb


• Debian libarts_2.2.2-13.woody.2_mips.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_mips.deb


• Debian libarts_2.2.2-13.woody.2_mipsel.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_mipsel.deb


• Debian libarts_2.2.2-13.woody.2_powerpc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_powerpc.deb


• Debian libarts_2.2.2-13.woody.2_s390.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_s390.deb


• Debian libarts_2.2.2-13.woody.2_sparc.deb
  http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-1 3.woody.2_sparc.deb


• KDE post-2.2.2-kdelibs-kssl.diff
  ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdelibs-kssl.dif f


• Mandrake arts-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake arts-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-devel-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-devel-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-sound-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake kdelibs-sound-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake libarts2-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake libarts2-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake libarts2-devel-2.2.2-48.1mdk.i586.rpm
  Mandrake Linux 8.2.
  http://www.mandrakesecure.net/en/ftp.php


• Mandrake libarts2-devel-2.2.2-48.1mdk.ppc.rpm
  Mandrake Linux 8.2/ppc.
  http://www.mandrakesecure.net/en/ftp.php

BEA Systems WebLogic Enterprise 5.0.1

• BEA Systems Rolling Patch 59
  http://www.bea.com

BEA Systems WebLogic Express 5.1 SP 8

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 5

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Enterprise 5.1

• BEA Systems Rolling Patch 145
  http://www.bea.com

BEA Systems WebLogic Express for Win32 5.1 SP 2

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 7

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 11

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 12

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express for Win32 5.1 SP 7

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 12

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express for Win32 5.1 SP 12

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 4

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 10

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 2

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 3

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express for Win32 5.1 SP 4

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 13

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express for Win32 5.1 SP 6

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 2

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 11

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 1

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 9

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 5

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Server for Win32 5.1 SP 10

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 6

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems WebLogic Express 5.1 SP 3

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Weblogic Server 5.1 SP 3

• BEA Systems CR090101_src510p.zip
  Requires Service Pack 13
  ftp://ftpna.beasys.com/pub/releases/security/CR090101_src510p.zip

BEA Systems Tuxedo 8.0

• BEA Systems Rolling Patch 166
  http://www.bea.com