BugTraq
UnixWare 7.1.3 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities Jan 21 2005 01:44AM
please_reply_to_security sco com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities
Advisory number: SCOSA-2005.7
Issue date: 2005 January 20
Cross reference: sr890283 fz529411 erg712602 CAN-2004-0079 CAN-2004-0081 CAN-2004-0112
______________________________________________________________________________

1. Problem Description

OpenSSL implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols and includes a
general purpose cryptographic library. SSL and TLS are
commonly used to provide authentication, encryption,
integrity, and non-repudiation services to network
applications including HTTP, IMAP, POP3, SMTP, and LDAP.

The U.K. National Infrastructure Security Co-ordination
Centre (NISCC) and the OpenSSL Project have reported several
vulnerabilities in the OpenSSL SSL/TLS library (libssl).
Any application or system that uses this library may be
affected.

CERT Vulnerability Note VU#288574
OpenSSL contains null-pointer assignment in do_change_cipher_spec() function

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0079 to this issue.

CERT Vulnerability Note VU#465542
OpenSSL does not properly handle unknown message types

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0081 to this issue.

CERT Vulnerability Note VU#484726
OpenSSL does not adequately validate length of Kerberos ticket
during SSL/TLS handshake.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0112 to this issue.

2. Vulnerable Supported Versions

System                Binaries
----------------------------------------------------------------------
UnixWare 7.1.4        Not vulnerable
UnixWare 7.1.3        Distribution
UnixWare 7.1.1        Distribution

3. Solution

The proper solution is to install the latest packages.

4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7

4.2 Verification

MD5 (openssl.pkg) = d2ba4c1dee05dad681b39bfea4d4d7f9
MD5 (openssld.pkg) = 6a737b8d0265e8194f55f39518380bae

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl.pkg to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/openssl.pkg

5. UnixWare 7.1.1

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7

The fixes are also available in SCO UnixWare Release 7.1.1
Maintenance Pack 5 or later. See
ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt

5.2 Verification

MD5 (openssl.pkg) = d2ba4c1dee05dad681b39bfea4d4d7f9
MD5 (openssld.pkg) = 6a737b8d0265e8194f55f39518380bae

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssld.pkg to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/openssld.pkg
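The steps in sections 4.2/4.3 and 5.2/5.3 are: download the package,
compare its MD5 against the value printed in the advisory, then run
pkgadd. The script below is an added example, not part of the SCO
advisory, that ties the two steps together so that pkgadd is only
called when the digest matches. It assumes the package is already in
/var/spool/pkg and that either GNU md5sum or a BSD/SCO-style md5
command is on PATH; the function names (file_md5, verify_md5,
install_pkg) are the example's own.

```shell
#!/bin/sh
# Added example (not from the SCO advisory): verify a downloaded package
# against the published MD5 before handing it to pkgadd.

# Print the MD5 digest of the file named in $1.
# GNU md5sum prints "<hash>  <file>"; SCO's md5 (and BSD md5) print
# "MD5 (<file>) = <hash>", so take the first or the last field accordingly.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'
    else
        echo "file_md5: no md5sum or md5 command found" >&2
        return 2
    fi
}

# Return 0 if the digest of file $1 equals the expected digest $2
# (compared case-insensitively), 1 on mismatch or unreadable file,
# 2 if no digest tool is available.
verify_md5() {
    actual=$(file_md5 "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_md5: $1: expected $expected, got ${actual:-<none>}" >&2
    return 1
}

# Verify, then install with pkgadd as in the advisory's step.
# Refuses to call pkgadd when the digest does not match.
install_pkg() {
    pkg=$1
    expected=$2
    verify_md5 "$pkg" "$expected" || return $?
    pkgadd -d "$pkg"
}

# Usage (values taken from section 4.2 of the advisory):
#   sh verify_and_install.sh /var/spool/pkg/openssl.pkg d2ba4c1dee05dad681b39bfea4d4d7f9
if [ $# -eq 2 ]; then
    install_pkg "$1" "$2"
fi
```

Comparing digests case-insensitively matters because md5sum emits
lowercase hex while some md5 implementations emit uppercase; a naive
string compare would reject a good package.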

6. References

Specific references for this advisory:
http://www.us-cert.gov/cas/techalerts/TA04-078A.html
http://www.kb.cert.org/vuls/id/288574
http://www.kb.cert.org/vuls/id/484726
http://www.kb.cert.org/vuls/id/465542
http://www.openssl.org/news/secadv_20040317.txt
http://www.uniras.gov.uk/vuls/2004/224012/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr890283 fz529411
erg712602.

7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

8. Acknowledgments

SCO would like to thank The U.K. National Infrastructure
Security Co-ordination Centre (NISCC) and the OpenSSL team.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (SCO/UNIX_SVR5)

iD8DBQFB8E4YaqoBO7ipriERAiQxAKChI85vzJI+OSVxR3MCd+pwjISclACbBbNu
o5meMgN1rcRaBZ7jb7K6sXA=
=11K1
-----END PGP SIGNATURE-----
