OpenSSL ASCII Representation Of Integers Buffer Overflow Vulnerability

Solution:
Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
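An added check, not part of the advisory, that classifies the output of `openssl version` against the fixed releases named above (0.9.6e and 0.9.7 beta3) so an administrator can test each host or each statically linked product before rebuilding; treating final 0.9.7 and later branches as fixed is an assumption, and the date fields in the sample strings are constructed:

```shell
#!/bin/sh
# openssl_status VERSION_STRING
# Classify an "openssl version" string against the fix levels in this advisory.
# Prints vulnerable / fixed / unknown; exit status 1 = vulnerable, 2 = unknown.
# Typical use: openssl_status "$(openssl version)" || echo "rebuild needed"
openssl_status() {
    # Second field of e.g. "OpenSSL 0.9.6d 9 May 2002" or "OpenSSL 0.9.7-beta2 ..."
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        0.9.7-beta[0-9]*|0.9.7beta[0-9]*)
            # beta1 and beta2 are affected, beta3 carries the fix
            n=${ver##*beta}
            n=${n%%[!0-9]*}
            if [ "${n:-0}" -ge 3 ]; then status=fixed; else status=vulnerable; fi ;;
        0.9.7*)
            # Assumption: final 0.9.7 releases postdate beta3 and include the fix
            status=fixed ;;
        0.9.6[e-z]*)
            status=fixed ;;
        0.9.6|0.9.6[a-d]*)
            status=vulnerable ;;
        0.9.[0-5]*)
            # 0.9.4 and 0.9.5a are listed as affected and have no fixed sibling
            status=vulnerable ;;
        0.9.[89]*|[1-9].*)
            # Assumption: branches newer than 0.9.7 are not affected
            status=fixed ;;
        *)
            status=unknown ;;
    esac
    echo "$status"
    case "$status" in fixed) return 0 ;; vulnerable) return 1 ;; *) return 2 ;; esac
}
```

Products that bundle their own copy of OpenSSL (OpenLDAP, BIND, Apache builds) report the system library only if dynamically linked, so the string should come from the binary actually in use.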

OpenLDAP is reported to use a vulnerable version of OpenSSL. Users are advised to rebuild OpenLDAP with a fixed version of OpenSSL.

Users of HP Secure OS Software for Linux Release 1.0 are advised to install the available Red Hat fixes. HP has also made its own patch available for HP Secure OS Software for Linux.

HP has released a bulletin regarding upgrades and workarounds for additional products affected by this issue. Users of TCP/IP Services for OpenVMS V5.3 are advised not to use any keying mechanisms (including tsig and dnssec), which may be done by editing the BIND configuration file TCPIP$BIND.CONF. Additional information regarding other products is available in the attached advisory (SSRT2310a). HP has also made fixes available in the form of upgrade packages. The packages, available at http://www.software.hp.com/ISS_products_list.html, are binary versions of Apache 1.3.26.05 and 2.0.39.05. Additional HP patches are available for VirtualVault and Webproxy (VVOS 11.04), which should be applied after updating Apache.

Oracle suggests that this issue can be mitigated by disabling SSL support.

Oracle Patch 2492925 is scheduled to address vulnerable versions of iAS. A release schedule for various platforms is available.

Oracle CorporateTime Outlook Connector 3.3.1 and Oracle Outlook Connector 3.4 are scheduled for release on August 16, 2002, and will resolve these issues.

Conectiva has released a new advisory. Updated openssl packages are available that fix the ASN.1 parsing error. Further details are available in Conectiva Security Announcement CLA-2002:516. Users are urged to download and install the newer packages.

IBM has stated that OpenSSL is not included with AIX but is available via the Linux Affinity ToolKit. Fixed versions of OpenSSL are available for download at:

http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

Apple has included a fix in Security Update 2002-08-20 for Mac OS X 10.1.5. This fix contains an upgrade from OpenSSL 0.9.6b to 0.9.6e. Further details are available in the referenced Security Information page. Additionally, Apple has released Security Update 2002-08-23 to address Mac OS X 10.2 (Jaguar).

NetBSD has updated its advisory. In its earlier advisory, NetBSD had incorrect upgrading information for NetBSD 1.5. The advisory has been revised to include updated upgrading instructions for users of NetBSD 1.5. NetBSD 1.5 users are strongly urged to follow the new instructions when upgrading systems.

Sun has stated that the Crypto Accelerator 1000 board is vulnerable to this issue. A patch (112869-02) is available for download.

Sun has a new patch available for download. The patch, 113355-01, is for the Crypto Accelerator 1000 1.1 board on Solaris 8 or 9.

Gentoo users may upgrade their systems with the following commands:

emerge --clean rsync
emerge openssl
emerge clean

Juniper Networks has reported that JUNOS Internet software on M- and T-series routers may be prone to this issue. The software running on SDX and SSC products may also be prone to this issue. Users should contact the vendor for further details on affected versions and to obtain any available fixes.

ISC has announced that BIND 9.1.x ships with vulnerable code. Users are advised to upgrade to BIND 9.2.x or relink BIND 9.1.x with a version of OpenSSL that is not vulnerable. BIND 9.2.x is only affected if linked against a vulnerable version of OpenSSL. BIND 9.2 does not link against OpenSSL by default.

Secure Computing has reported that SafeWord PremierAccess 3.1 is prone to this issue. Patch 1 (3.1.0.01) has been released to address this issue. Users should contact the vendor for details on obtaining and applying this patch.

Vendor updates are available for the following affected products:

IBM Linux Affinity Toolkit
Sun Crypto Accelerator 1000
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.5a
OpenSSL Project OpenSSL 0.9.6d
OpenSSL Project OpenSSL 0.9.6c
OpenSSL Project OpenSSL 0.9.6a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6b
OpenSSL Project OpenSSL 0.9.7 beta2
OpenSSL Project OpenSSL 0.9.7 beta1
HP Webproxy 1.0
HP OpenSSL for OpenVMS Alpha 1.0
HP Secure OS Software for Linux 1.0
Apple Mac OS X 10.0
Apple Mac OS X Server 10.0
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.4
Apple Mac OS X 10.1
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.5
Apple Mac OS X 10.2
HP Webproxy 2.0
Novell NetMail 3.10c
Novell NetMail 3.10a
Novell NetMail 3.10
Novell NetMail 3.10b
Novell NetMail 3.10d
HP VirtualVault 4.5
HP VirtualVault 4.6
HP Tru64 UNIX Compaq Secure Web Server 5.8.1

Copyright 2010, SecurityFocus