OpenSSL ASN.1 Parsing Error Denial Of Service Vulnerability

Solution:
Users are strongly encouraged to upgrade existing versions of OpenSSL to version 0.9.6e or 0.9.7beta3.
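A quick way to confirm whether a host still runs an affected build is to compare its `openssl version` banner against the fixed releases named above. The script below is an added example for this page, not code from the OpenSSL Project or SecurityFocus. It encodes the old 0.9.x ordering (0.9.7-beta1 < 0.9.7-beta2 < 0.9.7 < 0.9.7a) and takes 0.9.6e and 0.9.7beta3 as the cut-offs; lines older than 0.9.6 are reported as unfixed to match the affected-version list, and the assumption that anything newer than 0.9.7 carries the fix is the example's own.

```python
import re
import subprocess

# Fixed releases named in the advisory's solution text.
FIXED_RELEASES = ("0.9.6e", "0.9.7-beta3")

# Matches '0.9.6d', '0.9.6 c', '0.9.7beta3', '0.9.7 beta2', '0.9.7-beta3'.
# The beta alternative is tried first so the 'b' of 'beta' is not taken
# as a patch letter.
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:[\s-]?beta(\d+)|\s?([a-z])\b)?",
    re.IGNORECASE,
)


def version_key(text):
    """Turn an OpenSSL 0.9.x version string into a sortable tuple.

    Accepts raw `openssl version` output ('OpenSSL 0.9.6d 9 May 2002') as
    well as bare strings such as '0.9.7-beta3' or '0.9.7beta3'.
    Key layout: (major, minor, patch, is_final, beta_number, letter_rank),
    which yields 0.9.7-beta1 < 0.9.7-beta2 < 0.9.7 < 0.9.7a and
    0.9.6 < 0.9.6a < ... < 0.9.6e.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, beta, letter = m.groups()
    if beta is not None:
        return (int(major), int(minor), int(patch), 0, int(beta), 0)
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), 1, 0, letter_rank)


def is_fixed(text):
    """True if the version is at or above the fixed release for its line.

    0.9.4 / 0.9.5x are always reported as not fixed (they appear in the
    affected list); anything newer than the 0.9.7 line is assumed fixed.
    """
    key = version_key(text)
    line = key[:3]
    if line < (0, 9, 6):
        return False
    if line == (0, 9, 6):
        return key >= version_key(FIXED_RELEASES[0])
    if line == (0, 9, 7):
        return key >= version_key(FIXED_RELEASES[1])
    return True  # assumption: later release lines include the fix


def check_local_openssl():
    """Run `openssl version` on this host and report whether it is fixed."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    return out.strip(), is_fixed(out)


if __name__ == "__main__":
    banner, ok = check_local_openssl()
    verdict = "fixed" if ok else "VULNERABLE: upgrade to 0.9.6e or 0.9.7beta3"
    print(f"{banner}: {verdict}")
```

Run it on each host or feed `is_fixed()` the banner strings collected by an inventory tool; the parser tolerates the date suffix that `openssl version` prints after the version.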

Secure Computing has advised that customers using the SafeWord PremierAccess version 3.1 authentication system should download and apply PremierAccess Patch 1 as soon as possible.

Patches supplied by Vincent Danen have been reported to omit the ASN.1 fix. Updated patches have been supplied by Ademar de Souza Reis Jr. <ademar@conectiva.com.br>.

OpenLDAP Project uses OpenSSL. Users are advised to rebuild OpenLDAP with updated versions of OpenSSL to address this issue. Users implementing packaged versions of OpenLDAP are advised to contact the package distributor for update information.

Oracle suggests that this issue can be mitigated by disabling SSL support.

Oracle Patch 2492925 is scheduled to address vulnerable versions of iAS. A release schedule for various platforms is available.

Oracle CorporateTime Outlook Connector 3.3.1 and Oracle Outlook Connector 3.4 are scheduled for release on August 16, 2002, and will resolve these issues.

Users of HP Secure OS Software for Linux Release 1.0 are advised to install the RPMs issued by Red Hat. HP has also made their own patch available for HP Secure OS Software for Linux.

HP has released a bulletin regarding upgrades and workarounds for additional products affected by this issue. Users of TCP/IP Services for OpenVMS V5.3 are advised not to use any keying mechanisms (including TSIG and DNSSEC), which may be done by editing the BIND configuration file TCPIP$BIND.CONF. Additional information regarding other products is available in the attached advisory (SSRT2310a). HP has also made fixes available in the form of upgrade packages. The packages, available at http://www.software.hp.com/ISS_products_list.html, are binary versions of Apache 1.3.26.05 and 2.0.39.05 respectively. Additional HP patches are available for VirtualVault and Webproxy (VVOS 11.04), which should be applied after updating Apache.

Conectiva has released a new advisory. Updated openssl packages are available that fix the ASN.1 parsing error. Further details are available in Conectiva Security Announcement CLA-2002:516. Users are urged to download and install the newer packages.

IBM has stated that OpenSSL is not included with AIX but is available via the Linux Affinity ToolKit. Fixed versions of OpenSSL are available for download at:

http://www6.software.ibm.com/dl/aixtbx/aixtbx-p

Apple has included a fix in Security Update 2002-08-20 for MacOS X 10.1.5. This fix contains an upgrade from OpenSSL 0.9.6b to 0.9.6e. Further details are available in the referenced Security Information page. Additionally, Apple has released Security Update 2002-08-23 to address Mac OS X 10.2 (Jaguar).

NetBSD has updated its advisory. In its earlier advisory, NetBSD had incorrect upgrading information for NetBSD 1.5. The advisory has been revised to include updated upgrading instructions for users of NetBSD 1.5. NetBSD 1.5 users are strongly urged to apply the new instructions when upgrading systems.

Opera has fixed this vulnerability in their browser with version 6.03.

FreeBSD has released upgrades. Users are advised to upgrade their Ports collection and reinstall the affected port.

Vendor updates are available:

IBM Linux Affinity Toolkit
OpenSSL Project OpenSSL 0.9.4
OpenSSL Project OpenSSL 0.9.5a
OpenSSL Project OpenSSL 0.9.6
OpenSSL Project OpenSSL 0.9.6a
OpenSSL Project OpenSSL 0.9.6b
OpenSSL Project OpenSSL 0.9.6c
OpenSSL Project OpenSSL 0.9.6d
OpenSSL Project OpenSSL 0.9.7 beta1
OpenSSL Project OpenSSL 0.9.7 beta2
HP Webproxy 1.0
HP Webproxy 2.0
HP OpenSSL for OpenVMS Alpha 1.0
HP Secure OS software for Linux 1.0
HP VirtualVault 4.5
HP VirtualVault 4.6
HP Tru64 UNIX Compaq Secure Web Server 5.8.1
Apple Mac OS X 10.0
Apple Mac OS X Server 10.0
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.4
Apple Mac OS X 10.1
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.5
Apple Mac OS X 10.2
Secure Computing SafeWord PremierAccess 3.1
Novell NetMail 3.10
Novell NetMail 3.10a
Novell NetMail 3.10b
Novell NetMail 3.10c
Novell NetMail 3.10d
Opera Software Opera Web Browser 6.0.1 win32
Opera Software Opera Web Browser 6.0.2 win32

Copyright 2010, SecurityFocus