OpenSSL Bad Version Oracle Side Channel Attack Vulnerability

Solution:
It is reported that certain versions of Computer Associates eTrust Security Command Center are prone to this vulnerability. Customers are advised to contact the vendor for further information pertaining to obtaining and applying appropriate updates.

SGI have released an advisory (20030501-01-I) which contains a fix to address this issue.

Hewlett-Packard have released an advisory (HPSBUX0304-0255 rev. 2) which contains fix information to address this issue.

Sorcerer Linux has released an advisory. Affected users are advised to issue the following commands to update the system:

augur synch && augur update

Gentoo has released openssl-0.9.6i-r2 which addresses this issue. Users are advised to upgrade by performing the following commands:

emerge sync
emerge openssl
emerge clean

NetBSD has made a source tree fix available, and has addressed this issue in NetBSD advisory 2003-007. See referenced advisory for additional details.

Trustix has released advisory 2003-0013 to address this issue.

Red Hat has released an advisory (RHSA-2003:101-01). Information about obtaining and applying fixes is available in the referenced advisory.

This issue is addressed in MacOS X 10.2.5. This update can be applied via the Software Update pane in System Preferences. Releases prior to 10.2.5 shipped with a vulnerable version of OpenSSL.

Debian has released a security advisory (DSA 288-1) containing fixes which address this and other issues. Further information regarding how to obtain and apply fixes can be found in the attached advisory.

F5 has released a patch which addresses this issue in their vulnerable products. A patch and further information can be obtained from the following location:

http://tech.f5.com/home/bigip/solutions/security/sol2379.html

GNU Transport Security Layer Library 0.8.5 has been made available which addresses this issue.

Ingrian Networks has reported that some products may be affected by this vulnerability. Users are advised to contact their vendor representatives or visit the http://www.ingrian.com/support/ webpage.

Mirapoint has reported that various products may be affected by this vulnerability. A patch (D3_SSL) is available which addresses this issue and can be obtained by visiting the http://support.mirapoint.com/ webpage.

HP has released SSL updates for OpenVMS systems. Please see the attached HP OpenVMS advisory (SSRT3499, SSRT3518) for details on obtaining and applying fixes. HP has also released an advisory for Tru64 UNIX systems that contains details about obtaining and applying patches. Please see advisory SSRT3499, SSRT3518 (Tru64) for further information.

SCO has released CSSA-2003-SCO.29 to address this and other issues in gwxlibs components for OpenServer. Please see CSSA-2003-SCO.29 for more details on obtaining and applying fixes.

Oracle has released an advisory and patches to address this issue. Users are advised to obtain patches from the Oracle metalink site listed in references.

Fixes available:


Sun Cobalt RaQ 4

Sun Cobalt RaQ 550

Sun Cobalt RaQ XTR

Sun Cobalt Qube 3

GNU Transport Layer Security Library 0.8.0

GNU Transport Layer Security Library 0.8.1

GNU Transport Layer Security Library 0.8.2

GNU Transport Layer Security Library 0.8.3

GNU Transport Layer Security Library 0.8.4

OpenSSL Project OpenSSL 0.9.6 d

OpenSSL Project OpenSSL 0.9.6 c

OpenSSL Project OpenSSL 0.9.6 e

OpenSSL Project OpenSSL 0.9.6 h

OpenSSL Project OpenSSL 0.9.6 a

OpenSSL Project OpenSSL 0.9.6

OpenSSL Project OpenSSL 0.9.6 b

OpenSSL Project OpenSSL 0.9.6 g

OpenSSL Project OpenSSL 0.9.6 i

OpenSSL Project OpenSSL 0.9.7 a

OpenSSL Project OpenSSL 0.9.7

Apple Mac OS X Server 10.2

Apple Mac OS X 10.2

Apple Mac OS X Server 10.2.1

Apple Mac OS X 10.2.1

Apple Mac OS X 10.2.2

Apple Mac OS X Server 10.2.2

Apple Mac OS X 10.2.3

Apple Mac OS X Server 10.2.3

Apple Mac OS X 10.2.4

Apple Mac OS X Server 10.2.4

SGI IRIX 6.5.19

Copyright 2010, SecurityFocus