Yellow Dog Linux Security Announcement
--------------------------------------

Package: openssl
Issue Date: August 10, 2002
Priority: high
Advisory ID: YDU-20020810-1

1. Topic:

Updated openssl packages are available.

2. Problem:

"Updated OpenSSL packages are available for [Yellow Dog Linux 2.2 and 2.3]. These updates fix multiple protocol parsing bugs which may be used in a denial of service (DoS) attack or cause SSL-enabled applications to crash.

OpenSSL is a commercial-grade, full-featured, and open source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Portions of the SSL protocol data stream, which include the lengths of structures which are being transferred, may not be properly validated. This may allow a malicious server or client to cause an affected application to crash or enter an infinite loop, which can be used as a denial of service (DoS) attack if the application is a server. It has not been verified if this issue could lead to further consequences such as remote code execution.

These errata packages contain a patch to correct this vulnerability. Please note that the original patch from the OpenSSL team had a mistake in it which could possibly still allow buffer overflows to occur. This bug is also fixed in these errata packages." (from Red Hat Advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date. The following command(s) will retrieve and install the fixed version of this update onto your system:

    apt-get update
    apt-get install openssl

b) Updating manually...

Download the updates below for your version of Yellow Dog Linux and then run the following rpm command. (Please use a mirror site)

    rpm -Fvh [filenames]

Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/ppc/openssl-*0.9.6b-28.2.3a.ppc.rpm

Yellow Dog Linux 2.2
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.2/ppc/openssl-*0.9.6b-28.2.2a.ppc.rpm

4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------

[Yellow Dog Linux 2.3]
cdd3d8183b4555b6252d12ba6d658215  SRPMS/openssl-0.9.6b-28.2.3a.src.rpm
d647520d9968c7a023a1ca417a1c92f3  ppc/openssl-0.9.6b-28.2.3a.ppc.rpm
2847ad257b470e91eba27bc3dba2f4e5  ppc/openssl-devel-0.9.6b-28.2.3a.ppc.rpm
ae108045dc2dcec6655d891ac279efcd  ppc/openssl-perl-0.9.6b-28.2.3a.ppc.rpm

[Yellow Dog Linux 2.2]
18488aa0876643af668cbc2a023f2b1b  SRPMS/openssl-0.9.6b-28.2.2a.src.rpm
c447475cfee9bc1794735a911da6efc9  ppc/openssl-0.9.6b-28.2.2a.ppc.rpm
b742657e3db3a382c495d6d469618d8d  ppc/openssl-devel-0.9.6b-28.2.2a.ppc.rpm
5933ef7a57c7fc51c8cb429c3b6a791b  ppc/openssl-perl-0.9.6b-28.2.2a.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered with, examine the md5sum with the following command:

    rpm --checksig --nogpg filename

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
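The bug class described in section 2 (a length field inside the SSL data stream that is trusted without being checked against the bytes actually received) is illustrated below with a small length-checked record parser. This is an added example, not code from OpenSSL, Red Hat or this advisory; the record and handshake layouts, the function names and the sample records are simplified assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the bug class in section 2: a length field
 * inside an SSL/TLS record must be checked against the bytes that actually
 * arrived before it is used. Layout assumed here (simplified, not OpenSSL's
 * code): record = 1-byte type, 2-byte version, 2-byte length, body;
 * body = 1-byte handshake type, 3-byte length, payload. */
typedef struct {
    uint8_t  rec_type;
    uint16_t version;
    uint8_t  hs_type;
    size_t   hs_len;        /* length claimed by the inner 3-byte field */
    const uint8_t *payload; /* points into the caller's buffer, never past it */
} tls_msg_t;

/* Returns 0 on success, -1 if any length field is inconsistent with the data
 * present. Comparisons are written as "claimed > remaining" so that the
 * arithmetic cannot wrap around, and no byte outside buf[0..len) is read. */
int parse_record(const uint8_t *buf, size_t len, tls_msg_t *out)
{
    if (len < 5) return -1;                         /* record header incomplete */
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len > 16384) return -1;                 /* above the TLS record limit (2^14) */
    if (rec_len > len - 5) return -1;               /* body claims more than arrived */
    const uint8_t *body = buf + 5;
    if (rec_len < 4) return -1;                     /* handshake header incomplete */
    size_t hs_len = ((size_t)body[1] << 16) | ((size_t)body[2] << 8) | body[3];
    if (hs_len > rec_len - 4) return -1;            /* inner length escapes the record */
    out->rec_type = buf[0];
    out->version  = (uint16_t)((buf[1] << 8) | buf[2]);
    out->hs_type  = body[0];
    out->hs_len   = hs_len;
    out->payload  = body + 4;
    return 0;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_RECORD[] = {
    0x16, 0x03, 0x01, 0x00, 0x07,   /* handshake record, TLS 1.0, body length 7 */
    0x01, 0x00, 0x00, 0x03,         /* ClientHello, payload length 3 */
    0xaa, 0xbb, 0xcc };
static const uint8_t BAD_RECORD[] = {
    0x16, 0x03, 0x01, 0x00, 0x07,
    0x01, 0x00, 0x10, 0x00,         /* claims 4096 payload bytes, only 3 present */
    0xaa, 0xbb, 0xcc };
/* 0 for the well-formed record, -1 for the one whose inner length lies. */
int demo_good(void) { tls_msg_t m; return parse_record(GOOD_RECORD, sizeof GOOD_RECORD, &m); }
int demo_bad(void)  { tls_msg_t m; return parse_record(BAD_RECORD,  sizeof BAD_RECORD,  &m); }
```

The same check applies at every nesting level of the stream; a length that is accepted at the record layer but not re-checked for the structures inside it is exactly what lets a peer drive the parser past the end of its buffer or into a loop that never consumes input.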