rhsa-2002_155
Vulnerability from csaf_redhat
Published
2002-07-30 10:47
Modified
2024-11-05 16:12
Summary
Red Hat Security Advisory: : Updated openssl packages fix remote vulnerabilities
Notes
Topic
Updated OpenSSL packages are available which fix several serious buffer
overflow vulnerabilities.
Details
OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which
implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library. A security audit of the OpenSSL code sponsored by
DARPA found several buffer overflows in OpenSSL which affect versions 0.9.7
and 0.9.6d and earlier:
1. The master key supplied by a client to an SSL version 2 server could be
oversized, causing a stack-based buffer overflow. This issue is remotely
exploitable. Services that have SSLv2 disabled would not be vulnerable to
this issue. (CAN-2002-0656)
2. The SSLv3 session ID supplied to a client from a malicious server could
be oversized and overrun a buffer. This issue looks to be remotely
exploitable. (CAN-2002-0656)
3. Various buffers used for storing ASCII representations of integers were
too small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655)
A further issue was found in OpenSSL 0.9.7 that does not affect versions of
OpenSSL shipped with Red Hat Linux (CAN-2002-0657).
A large number of applications within Red Hat Linux make use the OpenSSL
library to provide SSL support. All users are therefore advised to upgrade
to the errata OpenSSL packages, which contain patches to correct these
vulnerabilities.
NOTE:
Please read the Solution section below as it contains instructions for
making sure that all SSL-enabled processes are restarted after the update
is applied.
Thanks go to the OpenSSL team and Ben Laurie for providing patches for
these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated OpenSSL packages are available which fix several serious buffer\noverflow vulnerabilities.", "title": "Topic" }, { "category": "general", "text": "OpenSSL is a commercial-grade, full-featured, and Open Source toolkit which\nimplements the Secure Sockets Layer (SSL v2/v3) and Transport Layer\nSecurity (TLS v1) protocols as well as a full-strength general purpose\ncryptography library. A security audit of the OpenSSL code sponsored by\nDARPA found several buffer overflows in OpenSSL which affect versions 0.9.7\nand 0.9.6d and earlier:\n\n1. The master key supplied by a client to an SSL version 2 server could be\noversized, causing a stack-based buffer overflow. This issue is remotely\nexploitable. Services that have SSLv2 disabled would not be vulnerable to\nthis issue. (CAN-2002-0656)\n\n2. The SSLv3 session ID supplied to a client from a malicious server could\nbe oversized and overrun a buffer. This issue looks to be remotely\nexploitable. (CAN-2002-0656)\n\n3. Various buffers used for storing ASCII representations of integers were\ntoo small on 64 bit platforms. This issue may be exploitable. (CAN-2002-0655)\n\nA further issue was found in OpenSSL 0.9.7 that does not affect versions of\nOpenSSL shipped with Red Hat Linux (CAN-2002-0657).\n\nA large number of applications within Red Hat Linux make use the OpenSSL\nlibrary to provide SSL support. All users are therefore advised to upgrade\nto the errata OpenSSL packages, which contain patches to correct these\nvulnerabilities.\n\nNOTE: \n\nPlease read the Solution section below as it contains instructions for\nmaking sure that all SSL-enabled processes are restarted after the update\nis applied.\n\nThanks go to the OpenSSL team and Ben Laurie for providing patches for\nthese issues.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2002:155", "url": "https://access.redhat.com/errata/RHSA-2002:155" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2002/rhsa-2002_155.json" } ], "title": "Red Hat Security Advisory: : Updated openssl packages fix remote vulnerabilities", "tracking": { "current_release_date": "2024-11-05T16:12:32+00:00", "generator": { "date": "2024-11-05T16:12:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2002:155", "initial_release_date": "2002-07-30T10:47:00+00:00", "revision_history": [ { "date": "2002-07-30T10:47:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2002-07-25T00:00:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T16:12:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Linux 6.2", "product": { "name": "Red Hat Linux 6.2", "product_id": "Red Hat Linux 6.2", "product_identification_helper": { "cpe": "cpe:/o:redhat:linux:6.2" } } }, { "category": "product_name", "name": "Red Hat Linux 7.0", "product": { "name": "Red Hat Linux 7.0", "product_id": "Red Hat Linux 7.0", "product_identification_helper": { "cpe": "cpe:/o:redhat:linux:7.0" } } }, { "category": "product_name", "name": "Red Hat Linux 7.1", "product": { "name": "Red Hat Linux 7.1", "product_id": "Red Hat Linux 7.1", "product_identification_helper": { "cpe": "cpe:/o:redhat:linux:7.1" } } }, { "category": "product_name", "name": "Red Hat Linux 7.2", "product": { "name": "Red Hat Linux 7.2", "product_id": "Red Hat Linux 7.2", "product_identification_helper": { "cpe": "cpe:/o:redhat:linux:7.2" } } }, { "category": "product_name", "name": "Red Hat Linux 7.3", "product": { "name": "Red Hat Linux 7.3", "product_id": "Red Hat Linux 7.3", "product_identification_helper": { "cpe": "cpe:/o:redhat:linux:7.3" } } } ], "category": "product_family", "name": "Red Hat Linux" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2002-0655", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1616787" } ], "notes": [ { "category": "description", "text": "OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and possibly execute arbitrary code.", "title": "Vulnerability description" }, { "category": "summary", "text": "security flaw", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "Red Hat Linux 6.2", "Red Hat Linux 7.0", "Red Hat Linux 7.1", "Red Hat Linux 7.2", "Red Hat Linux 7.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2002-0655" }, { "category": "external", "summary": "RHBZ#1616787", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616787" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0655", "url": "https://www.cve.org/CVERecord?id=CVE-2002-0655" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655", "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0655" } ], "release_date": "2002-07-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2002-07-30T10:47:00+00:00", "details": "IMPORTANT:\n\nBecause both client and server applications are affected by these\nvulnerabilities, we advise users to reboot their systems after installing\nthese updates.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.", "product_ids": [ "Red Hat Linux 6.2", "Red Hat Linux 7.0", "Red Hat Linux 7.1", "Red Hat Linux 7.2", "Red Hat Linux 7.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2002:155" } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "security flaw" }, { "cve": "CVE-2002-0656", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1616788" } ], "notes": [ { "category": "description", "text": "Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SSL3.", "title": "Vulnerability description" }, { "category": "summary", "text": "security flaw", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "Red Hat Linux 6.2", "Red Hat Linux 7.0", "Red Hat Linux 7.1", "Red Hat Linux 7.2", "Red Hat Linux 7.3" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2002-0656" }, { "category": "external", "summary": "RHBZ#1616788", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616788" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2002-0656", "url": "https://www.cve.org/CVERecord?id=CVE-2002-0656" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656", "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-0656" } ], "release_date": "2002-07-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2002-07-30T10:47:00+00:00", "details": "IMPORTANT:\n\nBecause both client and server applications are affected by these\nvulnerabilities, we advise users to reboot their systems after installing\nthese updates.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.", "product_ids": [ "Red Hat Linux 6.2", "Red Hat Linux 7.0", "Red Hat Linux 7.1", "Red Hat Linux 7.2", "Red Hat Linux 7.3" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2002:155" } ], "threats": [ { "category": "impact", "details": "Critical" } ], "title": "security flaw" } ] }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.