I have looked high/low for a fix to this vulnerability (UNIX), but with no luck. FYI, I have installed the latest version of openssl (openssl-0.9.7d-sol8-sparc-local.gz) in hopes that it would cure the problem. However, I am wondering (based on the vulnerability details) if I should install an older version. Can you please advise?
Thank you,

Ginnie Spock
JOCAS DBA/System Administrator
SCTOA-Eglin AFB / TYBRIN Corp
* <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED]
* DSN: 872.8131
* Commercial: 850.882.8131

Vulnerability Details:

H OpensslSsl2MasterkeyBo: OpenSSL SSL2 master key buffer overflow

OpenSSL is an open-source implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols that is included with many Linux distributions. OpenSSL versions 0.9.6d and earlier, 0.9.7-beta2 and earlier, and the current development snapshots of 0.9.7 are vulnerable to a buffer overflow, caused by improper handling of SSL2 client master keys. By sending an overly long SSL2 client master key, a remote attacker could overflow a buffer and execute arbitrary code with elevated privileges or cause the system to crash.

Remedy:

For vulnerability detection:
Enable the following checks in the Dynamic Threat Protection platform:
  OpensslSsl2MasterkeyBo
  openssl-ssl2-masterkey-bo

For Virtual Patch (see http://xforce.iss.net/xforce/riskindex/#vp):
Enable the following checks in the Dynamic Threat Protection platform:
  SSL2_Master_Key_Overflow

For Manual Protection:
Upgrade to the latest version of OpenSSL (0.9.6e or later), available from the OpenSSL Project Web site. See References.
--OR--
Apply the patch for this vulnerability, available from the OpenSSL Project Web site. See References.

For OpenPKG 1.0:
Upgrade to the latest OpenSSL package (0.9.6b-1.0.1 or later) or (0.9.6e or later), as listed in OpenPKG Security Advisory OpenPKG-SA-2002.008. See References.

For Debian GNU/Linux 3.0:
Upgrade to the latest OpenSSL packages (0.9.4-6 or later), (0.9.5a-6 or later), and (0.9.6c-2 or later), as listed in Debian Security Advisory DSA-136-1. See References.

For EnGarde Secure Linux Community Edition:
Upgrade to the latest OpenSSL package (0.9.6-1.0.16 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20020730-019. See References.

For Trustix Secure Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to Trustix Secure Linux Security Advisory #2002-0063 for more information. See References.
  Trustix 1.1 and 1.2: openssl-0.9.6-3tr or later
  Trustix 1.5: openssl-0.9.6-10tr

For Red Hat Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to Red Hat Security Advisory RHSA-2002:155-11 for more information. See References.
  Red Hat 6.2: openssl-0.9.5a-26 or later
  Red Hat 7.0 and 7.1: openssl-0.9.6-10 or later
  Red Hat 7.2 and 7.3: openssl096-0.9.6-9 or later

For SuSE Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2002:027 for more information. See References.
  SuSE Linux 8.0 (Intel): 0.9.6c-78 or later
  SuSE Linux 7.3 (Intel): 0.9.6b-147 or later
  SuSE Linux 7.1 and 7.2 (Intel): 0.9.6a-63 or later
  SuSE Linux 7.0 (Intel): 0.9.5a-59 or later
  SuSE Linux 7.3 (Sparc): 0.9.6b-136 or later
  SuSE Linux 7.1 (Sparc): 0.9.6a-23 or later
  SuSE Linux 7.0 (Sparc): 0.9.5a-8 or later

For Mandrake Linux:
Upgrade to the latest OpenSSL package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:046 (openssl) for more information. See References.
  Linux Mandrake 7.1, Corporate Server 1.0.1: 0.9.5a-4.1mdk or later
  Linux Mandrake 7.2 and Single Network Firewall 7.2: 0.9.5a-9.1mdk or later
  Mandrake Linux 8.0: 0.9.6-8.1mdk or later
  Mandrake Linux 8.1: 0.9.6b-1.1mdk or later
  Mandrake Linux 8.2: 0.9.6c-2.1mdk or later

For Caldera OpenLinux 3.1 and 3.1.1 Workstation and Server:
Upgrade to the latest OpenSSL packages (0.9.6-19 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-033.1. See References.

For FreeBSD:
Apply the patch for this vulnerability, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-02:33.openssl. See References.

For Compaq/Hewlett-Packard:
Apply SoftPaq SP21932 for this vulnerability, as listed in the Hewlett-Packard Software and Drivers Web page. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
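The advisory quoted above says what the bug is (the server trusts the client's KEY-ARG-LENGTH and copies that many bytes into a fixed per-session buffer) but not what the fix looks like. The following is an added example, not OpenSSL's code and not part of the original mail: it parses an SSLv2 CLIENT-MASTER-KEY body using only the wire layout from the SSL 2.0 specification, once the vulnerable way (no check on the key-arg length) and once with the bounds check the fixed releases add. The struct, function names, the 8-byte buffer size and the two constructed messages are assumptions for illustration; a canary field placed right after the buffer makes the overrun visible.

```c
/* Added example (hypothetical code, not OpenSSL's): SSLv2 CLIENT-MASTER-KEY
 * parsing with and without a bound on KEY-ARG-LENGTH. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSL2_MAX_KEY_ARG_LENGTH 8   /* assumed size of the fixed key_arg buffer */
#define CANARY_BYTE 0xA5

/* Hypothetical session record. canary sits directly after key_arg so that an
 * unchecked copy visibly clobbers the neighbouring field. */
struct ssl2_session {
    unsigned char key_arg[SSL2_MAX_KEY_ARG_LENGTH];
    unsigned char canary[8];
    unsigned int  key_arg_length;
};

struct outcome { int rc; int canary_ok; };   /* rc: 0 accepted, -1 rejected */

static unsigned int rd16(const unsigned char *p) { return (p[0] << 8) | p[1]; }

/* CLIENT-MASTER-KEY body, after the record header (SSL 2.0 spec):
 *   0      MSG-TYPE (0x02)
 *   1..3   CIPHER-KIND
 *   4..5   CLEAR-KEY-LENGTH
 *   6..7   ENCRYPTED-KEY-LENGTH
 *   8..9   KEY-ARG-LENGTH
 *   10..   CLEAR-KEY-DATA, ENCRYPTED-KEY-DATA, KEY-ARG-DATA
 * check_key_arg == 0 reproduces the vulnerable behaviour; == 1 is the fix. */
static int get_client_master_key(const unsigned char *msg, size_t len,
                                 struct ssl2_session *s, int check_key_arg)
{
    if (len < 10 || msg[0] != 0x02) return -1;
    unsigned int clear_len = rd16(msg + 4);
    unsigned int enc_len   = rd16(msg + 6);
    unsigned int karg_len  = rd16(msg + 8);

    /* Both variants reject a message shorter than its own length fields. */
    if (len < 10u + clear_len + enc_len + karg_len) return -1;
    const unsigned char *karg = msg + 10 + clear_len + enc_len;

    /* The fix: refuse a KEY-ARG longer than the buffer that will hold it. */
    if (check_key_arg && karg_len > SSL2_MAX_KEY_ARG_LENGTH) return -1;

    s->key_arg_length = karg_len;
    unsigned char *dst = s->key_arg;
    for (unsigned int i = 0; i < karg_len; i++)   /* copies karg_len bytes, checked or not */
        dst[i] = karg[i];
    return 0;
}

/* Runs one message through the parser on a fresh session and reports whether
 * the bytes after key_arg survived. */
static struct outcome handle(const unsigned char *m, size_t n, int check_key_arg)
{
    struct ssl2_session s;
    struct outcome o;
    memset(&s, 0, sizeof s);
    memset(s.canary, CANARY_BYTE, sizeof s.canary);
    o.rc = get_client_master_key(m, n, &s, check_key_arg);
    o.canary_ok = 1;
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != CANARY_BYTE) o.canary_ok = 0;
    return o;
}

/* Constructed messages (not captured traffic): cipher kind 0x010080, no clear
 * key, a 4-byte dummy encrypted key, then a KEY-ARG of 16 or 8 bytes. */
static const unsigned char oversized_cmk[] = {
    0x02, 0x01, 0x00, 0x80,
    0x00, 0x00,              /* CLEAR-KEY-LENGTH = 0 */
    0x00, 0x04,              /* ENCRYPTED-KEY-LENGTH = 4 */
    0x00, 0x10,              /* KEY-ARG-LENGTH = 16, twice the buffer */
    0xde, 0xad, 0xbe, 0xef,
    'K','K','K','K','K','K','K','K','K','K','K','K','K','K','K','K'
};
static const unsigned char normal_cmk[] = {
    0x02, 0x01, 0x00, 0x80, 0x00, 0x00, 0x00, 0x04, 0x00, 0x08,
    0xde, 0xad, 0xbe, 0xef,
    1, 2, 3, 4, 5, 6, 7, 8
};

int main(void)
{
    struct outcome v = handle(oversized_cmk, sizeof oversized_cmk, 0);
    struct outcome h = handle(oversized_cmk, sizeof oversized_cmk, 1);
    printf("vulnerable: rc=%d canary %s\n", v.rc, v.canary_ok ? "intact" : "CLOBBERED");
    printf("hardened:   rc=%d canary %s\n", h.rc, h.canary_ok ? "intact" : "CLOBBERED");
    return 0;
}
```

Two practical notes for the question asked above. First, by the advisory's own version list (0.9.6d and earlier, 0.9.7-beta2 and earlier), a 0.9.7d release is outside the affected range, so going back to an older version would not help. Second, a package installed under /usr/local only fixes the daemons that actually load it: check `openssl version` for the binary on your PATH, and run `ldd` against each SSL-speaking server binary to confirm which libssl and libcrypto it resolves to, since a server still linked against the old system libraries remains exposed.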
