Bug 74094

Summary: OpenSSL bounds checking problem
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <xystrus>
Component: openssl
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: high
Version: 7.1
Keywords: Security
Hardware: All
OS: Linux
URL: http://online.securityfocus.com/bid/5363
Doc Type: Bug Fix
Last Closed: 2002-09-15 20:30:25 UTC

Description Need Real Name 2002-09-15 20:30:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607

Description of problem:
There exists a buffer overflow bug in all versions of OpenSSL < 0.9.6e which
affects (among other things) Apache server using mod_ssl.  For details, please
see the URL http://online.securityfocus.com/bid/5363 which describes the problem
in more detail than I could...
Version-Release number of selected component (if applicable):
ALL

How reproducible:
Always

Steps to Reproduce:
1. N/A

Actual Results:  N/A

Expected Results:  N/A

Additional info:

I realize that a large part of the problem is that the OpenSSL team keeps
breaking binary compatibility without updating the version number (besides a
silly letter at the end), but you guys aren't really doing a very good job of
keeping up with OpenSSL updates, and now we have a serious problem.

Because you have decided to work around the version problem by bumping up the
version number on the shared library, it is now also virtually impossible for
administrators to update OpenSSL on our own without having to recompile a whole
bunch of other programs.  You have created a fictional shared library which is
incompatible with the way the rest of the world manages dependencies upon
OpenSSL, which is and should be still at libcrypto.0, et al.

This problem manifests itself in other ways, too; i.e. Apache 2.0 depends upon
OpenSSL 0.9.6e or greater, so it's a great deal of work to get it working on Red
Hat, for the same reasons as above.

I understand (at least partially) the difficulties, but I really think you need
to find a better way to work around the versioning issues.  Though actually, if
you have a document somewhere that addresses the problem in detail, especially
if it has a sensible work-around to these problems, I'd certainly like to know
about that.

Thanks!

Comment 1 Mark J. Cox 2002-09-17 09:37:00 UTC
We fixed the OpenSSL vulnerabilities by backporting the security fixes, see

http://rhn.redhat.com/errata/RHSA-2002-155.html and
http://rhn.redhat.com/errata/RHSA-2002-160.html

> Apache 2.0 depends upon OpenSSL 0.9.6e or greater

This was actually a mistake by the Apache group made in a commit at the last
minute of a release without the consequences being thought through.  The next
Apache 2.0 release simply warns about the OpenSSL version number.