Red Hat Bugzilla – Bug 152689
openssl vulnerabilities to remote DoS attack
Last modified: 2007-04-18 13:22:20 EDT
OpenSSL remote denial of service vulnerabilities as described in CAN-2004-0081 and CAN-2003-0851 (cf. Red Hat alert RHSA-2004:119-01 for details) affect openssl packages as provided by Red Hat 7.x and 8.0 distributions. At least for RH 7.3, package binaries recompiled from these "enterprise" sources fit and are patched.

ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/openssl-0.9.6b-36.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/openssl095a-0.9.5a-24.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/openssl096-0.9.6-25.7.src.rpm

Actually the patches are really the same across various versions of openssl. I am running right now a few RH7.3 installations with binaries recompiled from the sources above. If they do not work then you cannot read that. :-)

------- Additional Comments From jkeating@j2solutions.net 2004-03-18 18:34:56 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've built 7.x and 8.0 rpms of openssl, using the patches found inside the RHEL2.1 errata packages. Please QA them.
http://geek.j2solutions.net/rpms/legacy/openssl/

cf6cd7a8637d0707e4d4b8b8562e161a5840b80a  7.x/openssl-0.9.6b-36.7.legacy.i386.rpm
b099e1baa30422076be51970c16e582a5a454973  7.x/openssl-0.9.6b-36.7.legacy.i686.rpm
b734c6290fee8fbd24a345945d0d78f3915baac2  7.x/openssl-devel-0.9.6b-36.7.legacy.i386.rpm
55525c0017d5f7d4809056a325471d967b064e8d  7.x/openssl-perl-0.9.6b-36.7.legacy.i386.rpm
e90e044eea5a40bb478e141184e63d1856c49551  7.x/openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
c88d372d048aac024d13a1c04fe6e558e3058d57  7.x/openssl095a-0.9.5a-24.7.3.legacy.src.rpm
ede50288945876f4292aa9d9e261e4b407409f40  7.x/openssl096-0.9.6-25.7.legacy.i386.rpm
7caa11572cd927e9dfb430802b161bdc202a4549  7.x/openssl096-0.9.6-25.7.legacy.src.rpm
ac4b90e37ca4bd6be15f834184437de443023ca0  7.x/sha1sums
0775bf129233ddb8e1914723b6e2d07abee62486  8.0/openssl-0.9.6b-36.8.legacy.i386.rpm
2602438132f4050d372c125fa509ca299d40d248  8.0/openssl-0.9.6b-36.8.legacy.i686.rpm
f6a98ecf439a09b001ffef0ef418ba3241944ef4  8.0/openssl-0.9.6b-36.8.legacy.src.rpm
ac84eee038ed85559ebf546673adf7c42c3a7c80  8.0/openssl-devel-0.9.6b-36.8.legacy.i386.rpm
79d8707abfd99c986084cfd27a6bd36c9f9cbed4  8.0/openssl-perl-0.9.6b-36.8.legacy.i386.rpm
f1a4c30a821906257cd366da1d4722c0aa3a1bd1  8.0/openssl095a-0.9.5a-24.8.legacy.i386.rpm
ce72bc9efb616b3edbcd57ae563a5a5bed1fd23b  8.0/openssl095a-0.9.5a-24.8.legacy.src.rpm
5f8a85519016d6fb5619ca48cd81d0ec33eea28d  8.0/openssl096-0.9.6-24.8.legacy.i386.rpm
18edf79f6020e5cb8061660d1793254a40d4cdd2  8.0/openssl096-0.9.6-24.8.legacy.src.rpm
d5eb15512e4d0a0f6488835b9096bf23a43989df  8.0/sha1sums

[jkeating@bean openssl]$ for dir in *; do sha1sum ${dir}/*; echo; done
cf6cd7a8637d0707e4d4b8b8562e161a5840b80a  7.x/openssl-0.9.6b-36.7.legacy.i386.rpm
b099e1baa30422076be51970c16e582a5a454973  7.x/openssl-0.9.6b-36.7.legacy.i686.rpm
b734c6290fee8fbd24a345945d0d78f3915baac2  7.x/openssl-devel-0.9.6b-36.7.legacy.i386.rpm
55525c0017d5f7d4809056a325471d967b064e8d  7.x/openssl-perl-0.9.6b-36.7.legacy.i386.rpm
e90e044eea5a40bb478e141184e63d1856c49551  7.x/openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
c88d372d048aac024d13a1c04fe6e558e3058d57  7.x/openssl095a-0.9.5a-24.7.3.legacy.src.rpm
ede50288945876f4292aa9d9e261e4b407409f40  7.x/openssl096-0.9.6-25.7.legacy.i386.rpm
7caa11572cd927e9dfb430802b161bdc202a4549  7.x/openssl096-0.9.6-25.7.legacy.src.rpm
ac4b90e37ca4bd6be15f834184437de443023ca0  7.x/sha1sums

0775bf129233ddb8e1914723b6e2d07abee62486  8.0/openssl-0.9.6b-36.8.legacy.i386.rpm
2602438132f4050d372c125fa509ca299d40d248  8.0/openssl-0.9.6b-36.8.legacy.i686.rpm
f6a98ecf439a09b001ffef0ef418ba3241944ef4  8.0/openssl-0.9.6b-36.8.legacy.src.rpm
ac84eee038ed85559ebf546673adf7c42c3a7c80  8.0/openssl-devel-0.9.6b-36.8.legacy.i386.rpm
79d8707abfd99c986084cfd27a6bd36c9f9cbed4  8.0/openssl-perl-0.9.6b-36.8.legacy.i386.rpm
f1a4c30a821906257cd366da1d4722c0aa3a1bd1  8.0/openssl095a-0.9.5a-24.8.legacy.i386.rpm
ce72bc9efb616b3edbcd57ae563a5a5bed1fd23b  8.0/openssl095a-0.9.5a-24.8.legacy.src.rpm
5f8a85519016d6fb5619ca48cd81d0ec33eea28d  8.0/openssl096-0.9.6-24.8.legacy.i386.rpm
18edf79f6020e5cb8061660d1793254a40d4cdd2  8.0/openssl096-0.9.6-24.8.legacy.src.rpm
d5eb15512e4d0a0f6488835b9096bf23a43989df  8.0/sha1sums

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAWnf44v2HLvE71NURAhvYAJ46xXLWc6OEjiGxZ8EH2zfUPxHkZgCeJxdQ
0BEragHy3KcqFsc8YNizoT4=
=pwQ+
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating@j2solutions.net 2004-03-18 18:38:01 ----

Hrm, that got thwacked.
Here is just a URL list:

7.x
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl-0.9.6b-36.7.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl-0.9.6b-36.7.legacy.i686.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl-devel-0.9.6b-36.7.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl-perl-0.9.6b-36.7.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl095a-0.9.5a-24.7.3.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl096-0.9.6-25.7.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl096-0.9.6-25.7.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/sha1sums

8.0
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl-0.9.6b-36.8.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl-0.9.6b-36.8.legacy.i686.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl-0.9.6b-36.8.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl-devel-0.9.6b-36.8.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl-perl-0.9.6b-36.8.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl095a-0.9.5a-24.8.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl095a-0.9.5a-24.8.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl096-0.9.6-24.8.legacy.i386.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/openssl096-0.9.6-24.8.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/8.0/sha1sums

------- Additional Comments From bugs.michael@gmx.net 2004-03-18 20:12:34 ----

missing: openssl-0.9.6b-36.7.legacy.src.rpm

------- Additional Comments From jkeating@j2solutions.net 2004-03-18 20:52:31 ----

Oops! Didn't get uploaded. It's there now. sha1sums was updated as well to reflect the new file.
d2524c3b0eef250345dbf2daa902a1286a305ac5  7.x/openssl-0.9.6b-36.7.legacy.src.rpm
3356afbda872e2a4a87600b2e77fc62ff19a59ba  7.x/sha1sums

http://geek.j2solutions.net/rpms/legacy/openssl/7.x/openssl-0.9.6b-36.7.legacy.src.rpm
http://geek.j2solutions.net/rpms/legacy/openssl/7.x/sha1sums

------- Additional Comments From bugs.michael@gmx.net 2004-03-19 04:02:59 ----

rh73, interesting... binary rpm listing diffs: this shows how close the builds are to the previous rh73 errata packages. In two of the openssl packages, the "spinfix" and "recursion" patches don't even cause the built libraries to differ in size, and only the patched certificates show up.

[...]
openssl-0.9.6b-35.7.i386.rpm -> openssl096-0.9.6-25.7.legacy.i386.rpm
--- old 2004-03-19 14:43:58.000000000 +0100
+++ new 2004-03-19 14:43:39.000000000 +0100
@@ -52,7 +52,7 @@
 lrwxrwxrwx root root 19 /usr/share/ssl/cert.pem
 drwxr-xr-x root root 0 /usr/share/ssl/certs
 -rw-r--r-- root root 1832 /usr/share/ssl/certs/Makefile
--rw-r--r-- root root 253688 /usr/share/ssl/certs/ca-bundle.crt
+-rw-r--r-- root root 249373 /usr/share/ssl/certs/ca-bundle.crt
 -rw-r--r-- root root 610 /usr/share/ssl/certs/make-dummy-cert
 drwxr-xr-x root root 0 /usr/share/ssl/lib
 drwxr-xr-x root root 0 /usr/share/ssl/misc
[...]
openssl096-0.9.6-23.7.i386.rpm -> openssl096-0.9.6-25.7.legacy.i386.rpm
--- old 2004-03-19 14:44:00.000000000 +0100
+++ new 2004-03-19 14:43:48.000000000 +0100
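Review bot: the first hunk records nothing but a size change for ca-bundle.crt (253688 to 249373 bytes), and a file-listing diff of this kind cannot say which certificates were dropped or added, nor, as the comment itself notes for the spinfix and recursion patches, whether a library whose size is unchanged actually carries the patch. Suggest backing the listing diff with a comparison of the src.rpm contents (spec changelog, the two patch files, and a diff of the extracted ca-bundle.crt) before treating the build as verified.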
@@ -1,4 +1,4 @@
--rwxr-xr-x root root 882913 /usr/lib/libcrypto.so.0.9.6
+-rwxr-xr-x root root 882945 /usr/lib/libcrypto.so.0.9.6
 -rwxr-xr-x root root 206309 /usr/lib/libssl.so.0.9.6
 drwxr-xr-x root root 0 /usr/share/doc/openssl096-0.9.6
 -rw-r--r-- root root 154209 /usr/share/doc/openssl096-0.9.6/CHANGES
[...]
openssl095a-0.9.5a-23.7.3.i386.rpm -> openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
-empty-

------- Additional Comments From jkeating@j2solutions.net 2004-03-19 05:49:05 ----

Well they both are extremely small patches... but this is why file size shouldn't be used to determine differences. (well, not accurately)

------- Additional Comments From michal@harddata.com 2004-03-19 09:30:16 ----

Where I can test it (i.e. RH7.3 installations) I do not see any problems either with binaries from Jesse or what I recompiled earlier myself. Yes, openssl-0.9.6b-36.src.rpm has an updated ca-bundle.crt. These things change over time. This likely should go quickly into updates.

------- Additional Comments From heinlein@cse.ogi.edu 2004-03-19 10:36:50 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've installed the updates on a handful of Red Hat 8.0 boxes, including one that does a fairly substantial amount of https work. So far, all is well.

- --
Paul Heinlein <heinlein@cse.ogi.edu>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAW1miHjacYo9UyjURApqfAKCvz03Lf/Z2ZjrU2sI6MO/gNW/TFwCfVbzk
wCsCt0EaZYwicEWUvP/lvLc=
=Ifg+
-----END PGP SIGNATURE-----

------- Additional Comments From strobert@strobe.net 2004-03-20 22:23:53 ----

Installed the openssl and openssl-devel packages for rh7.3 on a few test systems. Did some basic tests (ssh, scp) and working fine here.
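The QA steps in this thread start from a published sha1sums file (the `for dir in *; do sha1sum ${dir}/*; done` listing above) and from hash lists that were "manually wrapped for bugzilla" with a trailing backslash. The script below is an added example, not code from the bug or from Fedora Legacy: it verifies a download directory against such a list, accepting both the plain and the wrapped form, and treats a missing or altered package as a failure. Function names (`unwrap_sha1sums`, `verify_packages`, `selfcheck`) are mine; the fixtures are constructed placeholder files, not real RPMs; it assumes GNU coreutils (sha1sum, mktemp) and a POSIX awk.

```shell
# Added example (not code from the bug thread or from Fedora Legacy): check a
# directory of downloaded packages against a published sha1sums file, accepting
# the "manually wrapped for bugzilla" form where a hash line ends in a
# backslash and the file name follows on the next line. Assumes GNU coreutils
# (sha1sum, mktemp) and a POSIX awk.

# Join "hash \" + "file" continuation lines back into "hash  file" records,
# the format sha1sum -c reads; ordinary two-field lines pass through.
unwrap_sha1sums() {
    awk '
        /\\[ \t]*$/      { sub(/[ \t]*\\[ \t]*$/, ""); pending = $1; next }
        pending != ""    { print pending "  " $1; pending = ""; next }
        NF >= 2          { print $1 "  " $2 }
    ' "$1"
}

# verify_packages DIR SUMS: return 0 only if every file listed in SUMS exists
# under DIR and has the listed SHA-1; a missing file fails like a mismatch.
verify_packages() {
    dir=$1; sums=$2
    tmp=$(mktemp) || return 1
    unwrap_sha1sums "$sums" > "$tmp"
    if (cd "$dir" && sha1sum -c "$tmp" >/dev/null 2>&1); then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}

# Self-check on constructed fixtures: the "packages" are placeholder text
# files, not real RPMs; only the hashing logic is exercised.
selfcheck() {
    work=$(mktemp -d) || return 1
    mkdir "$work/7.x"
    printf 'constructed package A\n' > "$work/7.x/openssl-0.9.6b-36.7.legacy.i386.rpm"
    printf 'constructed package B\n' > "$work/7.x/openssl-devel-0.9.6b-36.7.legacy.i386.rpm"
    (cd "$work" && sha1sum 7.x/*.rpm) > "$work/sha1sums"
    # Untouched files verify against the plain list ...
    verify_packages "$work" "$work/sha1sums" || { rm -rf "$work"; return 1; }
    # ... and against a backslash-wrapped copy of the same list.
    awk '{ print $1 " \\"; print "  " $2 }' "$work/sha1sums" > "$work/wrapped"
    verify_packages "$work" "$work/wrapped" || { rm -rf "$work"; return 1; }
    # A modified package must be reported.
    printf 'tampered\n' >> "$work/7.x/openssl-devel-0.9.6b-36.7.legacy.i386.rpm"
    if verify_packages "$work" "$work/sha1sums"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}

selfcheck && echo "sha1sums verification self-check passed"
```

Run it in the directory that holds the 7.x and 8.0 subdirectories as `verify_packages . 7.x/sha1sums`; the sha1sums file itself is only as trustworthy as the channel it came from, which is why the thread pairs it with PGP-signed comments.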
------- Additional Comments From bugs.michael@gmx.net 2004-03-21 20:17:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c88d372d048aac024d13a1c04fe6e558e3058d57 (manually wrapped for bugzilla)
  openssl095a-0.9.5a-24.7.3.legacy.src.rpm
7caa11572cd927e9dfb430802b161bdc202a4549
  openssl096-0.9.6-25.7.legacy.src.rpm
d2524c3b0eef250345dbf2daa902a1286a305ac5
  openssl-0.9.6b-36.7.legacy.src.rpm

* the src.rpm diffs against previous rh73 errata are good
* included patches match those from the RHEL errata
* binary builds look good (despite incomplete buildreq tags) and work for me (rh73)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAXoTQ0iMVcrivHFQRAnL4AJ4mqlE1noFe4TEzMfGe7uD3IvbAsQCdGWNs
Rmz6+VoH/4eRBz0Rh0RbsT4=
=cAZu
-----END PGP SIGNATURE-----

------- Additional Comments From fedora-bugzilla@hrunting.org 2004-03-22 05:05:20 ----

I tested these packages on RH7.2 and RH7.3 systems and they work fine. How come it takes so long to push this into the download tree? I would expect that something this serious would at least be in updates-testing the same day. This is a VERY simple patch.

------- Additional Comments From jkeating@j2solutions.net 2004-03-22 06:37:51 ----

Yes it is simple. However the requirements to get this into testing are not having it work in current systems, but examining the changes from the old package to the new package, as well as the patches, to make sure that I didn't introduce anything nasty. Seems people were only interested in showing if the package worked or not. Michael Schwendt has done the appropriate checking for RHL 7.3, so I'll just have to trust that the rest of the packages are fine by proxy. Given that I made the packages, I have a higher degree of trust, but I am hesitant to streamline something I built due to appearance of favoritism or something like that. Things I build and provide should have to go through the same QA processes as something from anybody else.
That said, I am in the process of building these for updates-testing. Should have them out there today, depending on my work load at work.

------- Additional Comments From christof@damian.net 2004-03-22 23:01:24 ----

I just tried to rebuild this package:
http://download.fedoralegacy.org/redhat/7.2/updates-testing/SRPMS/openssl096-0.9.6-25.7.legacy.src.rpm
but it produced:
SRPMS/openssl095a-0.9.5a-23.7.3.src.rpm
i386/openssl095a-0.9.5a-23.7.3.i386.rpm

------- Additional Comments From christof@damian.net 2004-03-22 23:13:02 ----

Please ignore the last comment, my mistake.

------- Additional Comments From strobert@strobe.net 2004-03-23 22:20:26 ----

Okay, I follow your comment (#12). These were already verified on rh7.3, but did additional verification for rh7.3 (sorry, the only build environments I have are for rh6.2 and rh7.3 -- we run those two plus as2.1 and es2.1).

Confirmed the only files in the SRPM that changed between the final RedHat errata (35.7) and the one here (36.7.legacy, sha1sum d2524c3b0eef250345dbf2daa902a1286a305ac5) were:
- ./ca-bundle.crt:
  - removal of expired 'CyberTrust Japan, Inc' cert
  - removal of trustcenter.de class 0 cert
  - addition of usertrust.com cert
- ./openssl.spec: changelog, the release, and the additional two patches
- these two additions:
  ./openssl-0.9.6b-recursion.patch
  ./openssl-0.9.6c-spinfix.patch

These are the same changed files between the 35.7 and 36 SRPMs for as2.1. And outside of minor diffs in the spec file (different changelog entries for this fix and different release numbers), the contents of the SRPM provided (36.7.legacy) and AS2.1's build 36 are identical.

Did rpmbuild --rebuild of the SRPM on our official rh7.x arch rpm build machine and it built the appropriate rpms. So looks kosher from my viewpoint.

------- Additional Comments From jpdalbec@ysu.edu 2004-03-25 09:19:43 ----

updates-testing does not seem to have an i686-optimized version of the new openssl package. Do you plan to fix this?
------- Additional Comments From jkeating@j2solutions.net 2004-03-25 09:32:16 ----

RHL 7.3 and 8.0 have i686 packages for openssl-0.9.6b. These were the only packages that were i686 built by Red Hat for previous versions of openssl, and thus they are the only ones Fedora Legacy will provide for openssl.

------- Additional Comments From strobert@strobe.net 2004-03-25 10:41:01 ----

from my rh7.3 tree:
/install/rh73/approved/general/openssl-0.9.6b-35.7.i386.rpm
/install/rh73/approved/general/openssl-0.9.6b-35.7.i686.rpm
/install/rh73/approved/general/openssl-devel-0.9.6b-35.7.i386.rpm
/install/rh73/approved/general/openssl-perl-0.9.6b-35.7.i386.rpm
/install/rh73/approved/general/openssl095a-0.9.5a-23.7.3.i386.rpm
/install/rh73/approved/general/openssl096-0.9.6-23.7.i386.rpm

so yup, the only i686 package is openssl-0.9.6b-35.7.i686.rpm. Looked in updates-testing, and it has the same package set.

I am still new on fedora legacy, so if there is anything I can do to help in the process to move it to the next phase please let me know. I am planning on pulling down the updates-testing rpm's and installing them on test machines and doing basic tests, but didn't know if there were specific things I could be doing.

------- Additional Comments From jpdalbec@ysu.edu 2004-03-26 05:17:24 ----

My mistake, I see you have those packages and the appropriate header files. I guess I'm hitting a yum bug, which I've reported as bug #1425.

------- Additional Comments From Milan.Slanar@fs.cvut.cz 2004-03-28 23:03:24 ----

on comment #17: RHL 7.2 has no i686 package of openssl, but all official Red Hat updates of openssl for RHL 7.2 have an i686 package. So an i686 package should be provided for RHL 7.2.
------- Additional Comments From jpdalbec@ysu.edu 2004-03-29 08:33:51 ----

Created an attachment (id=611)
differences in summary files for openssl packages

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 7.3
014a4d8fec25dde48ee8f8c14cc5250afc687542 openssl-0.9.6b-36.7.legacy.i386.rpm
c4403aff66cc3891418f2f4a5fc9632ed87c6f79 openssl-0.9.6b-36.7.legacy.i686.rpm
8b3fca54a08ae67a3ee5c5b6dfc0a166a31d9a1c \
  openssl-devel-0.9.6b-36.7.legacy.i386.rpm
bfb7a080b0afe36bba4de6431d68110cd30636aa \
  openssl-perl-0.9.6b-36.7.legacy.i386.rpm
fff610245bcd73fce6b78c0e7f4155cf0c627762 \
  openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
f678d1b885a8236301afb4f92da2d451599643ce openssl096-0.9.6-25.7.legacy.i386.rpm

* SSH works OK
* no ldd differences
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAaGuVJL4A+ldA7asRAnkbAKCSgJYSs6Dt8KXSDW+U+KoAEV0egwCgpPNw
3+BzHRiGClFdUKDRwBepAzE=
=Q2Mv
-----END PGP SIGNATURE-----

------- Additional Comments From jpdalbec@ysu.edu 2004-03-29 08:37:04 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFY RH 7.3
014a4d8fec25dde48ee8f8c14cc5250afc687542 openssl-0.9.6b-36.7.legacy.i386.rpm
c4403aff66cc3891418f2f4a5fc9632ed87c6f79 openssl-0.9.6b-36.7.legacy.i686.rpm
8b3fca54a08ae67a3ee5c5b6dfc0a166a31d9a1c \
  openssl-devel-0.9.6b-36.7.legacy.i386.rpm
bfb7a080b0afe36bba4de6431d68110cd30636aa \
  openssl-perl-0.9.6b-36.7.legacy.i386.rpm
fff610245bcd73fce6b78c0e7f4155cf0c627762 \
  openssl095a-0.9.5a-24.7.3.legacy.i386.rpm
f678d1b885a8236301afb4f92da2d451599643ce openssl096-0.9.6-25.7.legacy.i386.rpm

* SSH works OK
* no ldd differences
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAaGuVJL4A+ldA7asRAnkbAKCSgJYSs6Dt8KXSDW+U+KoAEV0egwCgpPNw
3+BzHRiGClFdUKDRwBepAzE=
=Q2Mv
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating@j2solutions.net 2004-03-29 11:58:34 ----

My bad, I thought I looked and didn't find any i686 version of openssl.
The 7.3 packages ARE the 7.2 packages, so when I release it fully, there will be 7.2 i686 packages. For now if you want to verify the 7.3 i686 packages on 7.2, that would be cool. I'm out of town until Wed, I'll try to push them out to updates then.

------- Additional Comments From rostetter@mail.utexas.edu 2004-04-05 10:58:05 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I downloaded and installed the RH 8.0 updates-testing rpms for openssl (i686), openssl-devel, libtool, and libtool-libs. I've not tested the libtool stuff heavily, but in limited testing I've seen no problems. The openssl stuff is taking a beating (https, pop3/ssl, imap/ssl, ssh, etc on a very busy system) and is holding up fine with no problems seen. My vote is to publish these packages for RH 8.0 asap.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAccgm4jZRbknHoPIRAkChAJ9jcJKF6ai3jASh4OtbtGjsTlmVZwCeIDyE
tqvl9To3p9mWuZCTmhQrEmg=
=+jKC
-----END PGP SIGNATURE-----

------- Additional Comments From jkeating@j2solutions.net 2004-05-08 06:41:58 ----

Pushed to Updates.

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:24 -------

This bug previously known as bug 1395 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1395
Originally filed under the Fedora Legacy product and General component.

Attachments:
differences in summary files for openssl packages
https://bugzilla.fedora.us/attachment.cgi?action=view&id=611

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.