Bug 166939 - multiple openssl vulnerabilities - CVE-2005-0109, -2969, CVE-2004-0079, CVE-2003-0851
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: openssl
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
rh7, rh9, 1, 2
Reported: 2005-08-28 08:25 EDT by Jeff Sheltren
Modified: 2007-04-18 13:30 EDT
Last Closed: 2005-12-18 00:05:20 EST
Attachments:
Original comment 25. (2.31 KB, text/plain), 2005-11-20 18:44 EST, David Eisenstein

Description Jeff Sheltren 2005-08-28 08:25:44 EDT
Colin Percival reported a cache timing attack that could allow a malicious
local user to gain portions of cryptographic keys. The Common
Vulnerabilities and Exposures project (cve.mitre.org) assigned the name
CAN-2005-0109 to the issue. The OpenSSL library has been patched to add a
new fixed-window mod_exp implementation as default for RSA, DSA, and DH
private-key operations. This patch is designed to mitigate cache timing
and potentially related attacks.

A flaw was found in the way the der_chop script creates temporary files. It
is possible that a malicious local user could cause der_chop to overwrite
files (CAN-2004-0975).

2005-0109 affects all legacy distributions, the 2nd issue I believe is in all of
them, but may not affect fc2.

See https://rhn.redhat.com/errata/RHSA-2005-476.html
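
The fixed-window idea named in the description, as an added example (not part of the original report and not the OpenSSL patch): a naive square-and-multiply beside a fixed-window exponentiation whose operation count and table reads do not depend on the exponent. The 64-bit operands, the 4-bit window, the scan-every-entry lookup and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 4
#define TABLE_SIZE  (1u << WINDOW_BITS)

static unsigned long mul_count;   /* modular multiplications performed */

/* (a * b) mod m through a 128-bit intermediate (GCC/Clang extension).
 * The division is not constant-time on every CPU; this toy only models
 * the operation sequence and the table access pattern. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    mul_count++;
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Naive square-and-multiply: the extra multiply happens only for 1 bits
 * and the loop length follows the exponent, so the work done depends on
 * the secret exponent. */
uint64_t modexp_square_multiply(uint64_t base, uint64_t exp, uint64_t m)
{
    if (m <= 1) return 0;
    uint64_t acc = 1;
    base %= m;
    while (exp) {
        if (exp & 1)
            acc = mulmod(acc, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return acc;
}

/* Return table[idx] while reading every entry, so the memory access
 * pattern is the same for every (secret) index. */
static uint64_t ct_select(const uint64_t *table, unsigned idx)
{
    uint64_t out = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++) {
        uint64_t diff = (uint64_t)(i ^ idx);
        /* all-ones when i == idx, zero otherwise, without branching */
        uint64_t mask = ((diff | (0 - diff)) >> 63) - 1;
        out |= table[i] & mask;
    }
    return out;
}

/* Fixed-window exponentiation: every 4-bit window costs four squarings
 * and one multiply (by table[0] == 1 when the window is zero). */
uint64_t modexp_fixed_window(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t table[TABLE_SIZE];
    if (m <= 1) return 0;
    base %= m;
    table[0] = 1;
    for (unsigned i = 1; i < TABLE_SIZE; i++)
        table[i] = mulmod(table[i - 1], base, m);   /* base^i mod m */

    uint64_t acc = 1;
    for (int shift = 64 - WINDOW_BITS; shift >= 0; shift -= WINDOW_BITS) {
        for (int s = 0; s < WINDOW_BITS; s++)
            acc = mulmod(acc, acc, m);
        unsigned w = (unsigned)((exp >> shift) & (TABLE_SIZE - 1));
        acc = mulmod(acc, ct_select(table, w), m);
    }
    return acc;
}

/* Number of modular multiplications one routine spends on one exponent. */
unsigned long count_muls(uint64_t (*fn)(uint64_t, uint64_t, uint64_t),
                         uint64_t exp)
{
    mul_count = 0;
    (void)fn(3, exp, 1000000007ULL);   /* constructed sample base and modulus */
    return mul_count;
}

int main(void)
{
    const uint64_t exps[] = { 1, 0x8000000000000001ULL, UINT64_MAX };
    for (int i = 0; i < 3; i++)
        printf("exp=%016llx naive_muls=%lu fixed_muls=%lu\n",
               (unsigned long long)exps[i],
               count_muls(modexp_square_multiply, exps[i]),
               count_muls(modexp_fixed_window, exps[i]));
    return 0;
}
```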
Comment 1 Pekka Savola 2005-08-28 12:47:03 EDT
Removing CAN-2004-0975, as this was already fixed in our update back in March 2005.
Comment 2 Jeff Sheltren 2005-08-28 13:18:26 EDT
Pekka, thanks, I missed that update.  I'm working on packages for CAN-2005-0109 now.
Comment 3 Jeff Sheltren 2005-08-28 14:45:48 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created updated packages for fc2.  I'll try to get the rest done tomorrow.
I included the patch for CAN-2004-0975 in the fc2 openssl-0.9.7a package since I
didn't see a legacy release for FC2.  Also, I added a zlib-devel as a buildreq
for the 0.9.6b package.

1691e826aaef08cc7de8941816251dfd434b034a  openssl096b-0.9.6b-20.1.legacy.src.rpm
5d3d66198319e105a8a1b58158599e0fb2e5a889  openssl-0.9.7a-35.1.legacy.src.rpm

http://www.cs.ucsb.edu/~jeff/legacy/openssl/fc2/openssl096b-0.9.6b-20.1.legacy.src.rpm
http://www.cs.ucsb.edu/~jeff/legacy/openssl/fc2/openssl-0.9.7a-35.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDEgXZKe7MLJjUbNMRApJ3AKCue6GBpB7zfvbiVB10PH7wxtgpxgCfacvT
zDvqHhYAENGGjic7bJlVysU=
=CayB
-----END PGP SIGNATURE-----
Comment 4 Jeff Sheltren 2005-08-29 16:04:15 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The rest of the packages can be found here:
http://www.cs.ucsb.edu/~jeff/legacy/openssl/

e4e22e5c40cdfef577120f280a433f52afb88bb0  rh73/openssl095a-0.9.5a-24.7.4.legacy.src.rpm
2b69cfe7bd67bb6d05e0131e4a0968bca5efabff  rh73/openssl096-0.9.6-25.8.legacy.src.rpm
c5a724dcb9498d2f8f714be2d49cc2228dd6cee2  rh73/openssl-0.9.6b-39.8.legacy.src.rpm
70e2c532c3fa1c7931320de9adb07ec9e2aca5d5  rh9/openssl096-0.9.6-25.10.legacy.src.rpm
fc4926cdb258e906e853cdb506464d857c647fc1  rh9/openssl096b-0.9.6b-15.1.legacy.src.rpm
5a58272c283908ec8bfa22585de4a50ac8ae1466  rh9/openssl-0.9.7a-20.5.legacy.src.rpm
09265056469ef25ef5e5474dd91e9b237fed06d2  fc1/openssl096-0.9.6-26.1.legacy.src.rpm
8d08166d9e724bf5521be1eb0bb172bfbc4fe74c  fc1/openssl096b-0.9.6b-18.1.legacy.src.rpm
c67d07931d188adebad6e5a4c788fee04370e2f0  fc1/openssl-0.9.7a-33.12.legacy.src.rpm

They're all patched for CAN-2005-0109, and a few of them also were
missing the zlib-devel build requirement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDE2pIKe7MLJjUbNMRAuP3AKCF7AjMx4jmNaL9Wmu2sMlYkAqs2gCfTiXV
pSnpZWii+rNu5pfv2KEAQBs=
=b8WU
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-08-30 01:26:32 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity verified
 - all the patches verified to be identical to RHEL.
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
e4e22e5c40cdfef577120f280a433f52afb88bb0  openssl095a-0.9.5a-24.7.4.legacy.src.rpm
70e2c532c3fa1c7931320de9adb07ec9e2aca5d5  openssl096-0.9.6-25.10.legacy.src.rpm
2b69cfe7bd67bb6d05e0131e4a0968bca5efabff  openssl096-0.9.6-25.8.legacy.src.rpm
09265056469ef25ef5e5474dd91e9b237fed06d2  openssl096-0.9.6-26.1.legacy.src.rpm
fc4926cdb258e906e853cdb506464d857c647fc1  openssl096b-0.9.6b-15.1.legacy.src.rpm
8d08166d9e724bf5521be1eb0bb172bfbc4fe74c  openssl096b-0.9.6b-18.1.legacy.src.rpm
1691e826aaef08cc7de8941816251dfd434b034a  openssl096b-0.9.6b-20.1.legacy.src.rpm
c5a724dcb9498d2f8f714be2d49cc2228dd6cee2  openssl-0.9.6b-39.8.legacy.src.rpm
5a58272c283908ec8bfa22585de4a50ac8ae1466  openssl-0.9.7a-20.5.legacy.src.rpm
c67d07931d188adebad6e5a4c788fee04370e2f0  openssl-0.9.7a-33.12.legacy.src.rpm
5d3d66198319e105a8a1b58158599e0fb2e5a889  openssl-0.9.7a-35.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDE+4eGHbTkzxSL7QRAuPHAJ4n1GXeJDnDzgUuIXGuF7bybaJZCACgp1yx
NKFuXbz+tLgQFjqe1BHzikY=
=tZ9G
-----END PGP SIGNATURE-----
Comment 6 Marc Deslauriers 2005-10-22 09:49:07 EDT
We need to start these ones over. The CAN-2005-0109 patch we used from RHEL is
broken. Red Hat have released a fixed patch in advisory
https://rhn.redhat.com/errata/RHSA-2005-800.html.

We must also fix CAN-2005-2969.
Comment 7 Jeff Sheltren 2005-10-22 10:08:56 EDT
Hi Marc, I'll put together updated packages to fix CAN-2005-2969, but I don't
see any difference in the patch for CAN-2005-0109 from what was released
previously.  What has changed in that patch?
Comment 8 Jeff Sheltren 2005-10-22 10:11:59 EDT
Of course I will realize the difference right after I post :)

Looks like a dsa-consttime.patch has been added.  I'll incorporate that into the
new packages.
Comment 9 Jeff Sheltren 2005-10-22 13:22:36 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, let's give these a try:
http://www.cs.ucsb.edu/~jeff/legacy/openssl/

rh73:
d1e76bfc67af1b0ae1b0149f08ff7d4265f3d62e  openssl095a-0.9.5a-24.7.5.legacy.src.rpm
65756a2c9a8de124d8d70045aa999b6fa770cdcb  openssl096-0.9.6-25.9.legacy.src.rpm
0b96c2812f483e0c600942a1e07253381b1e832d  openssl-0.9.6b-39.9.legacy.src.rpm

rh9:
4fe95f01576af9f3a89c233c01f876500e417e42  openssl096-0.9.6-25.11.legacy.src.rpm
f8c301ebc2bf4306f9c1e9bed75eafb60d4ae756  openssl096b-0.9.6b-15.2.legacy.src.rpm
6a6d3c0f0388875d39cbee2e000b117f3702ea6e  openssl-0.9.7a-20.6.legacy.src.rpm

fc1:
33b780ffe851ad8cbc17e72dccf82d568fc19dce  openssl096-0.9.6-26.2.legacy.src.rpm
f085cdf15a7b6aee72f225f4344767ee530d6286  openssl096b-0.9.6b-18.2.legacy.src.rpm
26d97acb02c8f38ceced2799d7ca9eb74c9fb661  openssl-0.9.7a-33.13.legacy.src.rpm

fc2:
ab8e656a7c59e4dddbe9aa2f2c013e71aa603260  openssl096b-0.9.6b-20.2.legacy.src.rpm
b8b7e3eb4cd7a52597fc71c581cdd2165bff1d19  openssl-0.9.7a-35.2.legacy.src.rpm

Added the extra patch for CAN-2005-0109 and patch for CAN-2005-2969.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDWnXAKe7MLJjUbNMRAg0eAJ0QSXFxxuLmS8ITxwbruYjKRbFT4gCgzAPj
eNVUWiKZZaLELOs6CZow6Fw=
=lo4X
-----END PGP SIGNATURE-----
Comment 10 Pekka Savola 2005-10-24 05:56:33 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes minimal
 - patches verified to come from various RHEL packages
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
d1e76bfc67af1b0ae1b0149f08ff7d4265f3d62e  openssl095a-0.9.5a-24.7.5.legacy.src.rpm
4fe95f01576af9f3a89c233c01f876500e417e42  openssl096-0.9.6-25.11.legacy.src.rpm
65756a2c9a8de124d8d70045aa999b6fa770cdcb  openssl096-0.9.6-25.9.legacy.src.rpm
33b780ffe851ad8cbc17e72dccf82d568fc19dce  openssl096-0.9.6-26.2.legacy.src.rpm
f8c301ebc2bf4306f9c1e9bed75eafb60d4ae756  openssl096b-0.9.6b-15.2.legacy.src.rpm
f085cdf15a7b6aee72f225f4344767ee530d6286  openssl096b-0.9.6b-18.2.legacy.src.rpm
ab8e656a7c59e4dddbe9aa2f2c013e71aa603260  openssl096b-0.9.6b-20.2.legacy.src.rpm
0b96c2812f483e0c600942a1e07253381b1e832d  openssl-0.9.6b-39.9.legacy.src.rpm
6a6d3c0f0388875d39cbee2e000b117f3702ea6e  openssl-0.9.7a-20.6.legacy.src.rpm
26d97acb02c8f38ceced2799d7ca9eb74c9fb661  openssl-0.9.7a-33.13.legacy.src.rpm
b8b7e3eb4cd7a52597fc71c581cdd2165bff1d19  openssl-0.9.7a-35.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDXLAmGHbTkzxSL7QRAjaWAKCJ93UO5aDwKzOZyLOqMwm2af8NTwCcCHrK
xESMMrW8233la2oEtTiGsUw=
=BHcS
-----END PGP SIGNATURE-----
Comment 11 Pekka Savola 2005-10-24 06:02:36 EDT
Whoops, wrong flags :)
Comment 12 Michal Jaegermann 2005-10-25 11:52:46 EDT
RHEL and other distributions simply dropped a long obsolete 'der_chop' perl
program which is no longer available in openssl CVS too.  Instead of that we are
adding, at least to openssl-0.9.6b-39.9.legacy.src.rpm, a patch
openssl-0.9.7c-tempfile.patch to cover CAN-2004-0975 (bug #136302).  Maybe it is
a good time to follow the example of others and also drop 'der_chop'?  If some other
problems show up in it they are not likely to be reported.  OTOH chances that
somebody is really using that script seem to be extremely remote.
Comment 13 Pekka Savola 2005-10-26 02:08:23 EDT
I don't see any reason not to drop der_chop, but I wouldn't want to respin the
packages now to do that.
Comment 14 Marc Deslauriers 2005-10-30 18:40:37 EST
Packages were moved to updates-testing.
Comment 15 Tom Yates 2005-10-31 05:02:39 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
e97a1fb8963711a2c97e298173d30fe64abd7a3f  openssl-0.9.7a-20.6.legacy.i686.rpm
dca80e912b43137b71e966cdc956b50324fd59fc  openssl-devel-0.9.7a-20.6.legacy.i386.rpm
 
installed fine.  openssl still works at CLI (openssl s_client -connect
www.teaparty.net:443), apache stops and starts fine (is dependent on libssl).
 
+VERIFY RH9
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFDZewnePtvKV31zw4RAq/hAKCiBwCV/U4pdOfKHJMjmQqte/UUsACeJUaL
eewN7ac/VpxuTeWYHf6TucU=
=06lo
-----END PGP SIGNATURE-----
Comment 16 Jeff Sheltren 2005-10-31 05:48:24 EST
Marc, when these get pushed to updates, I think we need something like the
following in the announcement:

"Please note: After installing this update, users are advised to either
restart all services that use OpenSSL or restart their system."
Comment 17 David Eisenstein 2005-11-02 15:46:43 EST
Does this CVE-2004-0079 issue affect us as well on the (OpenSSL 0.9.6b)
we're updating here?

Red Hat today issued
  * RHSA-2005:829-00 <http://rhn.redhat.com/errata/RHSA-2005-829.html> and
  * RHSA-2005:830-00 <http://rhn.redhat.com/errata/RHSA-2005-830.html>
to fix CVE-2004-0079 for OpenSSL 0.9.6b for RHEL 2.1 and RHEL 3 & 4:

"The OpenSSL toolkit implements Secure Sockets Layer (SSL v2/v3),
Transport Layer Security (TLS v1) protocols, and serves as a full-strength
general purpose cryptography library.  (OpenSSL 0.9.6b libraries are provided
for Red Hat Enterprise Linux 3 and 4 to allow compatibility with legacy
applications.)

"Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool
uncovered a null-pointer assignment in the do_change_cipher_spec()
function.  A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that uses the OpenSSL library in such a way as
to cause OpenSSL to crash.  Depending on the server this could lead to a
denial of service.  (CVE-2004-0079)

"This issue was reported as not affecting OpenSSL versions prior to 0.9.6c,
and testing with the Codenomicon Test Tool showed that OpenSSL 0.9.6b as
shipped as a compatibility library with Red Hat Enterprise Linux 3 and 4
did not crash.  However, an alternative reproducer has been written which
shows that this issue does affect versions of OpenSSL prior to 0.9.6c."

Only in RHSA-2005:829:  "Users of OpenSSL are advised to upgrade to these
updated packages, which contain a patch provided by the OpenSSL group that
protects against this issue.

"NOTE: Because server applications are affected by this issue, users are
advised to either restart all services that use OpenSSL functionality or
restart their systems after installing these updates."

Only in RHSA-2005:830:  "Note that Red Hat does not ship any applications
with Red Hat Enterprise Linux 3 or 4 that use these compatibility libraries."
Comment 18 Marc Deslauriers 2005-11-02 18:03:46 EST
yep..it affects us...we need updated packages. :(
Comment 19 David Eisenstein 2005-11-07 17:56:52 EST
The openssl-0.9.7a packages don't need the fix for CVE-2004-0079.  That issue
has been fixed for these packages.**

Since we appear to have two different families of OpenSSL packages, the
  1) openssl(xxx)-0.9.6...legacy.rpm's, which are vulnerable to this CVE, and
  2) openssl-0.9.7a...legacy.rpm's, which aren't  --

why don't we split off this newly-discovered CVE-2004-0079 issue into a new
bug ticket that just fixes the older 0.9.6{,a,b} packages?

If we do that, all that will remain to do in this ticket will be VERIFY
QA's for:
   * RH 9:  only openssl-0.9.7a-20.6.legacy binaries (which don't need
     this fix, and we already have one VERIFY QA for these);
   * FC1:  only openssl-0.9.7a-33.13.legacy binaries (which don't need
     this fix);
   * FC2:  only openssl-0.9.7a-35.2.legacy binaries (which don't need
     this fix).

and we will have to work with in the new ticket:
   * For RH 7.3:
      - (potentially) openssl095a-0.9.5a-24.7.5.legacy.src.rpm
      - openssl096-0.9.6-25.10.legacy.src.rpm
      - openssl-0.9.6b-39.9.legacy.src.rpm
   * For RH 9:
      - openssl096-0.9.6-25.11.legacy.src.rpm
      - openssl096b-0.9.6b-15.2.legacy.src.rpm
   * For FC1:
      - openssl096-0.9.6-26.2.legacy.src.rpm
      - openssl096b-0.9.6b-18.2.legacy.src.rpm
   * and for FC2:
      - openssl096b-0.9.6b-20.2.legacy.src.rpm

That way we can continue the VERIFY testing for RH9 (already verified), FC1
and FC2 for their newer openssl's (which are what those distros' other packages
use by default anyway) and close this bug sooner.

I'll be happy to open a new bug report for just the 0.9.6's and CVE-2004-0079.
Let me know?

-----

**  For openssl-0.9.7a packages for CVE-2004-0079:
  * RH7.3 doesn't have 0.9.7a packages;
  * RH9 was fixed by RHSA-2004:121-01:
<http://www.redhat.com/archives/redhat-watch-list/2004-March/msg00005.html>;
  * FC1 had a fix issued in Update Notification FEDORA-2004-095:
<http://www.redhat.com/archives/fedora-announce-list/2004-March/msg00020.html>;
  * FC2 should have been issued with this patch in place.
Comment 20 Marc Deslauriers 2005-11-07 22:07:26 EST
Let's just keep it simple and keep it all here. If you can make new 0.9.6
packages, I'll check them out myself and push them to updates-testing ASAP.

Comment 21 David Eisenstein 2005-11-08 22:59:41 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY QA for openssl for FC1 in updates-testing:

620c574712782b4e349ed1392d1d674507a146cc  openssl-0.9.7a-33.13.legacy.i386.rpm
5ce78af8e1d18ec2deb174ac6fdce6e84c68e46a  openssl-devel-0.9.7a-33.13.legacy.i386.rpm

  * Packages installed fine.
  * Packages work well with all openssl-linked applications
  * Like Tom Yates, can run openssl fine from the command-line.
  * Am using openssl-devel in compiling ethereal.  No problems encountered.

  VERIFY++ FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDcXQyxou1V/j9XZwRAjFzAKCeneIQuovPm8wYAfe82CmAsAZZbACguvMU
OnQtZQi+d/ITLy/kqBO7Q5w=
=5GZD
-----END PGP SIGNATURE-----
Comment 22 David Eisenstein 2005-11-12 20:53:33 EST
Re: comment 20

After talking on IRC, I agree, it would be simpler to keep it all in this bug
report.  It was a bad idea to split it up.

Am in the process of downloading the source rpm's for the vulnerable versions
of openssl (0.9.5, 0.9.6, 0.9.6b) to apply appropriate patches & submit updated
.src.rpm's.
Comment 23 David Eisenstein 2005-11-15 23:33:27 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for RH7.3 to review for the newly-discovered 
CVE-2004-0079 issue in openssl-0.9.6b and earlier versions of openssl.
(Am continuing to work on producing such packages for our other 3
distros and will submit them in a separate comment.)

===========_SHA1SUM_====================__==============_RPM_=====================
ccfd84dbf258db5a2999552d5bb9591150810caf__openssl095a-0.9.5a-24.7.6.legacy.src.rpm
a8d4c4da25012293e70079e464820f2c19b3a46b__openssl096-0.9.6-25.11.legacy.src.rpm
fe65e479e1a578f0f766de98259df40feb982f94__openssl-0.9.6b-39.10.legacy.src.rpm

RH7.3 Changelogs:  (n.b.:  I've munged email addresses here; they're fine
		    in the rpms.)

openssl095a-0.9.5a-24.7.6.legacy
================================
* Mon Nov 14 2005 David Eisenstein <deisenst@...>  0.9.5a-24.7.6.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.5a-24.7.5.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.5a-24.7.4.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096-0.9.6-25.11.legacy
=============================
* Mon Nov 14 2005 David Eisenstein <deisenst@...> 0.9.6-25.11.legacy
- - Add RPM_OPT_FLAGS to the compile of openssl-thread-test, as RHEL21 has.
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).

* Wed Oct 26 2005 Marc Deslauriers <marcdeslauriers@...> 0.9.6-25.10.legacy
- - Added missing zlib-devel BuildPrereq

* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.9.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.8.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)

openssl-0.9.6b-39.10.legacy
===========================
* Tue Nov 15 2005 David Eisenstein <deisenst@...> 0.9.6b-39.10.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
- - remove deprecated der_chop, as upstream cvs has done (CAN-2004-0975,
  #136302), per Michal Jaegermann in #166939 comment 12 and Nalin Dahyabhai in
  RHEL2.1's 0.9.6b-37.  Replaces patch34 (openssl-0.9.7c-tempfile.patch) with
  a new patch34 (openssl-0.9.7a-no-der_chop.patch).
- - replaced add-luna patch with new one with right license, per Tomas Mraz 
  in RHEL 2.1's 0.9.6b-39 (#158061).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6b-39.9.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6b-39.8.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDerbzxou1V/j9XZwRAnJsAJwP/a2yz+rVz7q3sM45yNiHM+mMkgCeP98X
4Z+WoVwCQaEjqKUn7Z6R4UE=
=K3CP
-----END PGP SIGNATURE-----
Comment 24 David Eisenstein 2005-11-15 23:55:52 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, I suppose it would help to indicate, for comment #23, where one can
download those RH7.3 packages for testing.

http://fedoralegacy.org/contrib/openssl/openssl095a-0.9.5a-24.7.6.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-25.11.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl-0.9.6b-39.10.legacy.src.rpm

Been a long day.  :^)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDerwUxou1V/j9XZwRAnt/AKDGAMF2HaVYmjnV+jvscAiv6nokZQCeIHUm
D6ejS+XVMHhjnFNRZqhxFCk=
=KkZd
-----END PGP SIGNATURE-----
Comment 25 David Eisenstein 2005-11-20 05:15:23 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for RH9.  Please review and comment.

===========_SHA1SUM_====================__==============_RPM_================
b4d1011200561a6b1714a6a6435fad4956b64c7a__openssl096-0.9.6-25.12.legacy.src.rpm
67249e038c2853d011c1075983c335eec9df7bac__openssl096b-0.9.6b-15.3.legacy.src.rpm

http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-25.12.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-15.3.legacy.src.rpm

RH 9 Changelogs:

openssl096-0.9.6-25.12.legacy
=============================
* Tue Nov 15 2005 David Eisenstein <deisenst@...> 0.9.6-25.12.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
* Sat Oct 22 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.11.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@...> 0.9.6-25.10.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096b-0.9.6b-15.3.legacy
==============================
* Fri Nov 18 2005 David Eisenstein <deisenst@gtw.net> 0.9.6b-15.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) 
  to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz 
  in RHEL 3's 0.9.6b-16.22.3 (#158061).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-15.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-15.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgEx1xou1V/j9XZwRArDHAKD+uOvBjJhmCYz7MaPKnYtKfXgIBACgjDmA
ldMdqJOczrf22QKdvliXpDM=
=SAb4
-----END PGP SIGNATURE-----
Comment 26 David Eisenstein 2005-11-20 05:46:24 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are source packages for FC1.  Please review and comment.

===========_SHA1SUM_====================__==============_RPM_================
2d520186611573b11141733314a812fb709df1e9__openssl096-0.9.6-26.3.legacy.src.rpm
7a909692a98cffe23bb07042a589922af56ed157__openssl096-0.9.6-26.3.legacy.i386.rpm

5d0d6eb6153468239b95b7d5f370704927be2630__openssl096b-0.9.6b-18.3.legacy.src.rpm
f781bffc92535095778a4767d91f8fc2a217b118__openssl096b-0.9.6b-18.3.legacy.i386.rpm

http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-26.3.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096-0.9.6-26.3.legacy.i386.rpm

http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-18.3.legacy.src.rpm
http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-18.3.legacy.i386.rpm

FC1 Changelogs:

openssl096-0.9.6-26.3.legacy
============================
* Mon Nov 14 2005 David Eisenstein <deisenst@gtw.net> 0.9.6-26.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6-26.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6-26.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

openssl096b-0.9.6b-18.3.legacy
==============================
* Sat Nov 19 2005 David Eisenstein <deisenst@gtw.net> 0.9.6b-18.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) 
  to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz 
  in RHEL 3's 0.9.6b-16.22.3 (#158061).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-18.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Mon Aug 29 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-18.1.legacy
- - patch for cache timing exploit CAN-2005-0109 (#166939)
- - add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgFP1xou1V/j9XZwRApMRAJ9vIcUsK/cETN0LXLyzRJCP0tzujQCeOMEy
aDSkDTm7ob1qDRKCNAwj3PM=
=nPgd
-----END PGP SIGNATURE-----
Comment 27 Pekka Savola 2005-11-20 08:27:31 EST
Only FC2 missing and we're done at last.. :)
Comment 28 David Eisenstein 2005-11-20 17:55:07 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

And finally, here is the source package for FC2.  Please review and comment.

===========_SHA1SUM_====================__==============_RPM_===================
2055d5a4a2743b2a031f704ca5b79819b5be89fc  openssl096b-0.9.6b-20.3.legacy.src.rpm

http://fedoralegacy.org/contrib/openssl/openssl096b-0.9.6b-20.3.legacy.src.rpm

FC2 Changelogs:

* Sat Nov 19 2005 David Eisenstein <deisenst@gtw.net> 0.9.6b-20.3.legacy
- - Add patch to fix null-pointer dereference DoS, CVE-2004-0079  (#166939)
- - As per RHEL3, add security fix for CVE-2003-0851 (deep recursion patch) 
  to sync with RHEL 2.1AS (or RH7.3, in our case).
- - Change spec define thread_test_threads from 100 to 10 for a reasonable
  build time (a la RHEL).
- - Replaced add-luna patch with new one with right license, per Tomas Mraz 
  in RHEL 3's 0.9.6b-16.22.3 (#158061).

* Sat Oct 22 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-20.2.legacy
- - Add extra patch to fix CAN-2005-0109
- - Patch to prevent version rollback, CAN-2005-2969 (#166939)

* Sun Aug 28 2005 Jeff Sheltren <sheltren@cs.ucsb.edu> 0.9.6b-20.1.legacy
- - Patch for cache timing, CAN-2005-0109 (#166939)
- - Add missing buildreq: zlib-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDgP7Axou1V/j9XZwRAsMkAKCZ1bTNgM66JRoFGMcLJUBiX1O8kwCfUn3E
TC18PZw+2T65cHoO9wsP6Qc=
=Bsj5
-----END PGP SIGNATURE-----
Comment 29 David Eisenstein 2005-11-20 18:44:03 EST
Created attachment 121284 [details]
Original comment 25.

Due to limitations in Bugzilla's web interface, comment 25 was corrupted in
transmission and does not properly verify.  Attached is the original comment 25
(submission of RH9 source packages for openssl096 and openssl096b).
Comment 30 Pekka Savola 2005-11-21 08:20:13 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - recursion and 0079 patches identical to RHEL, and exist in all
   versions; other patches just cleanups.
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
fe65e479e1a578f0f766de98259df40feb982f94  openssl-0.9.6b-39.10.legacy.src.rpm
ccfd84dbf258db5a2999552d5bb9591150810caf  openssl095a-0.9.5a-24.7.6.legacy.src.rpm
a8d4c4da25012293e70079e464820f2c19b3a46b  openssl096-0.9.6-25.11.legacy.src.rpm
b4d1011200561a6b1714a6a6435fad4956b64c7a  openssl096-0.9.6-25.12.legacy.src.rpm
67249e038c2853d011c1075983c335eec9df7bac  openssl096b-0.9.6b-15.3.legacy.src.rpm
2d520186611573b11141733314a812fb709df1e9  openssl096-0.9.6-26.3.legacy.src.rpm
5d0d6eb6153468239b95b7d5f370704927be2630  openssl096b-0.9.6b-18.3.legacy.src.rpm
2055d5a4a2743b2a031f704ca5b79819b5be89fc  openssl096b-0.9.6b-20.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDgcmrGHbTkzxSL7QRAt5QAJ41AS7ILauwgRxrLSpYPrkB6JU/vACg1kMr
vMCYJVFUSCOA5eB+uyg/FCg=
=GfZ8
-----END PGP SIGNATURE-----
Comment 31 Marc Deslauriers 2005-11-24 20:06:26 EST
Updated packages were pushed to updates-testing.
Comment 32 Pekka Savola 2005-11-28 13:19:26 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73 and RHL9:
 - signatures OK
 - upgrades went fine
 - restarted a couple of daemons using openssl (new and old libs),
   continued to work fine.

+VERIFY RHL73,RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDi0qvGHbTkzxSL7QRAgRwAJ9ReybKzHopJTXuE7kM2Wqgax7qKACeOOcr
YJeQ0RxyNmVs7bWhBROAWhI=
=yq7x
-----END PGP SIGNATURE-----
Comment 33 Jim Popovitch 2005-12-04 22:00:03 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

++VERIFIED RH73

Works well in production systems using https and sshd.

1c00535c2fd6314aba666132c49b62850387fa2e  openssl-0.9.6b-39.10.legacy.i386.rpm

- -Jim P.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDk63oCgSTzgd8+fwRAmbYAJsH+LsbvpKbBeg+WhwvbFOmvHuBeACgsjLf
CwT6pYMtF4Ugk0f9kaKrsww=
=gb4x
-----END PGP SIGNATURE-----
Comment 34 Pekka Savola 2005-12-13 00:48:59 EST
Timeout over.
Comment 35 Marc Deslauriers 2005-12-18 00:05:20 EST
Packages were released.
