Bug 74094 - OpenSSL bounds checking problem
Product: Red Hat Linux
Classification: Retired
Component: openssl
Hardware/OS: All / Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Security
Reported: 2002-09-15 16:30 EDT by Need Real Name
Modified: 2007-03-26 23:57 EDT
Doc Type: Bug Fix
Last Closed: 2002-09-15 16:30:25 EDT
Attachments: None
Description Need Real Name 2002-09-15 16:30:19 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020607

Description of problem:
There exists a buffer overflow bug in all versions of OpenSSL < 0.9.6e which
affects (among other things) Apache server using mod_ssl.  For details, please
see the URL http://online.securityfocus.com/bid/5363 which describes the problem
in more detail than I could...

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. N/A

Actual Results:  N/A

Expected Results:  N/A

Additional info:

I realize that a large part of the problem is that the OpenSSL team keeps
breaking binary compatibility without updating the version number (besides a
silly letter at the end), but you guys aren't really doing a very good job of
keeping up with OpenSSL updates, and now we have a serious problem.

Because you have decided to work around the version problem by bumping up the
version number on the shared library, it is now also virtually impossible for
administrators to update OpenSSL on our own without having to recompile a whole
bunch of other programs.  You have created a fictional shared library which is
incompatible with the way the rest of the world manages dependencies upon
OpenSSL, which is and should be still at libcrypto.0, et al.

This problem manifests itself in other ways, too; i.e. Apache 2.0 depends upon
OpenSSL 0.9.6e or greater, so it's a great deal of work to get it working on Red
Hat, for the same reasons as above.

I understand (at least partially) the difficulties, but I really think you need
to find a better way to work around the versioning issues.  Though actually, if
you have a document somewhere that addresses the problem in detail, especially
if it has a sensible work-around to these problems, I'd certainly like to know
about that.

Comment 1 Mark J. Cox 2002-09-17 05:37:00 EDT
We fixed the OpenSSL vulnerabilities by backporting the security fixes, see

http://rhn.redhat.com/errata/RHSA-2002-155.html and

> Apache 2.0 depends upon OpenSSL 0.9.6e or greater

This was actually a mistake by the Apache group made in a commit at the last
minute of a release without the consequences being thought through.  The next
Apache 2.0 release simply warns about the OpenSSL version number.
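Added example (not part of the bug report, and not Red Hat's or Apache's own tooling): the comment above explains that Red Hat shipped the fix as a backport, so the package still reports an "old" OpenSSL version string. A scanner that only asks "is OpenSSL >= 0.9.6e?" therefore flags a patched Red Hat host as vulnerable, which is exactly the confusion behind this report. The script below contrasts that naive version comparison with a check of the package changelog for the advisory ID. The version strings, changelog entries, packager name and release numbers are constructed for the example; on a real system the inputs would come from `openssl version` and `rpm -q --changelog openssl`.

```shell
#!/bin/sh
# Added example: naive upstream-version check versus a changelog check for a
# backported fix. All sample data below is constructed, not captured.

# Constructed outputs of `openssl version` (not real captures).
SAMPLE_VERSION_OLD='OpenSSL 0.9.6b [engine] 9 Jul 2001'
SAMPLE_VERSION_NEW='OpenSSL 0.9.6g [engine] 9 Aug 2002'

# Constructed `rpm -q --changelog openssl` output; packager and release
# numbers are hypothetical. The patched one names the advisory.
SAMPLE_CHANGELOG_PATCHED='* Wed Jul 31 2002 Example Packager <packager@example.com> 0.9.6b-24
- backport the fixes for the vulnerabilities listed in RHSA-2002-155
* Mon Jun 10 2002 Example Packager <packager@example.com> 0.9.6b-23
- rebuild'
SAMPLE_CHANGELOG_UNPATCHED='* Mon Jun 10 2002 Example Packager <packager@example.com> 0.9.6b-23
- rebuild'

# "OpenSSL 0.9.6b [engine] ..." -> "0.9.6b"
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# "0.9.6b" -> "0 9 6 b"; a missing letter becomes "0", which sorts before
# "a" in the ordinal comparison below (0.9.6 < 0.9.6a, as OpenSSL intends).
split_ver() {
    printf '%s\n' "$1" \
      | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\([a-z]*\)$/\1 \2 \3 \4/p' \
      | awk '{ if (NF == 3) $4 = "0"; print }'
}

# ASCII value of the first character (POSIX printf leading-quote form).
ord() { printf '%d' "'$1"; }

# Compare two 0.9.x-style OpenSSL versions; prints -1, 0 or 1.
vercmp() {
    set -- $(split_ver "$1") $(split_ver "$2")
    [ $# -eq 8 ] || { printf 'vercmp: unparsable version\n' >&2; return 2; }
    for pair in "$1:$5" "$2:$6" "$3:$7"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    la=$(ord "$4"); lb=$(ord "$8")
    if   [ "$la" -lt "$lb" ]; then printf '%s\n' -1
    elif [ "$la" -gt "$lb" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# Naive check: fixed only if the upstream version is >= 0.9.6e.
naive_verdict() {
    ver=$(openssl_version_token "$1")
    if [ "$(vercmp "$ver" 0.9.6e)" -ge 0 ]; then printf 'fixed\n'
    else printf 'vulnerable\n'; fi
}

# Distribution-aware check: $1 is `openssl version` output, $2 the package
# changelog. Prints upstream-fixed, backport-fixed or vulnerable.
assess_openssl() {
    ver=$(openssl_version_token "$1")
    if [ "$(vercmp "$ver" 0.9.6e)" -ge 0 ]; then
        printf 'upstream-fixed\n'
    elif printf '%s\n' "$2" | grep -q 'RHSA-2002-155'; then
        printf 'backport-fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# Stand-alone demonstration: the patched Red Hat host is the interesting row.
for case in "OLD:PATCHED" "OLD:UNPATCHED" "NEW:UNPATCHED"; do
    eval v=\$SAMPLE_VERSION_${case%%:*}
    eval c=\$SAMPLE_CHANGELOG_${case#*:}
    printf '%-14s naive=%-10s changelog-aware=%s\n' "$case" \
        "$(naive_verdict "$v")" "$(assess_openssl "$v" "$c")"
done
```

The changelog grep is a heuristic that depends on the packager naming the advisory; the authoritative check is the installed package's name-version-release against the erratum (RHSA-2002-155 here), and the same caveat applies to any scanner that fingerprints a banner instead of the package.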
