-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 2004-005
                 =================================

Topic:          Denial of service vulnerabilities in OpenSSL

Version:        NetBSD-current:   source prior to March 22, 2004
                NetBSD 2.0:       branch unaffected, release will include the fix
                NetBSD 1.6.2:     affected
                NetBSD 1.6.1:     affected
                NetBSD 1.6:       affected
                NetBSD 1.5.3:     affected
                NetBSD 1.5.2:     affected
                NetBSD 1.5.1:     affected
                NetBSD 1.5:       affected
                pkgsrc:           security/openssl packages prior to 0.9.6m

Severity:       Possible denial of service, depending on the application

Fixed:          NetBSD-current:     March 22, 2004
                NetBSD-1.6 branch:  April 2, 2004 (1.6.3 will include the fix)
                NetBSD-1.5 branch:  April 7, 2004
                pkgsrc:             openssl-0.9.6m corrects this issue


Abstract
========

There are two distinct denial of service vulnerabilities addressed by
this advisory:

1. Null-pointer assignment during SSL handshake

   A carefully crafted SSL/TLS handshake against a server which uses the
   OpenSSL library may result in a crash. Depending on how the
   application uses the OpenSSL library, this may result in a denial of
   service.

2. Out-of-bounds read affects Kerberos ciphersuites

   A second flaw in the SSL/TLS handshake could cause a server configured
   to use the Kerberos ciphersuites to crash if a carefully crafted
   sequence of packets is sent by an attacker.


Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libcrypto and
libssl libraries by updating your source tree and rebuilding and
installing new versions.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2004-03-22
        should be upgraded to NetBSD-current dated 2004-03-23 or later.
        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P crypto/dist/openssl
                # cd lib/libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../lib/libssl
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.6, 1.6.1, 1.6.2:

        The binary distributions of NetBSD 1.6, 1.6.1 and 1.6.2 are
        vulnerable.

        Systems running NetBSD 1.6 sources dated from before 2004-04-02
        should be upgraded from NetBSD 1.6 sources dated 2004-04-03 or
        later. NetBSD 1.6.3 will include the fix.

        The following directories need to be updated from the netbsd-1-6
        CVS branch:
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P -r netbsd-1-6 crypto/dist/openssl
                # cd lib/libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install
                # cd ../../lib/libssl
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

        The binary distributions of NetBSD 1.5 to 1.5.3 are vulnerable.

        Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
        from before 2004-04-07 should be upgraded from NetBSD 1.5.*
        sources dated 2004-04-08 or later.

        The following directories need to be updated from the netbsd-1-5
        CVS branch:
                crypto/dist/openssl

        To update from CVS, re-build, and re-install libcrypto and libssl:

                # cd src
                # cvs update -d -P -r netbsd-1-5 crypto/dist/openssl
                # cd lib/libcrypto
                # make cleandir dependall
                # make install
                # cd ../../lib/libssl
                # make cleandir dependall
                # make install


Revision History
================

        2004-04-21      Initial release
        2004-04-25      Note USETOOLS=no in libcrypto for 1-6
        2004-06-10      Cleanup 1-6 instructions, noted by abs.


More Information
================

Advisories may be updated as new information becomes available.
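The Version and Fixed fields of this advisory give the affected pkgsrc range as security/openssl packages prior to 0.9.6m. The script below is an added example, not part of the advisory and not a NetBSD tool: it pulls the version out of the output of "openssl version" or "pkg_info -e openssl" (both assumed to be available on the host being checked), orders OpenSSL version strings the way OpenSSL numbers its patch releases (0.9.6 < 0.9.6a < ... < 0.9.6m), and reports whether the installed version is below 0.9.6m. It decides only what the advisory states: anything below 0.9.6m is affected, 0.9.6m and later 0.9.6 releases are fixed, and other branches are reported as not covered here.

```shell
#!/bin/sh
# Added example (not part of the NetBSD advisory or of NetBSD's tools):
# decide whether an OpenSSL version string falls in the range the
# advisory lists for pkgsrc ("security/openssl packages prior to 0.9.6m").

FIXED_VERSION="0.9.6m"   # from the advisory: openssl-0.9.6m corrects this issue

# version_key: turn "0.9.6l" into four integers "major minor fix suffix".
# The letter suffix is ranked base-27 so that "" < a < ... < z < za, i.e.
# a double-letter patch release sorts after every single-letter one.
version_key() {
    num=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')
    letters=$(printf '%s\n' "$1" | sed 's/^[0-9.]*//')
    major=${num%%.*}; rest=${num#*.}
    minor=${rest%%.*}; fix=${rest#*.}
    rank=0
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}        # first character of the suffix
        letters=${letters#?}
        rank=$(( rank * 27 + $(printf '%d' "'$c") - 96 ))   # 'a' is ASCII 97
    done
    printf '%d %d %d %d\n' "$major" "$minor" "$fix" "$rank"
}

# version_lt A B: exit status 0 when version A sorts before version B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")
    [ "$1" -lt "$5" ] && return 0; [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0; [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0; [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ]
}

# openssl_is_vulnerable STRING: STRING is the output of "openssl version"
# (e.g. "OpenSSL 0.9.6l 4 Nov 2003") or a pkgsrc package name such as
# "openssl-0.9.6l". Exit status: 0 = below 0.9.6m (affected), 1 = 0.9.6m
# or a later 0.9.6 release (fixed), 2 = no version found or a branch this
# advisory does not cover (e.g. 0.9.7).
openssl_is_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "cannot find an OpenSSL version in: $1" >&2
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        return 0
    elif [ "${ver%%[a-z]*}" = "0.9.6" ]; then
        return 1
    else
        echo "version $ver is not on the 0.9.6 branch this advisory covers" >&2
        return 2
    fi
}

# Constructed sample inputs (not taken from a real host) showing each outcome.
# On a NetBSD host use the real strings instead:
#   openssl_is_vulnerable "$(openssl version)"
#   openssl_is_vulnerable "$(pkg_info -e openssl)"
for sample in "openssl-0.9.6l" "OpenSSL 0.9.6m 17 Mar 2004" "OpenSSL 0.9.7d 17 Mar 2004"; do
    rc=0
    openssl_is_vulnerable "$sample" || rc=$?
    case $rc in
        0) echo "AFFECTED:    $sample" ;;
        1) echo "fixed:       $sample" ;;
        *) echo "not covered: $sample" ;;
    esac
done
```

The comparison is done on the parsed fields rather than with a plain string compare because "0.9.6l" sorts after "0.9.6" but before "0.9.6m" only once the letter suffix is ranked separately from the numeric part; a lexical compare would also misorder "0.9.10" against "0.9.6" if that ever arose.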
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-005.txt,v 1.5 2004/06/10 14:12:09 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iQCVAwUBQMhsrD5Ru2/4N2IFAQHyCwQAlsRLlcKRuxY3XNcMyBGDuZuuliVmIjVV
T/we6UNMOo58e7F0zXHJMo3lsY7YL2kkdpiSCWcjgu3YWt/nF72M9hFj/iwmrGqE
eTwtIrhoUzml9qsGvpdZ0fsjHnpge69TU8VZMAHMPCxfmf7y3qaHKfAX2xSPT+sq
McVv5ga0XV0=
=smeC
-----END PGP SIGNATURE-----