Subject: NetBSD Security Advisory 2004-005: Denial of service vulnerabilities in OpenSSL
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 04/21/2004 14:13:52
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2004-005
		 =================================

Topic:		Denial of service vulnerabilities in OpenSSL

Version:	NetBSD-current:	source prior to March 22, 2004
		NetBSD 2.0:	branch unaffected, release will include the fix
		NetBSD 1.6.2:	affected
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD 1.5.3:	affected
		NetBSD 1.5.2:	affected
		NetBSD 1.5.1:	affected
		NetBSD 1.5:	affected
		pkgsrc:		security/openssl packages prior to 0.9.6m

Severity:	Possible denial of service, depending on the application

Fixed:		NetBSD-current:		March 22, 2004
		NetBSD-1.6 branch:	April  2, 2004
					(1.6.3 will include the fix)
		NetBSD-1.5 branch:	April  7, 2004
		pkgsrc:			openssl-0.9.6m corrects this issue


Abstract
========

There are two distinct denial of service vulnerabilities addressed by this
advisory:

	1. Null-pointer assignment during SSL handshake

	A carefully crafted SSL/TLS handshake against a server which
	uses the OpenSSL library may result in a crash.  Depending on how
	the application uses the OpenSSL library, this may result in a
	denial of service.


	2. Out-of-bounds read affects Kerberos ciphersuites

	A second flaw in the SSL/TLS handshake could cause a server
	configured to use the Kerberos ciphersuites to crash if a carefully
	crafted sequence of packets is sent by an attacker.



Solutions and Workarounds
=========================

The following instructions describe how to upgrade your libcrypto and libssl
libraries by updating your source tree and rebuilding and
installing a new versions.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2004-03-22
	should be upgraded to NetBSD-current dated 2004-03-23 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl
		# cd src
		# cvs update -d -P crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6, 1.6.1, 1.6.2:

	The binary distribution of NetBSD 1.6, 1.6.1 and 1.6.2 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2004-04-02 should be upgraded from NetBSD 1.6 sources dated
	2004-04-03 or later.

	NetBSD 1.6.3 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.   

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2004-04-07 should be upgraded from NetBSD 1.5.*
	sources dated 2004-04-08 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl

		# make cleandir dependall
		# make install

Revision History
================

	2004-04-21	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-005.txt,v 1.3 2004/04/21 17:34:50 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQIax0z5Ru2/4N2IFAQHjFwP7B6JP4OrQsPrCgSYkUxpuw4oQ0n9kOB7J
rEM+aA9/9nrtbc95vuFhjaiahUop91I9oPxNkKjoflaqNyrtGM18U+um5iCv/cJV
0aBih+cyv7hWylcxrTwZ35QuxpFOz253mpCPpKDk4YC8zDjvQDDOoCIz+854WdDe
5MM5tkgTqPU=
=gjxz
-----END PGP SIGNATURE-----