Subject: NetBSD Security Advisory 2004-003: OpenSSL 0.9.6 ASN.1 parser vulnerability
To: None <tech-security@NetBSD.org, current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 02/19/2004 08:36:46
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2004-003
		 =================================

Topic:		OpenSSL 0.9.6 ASN.1 parser vulnerability

Version:	NetBSD-current:	sources prior to 2003/07/24
		NetBSD 1.6.1:	affected
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		packages prior to (including) 0.9.6k

Severity:	possible remote denial-of-service

Fixed:		NetBSD-current:		July 24, 2003
		NetBSD-1.6 branch:	November 8, 2003 (1.6.2 will include the fix)
		NetBSD-1.5 branch:	November 7, 2003
		pkgsrc:			openssl-0.9.6l corrects this issue


Abstract
========

OpenSSL 0.9.6k ASN.1 parser had a possible denial-of-service
vulnerability.

This vulnerability is different from 2003-017.

OpenSSL 0.9.7 is not affected.


Technical Details
=================

http://www.kb.cert.org/vuls/id/412478

http://www.openssl.org/news/secadv_20031104.txt


Solutions and Workarounds
=========================

Release of NetBSD 1.6.2 is imminent. This is a reminder
to consider upgrading when they are available, if you are running
anything older than NetBSD 1.6  Many security-related improvements
have been made.

NetBSD 1.6.2 may be considered a binary patch for this advisory.

* Rebuilding from source:

libcrypto and libssl have to be rebuilt.

The following instructions describe how to upgrade your libcrypto and
libssl binaries by updating your source tree and rebuilding and
installing a new version of libcrypto and libssl.

* NetBSD-current:

	NetBSD-current has included the OpenSSL 0.9.7 series since July 24,
	2003, therefore upgrading to sources after July 24, 2003 is required.


* NetBSD 1.6, 1.6.1:

	The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable.

	Systems running NetBSD 1.6 sources dated from before
	2003-11-07 should be upgraded from NetBSD 1.6 sources dated
	2003-11-08 or later.

	NetBSD 1.6.2 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl:

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		# make cleandir dependall
		# make install

* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distribution of NetBSD 1.5 to 1.5.3 are vulnerable.   

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2003-11-06 should be upgraded from NetBSD 1.5.*
	sources dated 2003-11-07 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/openssl

	To update from CVS, re-build, and re-install libcrypto and libssl:

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/openssl

		# cd lib/libcrypto
		# make cleandir dependall
		# make install
		# cd ../../lib/libssl
		# make cleandir dependall
		# make install


Thanks To
=========

Dr Stephen Henson


Revision History
================

	2004-02-18	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-003.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2004, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2004-003.txt.asc,v 1.3 2004/02/19 02:19:40 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)

iQCVAwUBQDQeIT5Ru2/4N2IFAQFeCQP8Cr1sGqZ/FNuhpF4PDtJKIBoeOXcYsBfQ
7P0Egqv++IrrpgUZTmGrBC/OEGJ0Rn4L6psZBaw/s+xZ9H4Im0q8EWwqttKNkbaI
Nt+AEidrHy0rZyKjmrFORu14y4yaxIX/xGX/8vtKekrH/C/TY52Ke43OpxBris+d
h2dIfjWUaKU=
=yyjs
-----END PGP SIGNATURE-----