[Kolab-announce] Security Advisory 04 for Kolab Server (openssl)
Bernhard Herzog
bh at intevation.de
Fri Oct 14 22:52:43 CEST 2005
Kolab Security Issue 04 20051014
================================
Package: openssl
Vulnerability: Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific: no
Dependent Packages: apache imapd openldap perl-ssl php postfix proftpd sasl
Summary
-------
According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using
neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
Also, applications that disable use of SSL 2.0 are not affected.
Affected Versions
-----------------
OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
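As an added example that is not part of the advisory, the following POSIX shell script classifies the output of the version query above against the fixed package openssl-0.9.7g-2.4.2 named in the Fixes section; the function names and the component-wise comparison rules (numbers first, then a letter suffix such as the g in 0.9.7g) are my assumptions about the OpenPKG naming scheme, not something the advisory states.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify one line of
#   /kolab/bin/openpkg rpm -q openssl
# output against the fixed OpenPKG package openssl-0.9.7g-2.4.2.
# Assumed naming scheme: openssl-<upstream version>-<OpenPKG release>.
FIXED_VERSION="0.9.7g"   # upstream OpenSSL version of the fixed package
FIXED_RELEASE="2.4.2"    # OpenPKG release of the fixed package

# Compare one version component each ("7g" vs "7h", "10" vs "9"):
# numeric prefix first, then any letter suffix. Prints -1, 0 or 1.
cmp_component() {
  na=${1%%[!0-9]*}; sa=${1#"$na"}; na=${na:-0}
  nb=${2%%[!0-9]*}; sb=${2#"$nb"}; nb=${nb:-0}
  if [ "$na" -lt "$nb" ]; then echo -1
  elif [ "$na" -gt "$nb" ]; then echo 1
  elif [ "$sa" = "$sb" ]; then echo 0
  elif [ "$(printf '%s\n%s\n' "$sa" "$sb" | sort | head -n 1)" = "$sa" ]; then echo -1
  else echo 1
  fi
}
# Compare dotted versions ("0.9.7g" vs "0.9.8"). Prints -1, 0 or 1.
vercmp() {
  i=1
  while :; do
    # trailing dot makes cut print "" (not the whole line) past the end
    ca=$(printf '%s.' "$1" | cut -d. -f "$i")
    cb=$(printf '%s.' "$2" | cut -d. -f "$i")
    if [ -z "$ca" ] && [ -z "$cb" ]; then echo 0; return; fi
    r=$(cmp_component "${ca:-0}" "${cb:-0}")
    if [ "$r" != 0 ]; then echo "$r"; return; fi
    i=$((i + 1))
  done
}
# Exit status 0: installed package is affected; 1: fixed or newer;
# 2: not an openssl package name (e.g. "package openssl is not installed").
openssl_affected() {
  case $1 in
    openssl-*-*) ;;
    *) return 2 ;;
  esac
  nvr=${1#openssl-}
  ver=${nvr%-*}    # upstream version, e.g. 0.9.7g
  rel=${nvr##*-}   # OpenPKG release, e.g. 2.4.1
  r=$(vercmp "$ver" "$FIXED_VERSION")
  if [ "$r" = 0 ]; then r=$(vercmp "$rel" "$FIXED_RELEASE"); fi
  [ "$r" = -1 ]
}
if [ -x /kolab/bin/openpkg ]; then
  openssl_affected "$(/kolab/bin/openpkg rpm -q openssl)" && echo "AFFECTED: update openssl"
fi
```

On a host without /kolab/bin/openpkg the script only defines the functions; pass the package name string to openssl_affected yourself to classify it.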
Fixes
-----
Note: The fix described here is for Kolab server 2.0.1. If you still
run an older version, please upgrade to 2.0.1 first.
Since SSLv2 can't be disabled via a configuration setting for all
services running on a Kolab server, the OpenSSL package has to be
updated and the dependent packages have to be rebuilt so that they use
the new OpenSSL version.
The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the
usual Kolab mirrors under the directory security-updates/20051014/.
While the mirrors are catching up, you can also get the files via rsync:
# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .
If you have installed the Kolab server from sources, download the
directory security-updates/20051014/sources/
If you installed the ix86-debian3.0 binaries, download
security-updates/20051014/ix86-debian3.0/
Both directories contain the new OpenSSL package plus obmtool and
obmtool.conf, as in a Kolab release. In addition, the ix86-debian3.0
directory contains updated binaries of the dependent packages.
In both cases, download all files in the appropriate directory, chdir
into the downloaded directory and run
/kolab/bin/openpkg rc all stop
./obmtool kolab
This will install the new openssl package and rebuild/reinstall the
dependent packages. Afterwards start the server again, making sure to
regenerate the config files as you would for a normal Kolab server
update.
Details
-------
http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
OpenPKG Security Advisory OpenPKG-SA-2005.022
http://www.openssl.org/news/secadv_20051011.txt
OpenSSL Security Advisory on the vendor's site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
Common Vulnerabilities and Exposures (CVE): CAN-2005-2969
Timeline
--------
20051011 OpenSSL vendor released patch and new versions containing the fix
20051011 OpenPKG created new package containing the fix, not yet announced
20051014 Kolab update and security advisory published