[Kolab-announce] Security Advisory 04 for Kolab Server (openssl)

Bernhard Herzog bh at intevation.de
Fri Oct 14 22:52:43 CEST 2005


Kolab Security Issue 04 20051014

Package:              openssl
Vulnerability:        Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific:       no
Dependent Packages:   apache imapd openldap perl-ssl php postfix proftpd sasl

-------

According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using
neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
Also, applications that disable use of SSL 2.0 are not affected.

Affected Versions
-----------------

OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
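To make the version check above mechanical, the following POSIX sh script (an added example, not part of the advisory or of the Kolab/OpenPKG tools) parses the NAME-VERSION-RELEASE string that `/kolab/bin/openpkg rpm -q openssl` is assumed to print, and reports whether the installed package is at or below the affected openssl-0.9.7g-2.4.1 or already at the fixed 0.9.7g-2.4.2. The output format of `openpkg rpm -q` and the path of the openpkg binary are assumptions; the version numbers come from this advisory.

```shell
#!/bin/sh
# Added example for Kolab Security Issue 04 (CAN-2005-2969).
# Affected: OpenPKG openssl-0.9.7g-2.4.1 and earlier. Fixed: openssl-0.9.7g-2.4.2.
# Assumption: `openpkg rpm -q openssl` prints "openssl-<version>-<release>".

# version_le A B: return 0 if dotted numeric A <= B, compared component-wise
# (so "2.4.10" is newer than "2.4.2", which a plain string compare would get wrong).
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=""; else b=${b#*.}; fi
        ax=${ax:-0}; bx=${bx:-0}
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 0
}

# openssl_affected "openssl-0.9.7g-2.4.1"
#   returns 0 -> affected, update needed
#           1 -> fixed release (2.4.2 or later of the 0.9.7g line)
#           2 -> cannot decide automatically (unexpected string or other upstream version)
openssl_affected() {
    pkg="$1"
    case "$pkg" in
        openssl-*) rest=${pkg#openssl-} ;;
        *) return 2 ;;
    esac
    ver=${rest%-*}     # upstream version, e.g. 0.9.7g
    rel=${rest##*-}    # OpenPKG release, e.g. 2.4.1
    # No "-" separator: the string is not NAME-VERSION-RELEASE.
    if [ "$ver" = "$rel" ]; then return 2; fi
    # The advisory only classifies the 0.9.7g packaging line; anything else
    # (an older or newer upstream version) has to be checked by hand.
    if [ "$ver" != "0.9.7g" ]; then return 2; fi
    if version_le "$rel" "2.4.1"; then return 0; else return 1; fi
}

# When run on a Kolab server, query the installed package (path is an assumption).
if [ -x /kolab/bin/openpkg ]; then
    installed=$(/kolab/bin/openpkg rpm -q openssl)
    rc=0
    openssl_affected "$installed" || rc=$?
    case $rc in
        0) echo "$installed: AFFECTED - install openssl-0.9.7g-2.4.2 and rebuild dependent packages" ;;
        1) echo "$installed: not affected" ;;
        *) echo "$installed: cannot decide automatically, compare against 0.9.7g-2.4.2 by hand" ;;
    esac
fi
```

Because the advisory says the dependent packages (apache, imapd, openldap, perl-ssl, php, postfix, proftpd, sasl) must be rebuilt against the new library, a passing version check on openssl alone is not sufficient; the rebuild step in the fix section still has to be carried out.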

-----

Note: The fix described here is for Kolab server 2.0.1.  If you still
run an older version, please upgrade to 2.0.1 first.

Since SSLv2 can't be disabled via a configuration setting for all
services running on a Kolab server, the OpenSSL package has to be
updated and the dependent packages have to be rebuilt so that they use
the new OpenSSL version.

The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the
usual kolab mirrors under the directory security-updates/20051014/ .
While the mirrors are catching up, you can also get the files via rsync:
# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .

If you have installed the Kolab server from sources, download the
directory security-updates/20051014/sources/

If you installed the ix86-debian3.0 binaries, download

Both directories contain the new OpenSSL package plus obmtool and
obmtool.conf, as in a Kolab release.  In addition, the ix86-debian3.0
directory contains updated binaries of the dependent packages.

In both cases, download all files in the appropriate directory, chdir
into the downloaded directory and run

  /kolab/bin/openpkg rc all stop
  ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the
dependent packages.  Afterwards, start the server again, making sure to
regenerate the config files as you would for a normal Kolab server.

-------

	OpenPKG Security Advisory OpenPKG-SA-2005.022

	OpenSSL Security Advisory on the vendor's site

	Common Vulnerabilities and Exposures (CVE): CAN-2005-2969

--------
    20051011 OpenSSL vendor released patch and new versions containing the fix
    20051011 OpenPKG created new package containing the fix, not yet announced
    20051014 Kolab update and security advisory published
