[Kolab-announce] Security Advisory 04 for Kolab Server (openssl)
bh at intevation.de
Fri Oct 14 22:52:43 CEST 2005
Kolab Security Issue 04 20051014
Vulnerability: Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific: no
Dependent Packages: apache imapd openldap perl-ssl php postfix proftpd sasl
According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using
neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
Also, applications that disable use of SSL 2.0 are not affected.
OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
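The following Python is an added triage helper, not part of the Kolab or OpenPKG advisory. It encodes the affectedness rule stated above: it parses the package string printed by `openpkg rpm -q openssl`, compares it with the fixed package openssl-0.9.7g-2.4.2, and applies the per-application test on SSL_CTX option names. The option name SSL_OP_NO_SSLv2 is OpenSSL's own switch for disabling SSL 2.0 and is an assumption, since the advisory does not name it.

```python
import re

# Fixed OpenPKG package named in the advisory; anything older is affected.
FIXED_PACKAGE = "openssl-0.9.7g-2.4.2"

# Options named in the advisory. SSL_OP_ALL turns on
# SSL_OP_MSIE_SSLV2_RSA_PADDING, so either one triggers the condition.
TRIGGER_OPTIONS = {"SSL_OP_MSIE_SSLV2_RSA_PADDING", "SSL_OP_ALL"}

def _upstream_key(text):
    """'0.9.7g' -> ((0, 9, 7), 'g'); a missing patch letter sorts first."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if not m:
        raise ValueError("bad OpenSSL version: %r" % text)
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)

def parse_package(pkg):
    """Turn the output of `openpkg rpm -q openssl`, e.g. 'openssl-0.9.7g-2.4.1',
    into a comparable key ((upstream numbers, letter), release numbers)."""
    m = re.fullmatch(r"openssl-([0-9a-z.]+)-([0-9.]+)", pkg.strip())
    if not m:
        raise ValueError("unexpected package string: %r" % pkg)
    release = tuple(int(n) for n in m.group(2).split("."))
    return _upstream_key(m.group(1)), release

def package_is_affected(pkg):
    """True when the installed package predates openssl-0.9.7g-2.4.2."""
    return parse_package(pkg) < parse_package(FIXED_PACKAGE)

def application_is_exposed(options):
    """Advisory rule for one SSL_CTX: exposed if it sets the MSIE padding
    option (directly or via SSL_OP_ALL) and has not disabled SSL 2.0.
    SSL_OP_NO_SSLv2 is OpenSSL's switch for that (assumed, not in the advisory)."""
    options = set(options)
    if "SSL_OP_NO_SSLv2" in options:
        return False
    return bool(options & TRIGGER_OPTIONS)

def triage(pkg, options):
    """One verdict for a host: 'patched', 'not exposed' or 'affected'."""
    if not package_is_affected(pkg):
        return "patched"
    if not application_is_exposed(options):
        return "not exposed"
    return "affected"

if __name__ == "__main__":
    # Constructed sample: a pre-fix package and a service that sets SSL_OP_ALL.
    print(triage("openssl-0.9.7g-2.4.1", {"SSL_OP_ALL"}))  # affected
```

Feed `triage` the real `openpkg rpm -q openssl` output and the options each service's SSL_CTX sets; a "not exposed" verdict still leaves the old package installed and should not replace the rebuild described below.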
Note: The fix described here is for Kolab server 2.0.1. If you still
run an older version, please upgrade to 2.0.1 first.
Since SSLv2 can't be disabled via a configuration setting for all
services running on a Kolab server, the OpenSSL package has to be
updated and the dependent packages have to be rebuilt so that they use
the new OpenSSL version.
The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the
usual Kolab mirrors under the directory security-updates/20051014/ .
While the mirrors are catching up, you can also get the files via rsync:
# rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .
If you have installed the Kolab server from sources, download the
If you installed the ix86-debian3.0 binaries, download
Both directories contain the new OpenSSL package plus obmtool and
obmtool.conf, as in a Kolab release. In addition, the ix86-debian3.0
directory contains updated binaries of the dependent packages.
In both cases, download all files in the appropriate directory, chdir
into the downloaded directory and run
/kolab/bin/openpkg rc all stop
This will install the new openssl package and rebuild/reinstall the
dependent packages. Afterwards start the server again, making sure to
regenerate the config files as you would for a normal Kolab server
OpenPKG Security Advisory OpenPKG-SA-2005.022
OpenSSL Security Advisory on the vendor's site
Common Vulnerabilities and Exposures (CVE): CAN-2005-2969
20051011 OpenSSL vendor released patch and new versions containing the fix
20051011 OpenPKG created new package containing the fix, not yet announced
20051014 Kolab update and security advisory published