thomas: doc/www/src/security kolab-vendor-notice-04.txt,NONE,1.1
cvs at intevation.de
Fri Oct 14 12:49:45 CEST 2005
Author: thomas
Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv24023
Added Files:
kolab-vendor-notice-04.txt
Log Message:
Added kolab-vendor-notice-04.txt for openssl (draft).
--- NEW FILE: kolab-vendor-notice-04.txt ---
Kolab Security Issue 04 20051014
================================
Package: openssl
Vulnerability: Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific: no
Dependent Packages: apache imapd openldap perl-ssl php postfix proftpd sasl
Summary
-------
According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using
neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
Also, applications that disable use of SSL 2.0 are not affected.
Affected Versions
-----------------
OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl
Fixes
-----
Since SSLv2 can't be disabled via a configuration setting for all services
running on a Kolab server, the OpenSSL package has to be updated.
Install OpenPKG package openssl-0.9.7g-2.4.2:
A new OpenSSL RPM is available from the Kolab download mirrors as
security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm
A binary RPM for Debian woody (ix86) is available as
security-updates/20051014/openssl-0.9.7g-2.4.2.ix86-debian3.0-kolab.rpm
The mirrors are listed on http://kolab.org/mirrors.html
While the mirrors are catching up, you can also get the package via rsync:
# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm .
This package can be installed on your Kolab Server with
# /kolab/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
# /kolab/bin/openpkg rpm \
    -Uvh /kolab/RPM/PKG/openssl-0.9.7g-2.4.2.<ARCH>-<OS>-kolab.rpm
FIXME: recompile dependent packages, restart servers
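As an added example, not part of the advisory: a POSIX sh check that applies the boundary stated above (openssl-0.9.7g-2.4.1 or earlier affected, 2.4.2 fixed) to the package name returned by the version query. The version comparison is a simplified hand-written one, not rpm's own algorithm.

```shell
#!/bin/sh
# Added example: decide whether an installed OpenPKG openssl package on a
# Kolab server predates the fixed release openssl-0.9.7g-2.4.2 named in
# the advisory. vercmp is a simplified comparison, not rpm's algorithm.

FIXED_VERSION="0.9.7g"
FIXED_RELEASE="2.4.2"

# vercmp A B: compare dotted version strings segment by segment. Each
# segment is split into a numeric prefix (compared as an integer) and an
# alphabetic tail (compared lexically), so 0.9.7g > 0.9.7f and
# 2.4.2 > 2.4.1. Prints -1, 0 or 1 for A < B, A = B, A > B.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    sa="${a%%.*}"; sb="${b%%.*}"
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    na="${sa%%[!0-9]*}"; nb="${sb%%[!0-9]*}"   # numeric prefix
    ta="${sa#$na}"; tb="${sb#$nb}"              # alphabetic tail
    if [ "${na:-0}" -lt "${nb:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${na:-0}" -gt "${nb:-0}" ]; then printf '%s\n' 1; return; fi
    if [ "$ta" != "$tb" ]; then
      first=$(printf '%s\n%s\n' "$ta" "$tb" | LC_ALL=C sort | head -n 1)
      [ "$first" = "$ta" ] && printf '%s\n' -1 || printf '%s\n' 1
      return
    fi
  done
  printf '%s\n' 0
}

# is_fixed NAME-VERSION-RELEASE (e.g. openssl-0.9.7g-2.4.1): succeeds when
# the package is at or above the fixed release, fails when it needs the update.
is_fixed() {
  pkg="$1"
  rel="${pkg##*-}"                    # release, e.g. 2.4.1
  ver="${pkg%-*}"; ver="${ver##*-}"   # version, e.g. 0.9.7g
  case $(vercmp "$ver" "$FIXED_VERSION") in
    1) return 0;;
    -1) return 1;;
  esac
  [ "$(vercmp "$rel" "$FIXED_RELEASE")" -ge 0 ]
}

# Live check on a Kolab server, using the query command from the advisory.
if [ -x /kolab/bin/openpkg ]; then
  installed=$(/kolab/bin/openpkg rpm -q openssl)
  if is_fixed "$installed"; then echo "$installed: not affected by CAN-2005-2969"
  else echo "$installed: affected, install openssl-0.9.7g-2.4.2"; fi
fi
```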
Details
-------
http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
OpenPKG Security Advisory OpenPKG-SA-2005.022
http://www.openssl.org/news/secadv_20051011.txt
OpenSSL Security Advisory on the vendor's site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
Common Vulnerabilities and Exposures (CVE): CAN-2005-2969
Timeline
--------
20051011 OpenSSL vendor released patch and new versions containing the fix
20051011 OpenPKG created new package containing the fix, not yet announced
20051014 Kolab update and security advisory published