thomas: doc/www/src/security kolab-vendor-notice-04.txt,NONE,1.1

cvs at cvs at
Fri Oct 14 12:49:45 CEST 2005

Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv24023

Added Files:
Log Message:
Added kolab-vendor-notice-04.txt for openssl (draft).

--- NEW FILE: kolab-vendor-notice-04.txt ---
Kolab Security Issue 04 20051014

Package:              openssl
Vulnerability:        Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific:       no
Dependent Packages:   apache imapd openldap perl-ssl php postfix proftpd sasl


According to the vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Note that this
option is implied by "SSL_OP_ALL", the commonly used bundle of
interoperability workarounds, so an application that sets "SSL_OP_ALL"
is affected as well. The option disables a verification step in the
SSL 2.0 server that is meant to detect an active protocol version
rollback; with it disabled, an attacker in a man-in-the-middle position
can force a client and a server to negotiate SSL 2.0 even though both
support SSL 3.0 or TLS 1.0, and SSL 2.0 has severe cryptographic
weaknesses. Applications using neither "SSL_OP_MSIE_SSLV2_RSA_PADDING"
nor "SSL_OP_ALL" are not affected. Also, applications that disable use
of SSL 2.0 (e.g. with the "SSL_OP_NO_SSLv2" option) are not affected.
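The following is an added example, not code from Kolab, OpenPKG or
OpenSSL. It models the server-side check the paragraph above describes:
a TLS/SSL 3.0-capable client that has been talked down to SSL 2.0 marks
the PKCS#1 padding of its encrypted master key with eight 0x03 bytes
(RFC 2246, appendix E.2), and a server that still performs the
rollback check refuses such a handshake, while a server running with
"SSL_OP_MSIE_SSLV2_RSA_PADDING" (alone or via "SSL_OP_ALL") skips the
check and accepts it. It also evaluates an SSL_CTX option word for
exposure and shows the option set that closes the hole. Assumptions:
the option bit values are taken from OpenSSL 0.9.7's ssl.h and are not
stated on this page; no RSA is performed, the code works on the already
decrypted block; all function names and the sample master key are
hypothetical and constructed here.

```python
"""Model of the SSL 2.0 anti-rollback check that CAN-2005-2969 concerns.

Added example, not code from Kolab, OpenPKG or OpenSSL. It performs no
RSA; it works on the decrypted PKCS#1 block type 2 that an OpenSSL-style
server sees after decrypting the CLIENT-MASTER-KEY of an SSL 2.0
handshake, and on the SSL_CTX option bits that select the behaviour.
"""
import os

# SSL_CTX option bits (assumed to match the OpenSSL 0.9.7 ssl.h values).
SSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000040
SSL_OP_ALL = 0x00000FFF          # bundle of workarounds; includes the bit above
SSL_OP_NO_SSLv2 = 0x01000000

# RFC 2246 E.2: a TLS/SSL 3.0-capable client negotiating SSL 2.0 sets the
# last 8 padding bytes before the 0x00 separator to 0x03.
ROLLBACK_MARKER = b"\x03" * 8


def is_affected(options: int) -> bool:
    """True if a server SSL_CTX with these options is exposed: the MSIE
    workaround is on (directly or via SSL_OP_ALL) and SSL 2.0 is enabled."""
    if options & SSL_OP_NO_SSLv2:
        return False
    return bool(options & SSL_OP_MSIE_SSLV2_RSA_PADDING)


def harden(options: int) -> int:
    """Closed configuration: drop the MSIE workaround and refuse SSL 2.0."""
    return (options & ~SSL_OP_MSIE_SSLV2_RSA_PADDING) | SSL_OP_NO_SSLv2


def client_pad_master_key(master_key: bytes, k: int, tls_capable: bool) -> bytes:
    """PKCS#1 v1.5 block type 2 (0x00 0x02 PS 0x00 key) of modulus length k,
    as an SSL 2.0 client builds it before RSA-encrypting the master key.
    PS is random and non-zero; a TLS-capable client overwrites its last
    8 bytes with the rollback marker."""
    ps_len = k - 3 - len(master_key)
    if ps_len < 8:
        raise ValueError("modulus too short for this master key")
    ps = bytearray()
    while len(ps) < ps_len:
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    if tls_capable:
        ps[-8:] = ROLLBACK_MARKER
    return b"\x00\x02" + bytes(ps) + b"\x00" + master_key


def server_check_padding(block: bytes, msie_workaround: bool):
    """Server side, on the decrypted block. Without the workaround the
    marker is detected and the handshake refused as a rollback. With
    SSL_OP_MSIE_SSLV2_RSA_PADDING the block is treated as plain PKCS#1 and
    the marker ignored: the vulnerable behaviour. Returns (status, key)."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return "bad_padding", None
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:          # PS must be at least 8 bytes long
        return "bad_padding", None
    ps, master_key = block[2:sep], block[sep + 1:]
    if not msie_workaround and ps[-8:] == ROLLBACK_MARKER:
        return "rollback_detected", None
    return "ok", master_key


def sslv2_handshake(options: int, client_tls_capable: bool, k: int = 64) -> str:
    """Outcome when a man-in-the-middle has forced SSL 2.0 on the client and
    the client sends CLIENT-MASTER-KEY to a server configured with options."""
    if options & SSL_OP_NO_SSLv2:
        return "sslv2_refused"
    master_key = os.urandom(24)           # constructed sample key material
    block = client_pad_master_key(master_key, k, client_tls_capable)
    status, recovered = server_check_padding(
        block, bool(options & SSL_OP_MSIE_SSLV2_RSA_PADDING))
    if status == "ok" and recovered != master_key:
        return "bad_padding"
    return status


if __name__ == "__main__":
    for name, opts in (("SSL_OP_ALL", SSL_OP_ALL), ("0", 0),
                       ("harden(SSL_OP_ALL)", harden(SSL_OP_ALL))):
        print(f"{name:20s} affected={is_affected(opts)} "
              f"tls-capable client forced to SSLv2 -> {sslv2_handshake(opts, True)}")
```

Running the module shows the three configurations side by side: with
SSL_OP_ALL the forced SSL 2.0 handshake completes ("ok"), with the
workaround off it is refused ("rollback_detected"), and with SSL 2.0
disabled it never starts. A client that really only speaks SSL 2.0 sends
random padding without the marker and is accepted in every case, which
is why the check costs nothing for legitimate old clients.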

Affected Versions

OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl


Not every service running on a Kolab server (see the dependent packages
listed above) offers a configuration setting to disable SSLv2, so the
workaround of switching SSL 2.0 off cannot be applied to all of them.
The OpenSSL package therefore has to be updated.

Install OpenPKG package openssl-0.9.7g-2.4.2:

A new OpenSSL RPM is available from the Kolab download mirrors as

A binary RPM for Debian woody (ix86) is available as

The mirrors are listed on

While the mirrors are catching up, you can also get the package via rsync:
# rsync -tzv rsync:// .

This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/openssl-0.9.7g-2.4.2.<ARCH>-<OS>-kolab.rpm

FIXME: recompile dependent packages, restart servers

    OpenPKG Security Advisory OpenPKG-SA-2005.022
    OpenSSL Security Advisory on the vendor's site
    Common Vulnerabilities and Exposures (CVE): CAN-2005-2969

    20051011 OpenSSL vendor released patch and new versions containing the fix
    20051011 OpenPKG created new package containing the fix, not yet announced
    20051014 Kolab update and security advisory published
