thomas: doc/www/src/security kolab-vendor-notice-04.txt,NONE,1.1

cvs at intevation.de cvs at intevation.de
Fri Oct 14 12:49:45 CEST 2005


Author: thomas

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv24023

Added Files:
	kolab-vendor-notice-04.txt 
Log Message:
Added kolab-vendor-notice-04.txt for openssl (draft).


--- NEW FILE: kolab-vendor-notice-04.txt ---
Kolab Security Issue 04 20051014
================================

Package:              openssl
Vulnerability:        Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific:       no
Dependent Packages:   apache imapd openldap perl-ssl php postfix proftpd sasl


Summary
-------

According to a vendor security advisory, a potential SSL 2.0 protocol
rollback attack vulnerability exists in the cryptography toolkit OpenSSL.
The vulnerability potentially affects applications that use the SSL/TLS
server implementation provided by OpenSSL. Such applications are affected
if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using
neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected.
Also, applications that disable use of SSL 2.0 are not affected.


Affected Versions
-----------------

OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected.
Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.
You can check the installed version with:
/kolab/bin/openpkg rpm -q openssl


Fixes
-----

Since SSLv2 can't be disabled via a configuration setting for all services
running on a Kolab server, the OpenSSL package has to be updated.

Install OpenPKG package openssl-0.9.7g-2.4.2:

A new OpenSSL RPM is available from the Kolab download mirrors as
security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm

A binary RPM for Debian woody (ix86) is available as
security-updates/20051014/openssl-0.9.7g-2.4.2.ix86-debian3.0-kolab.rpm

The mirrors are listed on http://kolab.org/mirrors.html

While the mirrors are catching up, you can also get the package via rsync:
# rsync -tzv rsync://rsync.kolab.org/kolab/server/security-updates/20051014/openssl-0.9.7g-2.4.2.src.rpm .


This package can be installed on your Kolab Server with

# /kolab/bin/openpkg rpm --rebuild openssl-0.9.7g-2.4.2.src.rpm
# /kolab/bin/openpkg rpm \
  -Uvh /kolab/RPM/PKG/openssl-0.9.7g-2.4.2.<ARCH>-<OS>-kolab.rpm

FIXME: recompile dependent packages, restart servers
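
As an added example (not part of this notice or of Kolab's own tooling), a POSIX
shell check that applies the version rule from "Affected Versions" to the output
of "/kolab/bin/openpkg rpm -q openssl" and, when the package is still affected,
names the dependent packages listed in the header. The fixed package
openssl-0.9.7g-2.4.2 and the package list come from this notice; the function
names and the assumption that plain sort order suffices within the 0.9.7 branch
are the example's own.

```sh
#!/bin/sh
# Added example, not part of the Kolab advisory: classify the output of
# "/kolab/bin/openpkg rpm -q openssl" against the fixed package named in
# this notice (openssl-0.9.7g-2.4.2). Function names are assumptions.

FIXED_VERSION="0.9.7g"
FIXED_RELEASE="2.4.2"
# Packages linked against OpenSSL on a Kolab server (from the notice header).
DEPENDENT="apache imapd openldap perl-ssl php postfix proftpd sasl"

# cmp_release A B: compare dotted numeric OpenPKG releases, prints -1, 0 or 1.
cmp_release() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# openssl_status NAME-VERSION-RELEASE: prints affected, fixed or unknown.
openssl_status() {
    case $1 in openssl-*-*) ;; *) printf '%s\n' unknown; return ;; esac
    rest=${1#openssl-}            # e.g. 0.9.7g-2.4.1
    version=${rest%-*}            # upstream version, e.g. 0.9.7g
    release=${rest##*-}           # OpenPKG release, e.g. 2.4.1
    if [ "$version" != "$FIXED_VERSION" ]; then
        # Assumption: plain sort order is enough within the 0.9.7 branch
        # (0.9.7f sorts before 0.9.7g); anything newer carries the fix.
        lower=$(printf '%s\n%s\n' "$version" "$FIXED_VERSION" | sort | head -n 1)
        if [ "$lower" = "$version" ]; then echo affected; else echo fixed; fi
        return
    fi
    if [ "$(cmp_release "$release" "$FIXED_RELEASE")" -lt 0 ]; then
        echo affected
    else
        echo fixed
    fi
}
# Only query the real package database when run on a Kolab server.
if [ -x /kolab/bin/openpkg ]; then
    installed=$(/kolab/bin/openpkg rpm -q openssl 2>&1 || true)
    status=$(openssl_status "$installed")
    echo "$installed: $status"
    if [ "$status" = affected ]; then echo "after updating openssl, rebuild and restart: $DEPENDENT"; fi
fi
```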


Details
-------

http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
	OpenPKG Security Advisory OpenPKG-SA-2005.022

http://www.openssl.org/news/secadv_20051011.txt
	OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
	Common Vulnerabilities and Exposures (CVE): CAN-2005-2969


Timeline
--------
    20051011 OpenSSL vendor released patch and new versions containing the fix
    20051011 OpenPKG created new package containing the fix, not yet announced
    20051014 Kolab update and security advisory published
