Mailing-List: contact cygwin-announce-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-announce-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-announce/>
List-Post: <mailto:cygwin-announce AT cygwin DOT com>
List-Help: <mailto:cygwin-announce-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-announce-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-announce AT cygwin DOT com
Delivered-To: moderator for cygwin-announce AT cygwin DOT com
Date: Tue, 30 Jul 2002 18:03:40 +0200
From: Corinna Vinschen <vinschen AT redhat DOT com>
To: cygann <cygwin-announce AT cygwin DOT com>
Subject: Updated: openssl-0.9.6e-1
Message-ID: <20020730180340.A2193@cygbert.vinschen.de>
Reply-To: cygwin <cygwin AT cygwin DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.3.22.1i

I've updated the version of OpenSSL to 0.9.6e-1.

This is a official security update.  The security advisory has been
send out today.  Note that I'm sending this to keep you informed as
soon as possible.  The new version is probably not immediately available
on the mirrors.  Stay calm.

The official announcement follows:

=========================================================================

  OpenSSL version 0.9.6e released
  ===============================

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  The OpenSSL project team is pleased to announce the release of version
  0.9.6e of our open source toolkit for SSL/TLS.  This new OpenSSL version
  is a security and bugfix release and incorporates several changes to the
  toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

  The most significant changes are:

      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.

  We consider OpenSSL 0.9.6e to be the best version of OpenSSL available
  and we strongly recommend that users of older versions upgrade as
  soon as possible.  OpenSSL 0.9.6e is available for download via HTTP
  and FTP from the following master locations (you can find the various
  FTP mirrors under http://www.openssl.org/source/mirror.html):

    o http://www.openssl.org/source/
    o ftp://ftp.openssl.org/source/

  [1] OpenSSL comes in the form of two distributions this time.
  The reasons for this is that we want to deploy the external crypto device
  support but don't want to have it part of the "normal" distribution just
  yet.  The distribution containing the external crypto device support is
  popularly called "engine", and is considered experimental.  It's been
  fairly well tested on Unix and flavors thereof.  If run on a system with
  no external crypto device, it will work just like the "normal" distribution.

  The distribution file names are:

      o openssl-0.9.6e.tar.gz [normal]
      o openssl-engine-0.9.6e.tar.gz [engine]

  Yours,
  The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakoff
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller
    Lutz Jänicke            Ulf Möller

=========================================================================

The official security advisory follows:

=========================================================================

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is
an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
conducting a security review of OpenSSL, under the DARPA program   
CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
    buffer. This vulnerability was also independently discovered by
    consultants at Neohapsis (http://www.neohapsis.com/) who have also
    demonstrated that the vulerability is exploitable. Exploit code is
    NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
    overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
    overrun a stack-based buffer. This issues only affects OpenSSL
    0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
    small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be
exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS.

A patch for 0.9.7 is available from the OpenSSL website
(http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using
SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
versions with Kerberos enabled will also have to disable Kerberos. 

Client should be disabled altogether until the patches are applied.   

Known Exploits
--------------

There are no know exploits available for these vulnerabilities. As
noted above, Neohapsis have demonstrated internally that an exploit is
possible, but have not released the exploit code.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense
Advanced Research Projects Agency (DARPA) and Air Force Research
Laboratory, Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.



Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid
encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted
data. This includes all SSL or TLS applications, those using S/MIME   
(PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile   
all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade
to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav <stav AT mercury DOT co DOT il>
and James Yonan <jim AT ntlp DOT com> independently. The patch is partly
based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.




Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt

Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20020730.txt

=========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://sources.redhat.com/cygwin web page.  This downloads setup.exe
to your system.  The, run setup and answer all of the questions.

Note that we do not allow downloads from sources.redhat.com (aka
cygwin.com) due to bandwidth limitations.  This means that you will need
to find a mirror which has this update.

In the US, ftp://mirrors.rcn.net/mirrors/sources.redhat.com/cygwin/ is a
reliable high bandwidth connection.

In Germany,
ftp://ftp.uni-erlangen.de/pub/pc/gnuwin32/cygwin/mirrors/cygnus/ is
usually pretty good.

In the UK,
http://programming.ccp14.ac.uk/ftp-mirror/programming/cygwin/pub/cygwin/
is usually up-to-date within 48 hours.

If one of the above doesn't have the latest version of this package then
you can either wait for the site to be updated or find another mirror.

If you have questions or comments, please send them to the Cygwin
mailing list at:  cygwin AT sources DOT redhat DOT com .  I would appreciate
if you would use this mailing list rather than emailing me directly.
This includes ideas and comments about the setup utility or Cygwin
in general.

If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe to the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.