--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2002-46
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

OpenSSL: a buffer overflow allows a local user to gain privileges

Release date: 2002-08-02

Updated packages:
    openssl-0.9.6e-1
    openssh-3.4p1-7
    kdelibs-2.2.2-9
    arts-2.2.2-9
    apache-1.3.26-5
    mod_ssl-2.8.10-5

Problem

 * A buffer overflow exists in the handling of the client master key in SSL2.
 * A buffer overflow exists in the handling of the session ID issued to the
   client in SSL3.

Solution:

Check the installed version with the command below.

# rpm -qa | grep package-name

If your system is affected, download the update packages and apply them with
the commands below. Use the package versions that correspond to your
Turbolinux version.

A "\" sign in the commands means that the command continues without a line
break.

Execution example
---------------------------------------------------------------------
# rpm -Fvh Package-1.0.0-1.i586.rpm \
           Package-doc-1.0.0-1.i586.rpm \
           Package-devel-1.0.0-1.i586.rpm

When you run the rpm command, enter it on the command line as follows.

# rpm -Fvh package-1.0.0-1.i586.rpm package-doc-1.0.0-1.i586.rpm package-devel-1.0.0-1.i586.rpm
---------------------------------------------------------------------

< Turbolinux 8 Workstation >

# rpm -Fvh openssl-0.9.6e-1.i586.rpm \
           openssl-devel-0.9.6e-1.i586.rpm \
           openssh-3.4p1-7.i586.rpm \
           openssh-askpass-3.4p1-7.i586.rpm \
           openssh-clients-3.4p1-7.i586.rpm \
           openssh-server-3.4p1-7.i586.rpm \
           kdelibs-2.2.2-9.i586.rpm \
           kdelibs-devel-2.2.2-9.i586.rpm \
           arts-2.2.2-9.i586.rpm \
           arts-devel-2.2.2-9.i586.rpm \
           apache-1.3.26-5.i586.rpm \
           apache-devel-1.3.26-5.i586.rpm \
           apache-manual-1.3.26-5.i586.rpm \
           mod_ssl-2.8.10-5.i586.rpm

< Turbolinux 7 Server >
< Turbolinux 7 Workstation >

# rpm -Fvh openssl-0.9.6e-1.i586.rpm \
           openssl-devel-0.9.6e-1.i586.rpm \
           openssh-3.4p1-7.i586.rpm \
           openssh-askpass-3.4p1-7.i586.rpm \
           openssh-clients-3.4p1-7.i586.rpm \
           openssh-server-3.4p1-7.i586.rpm \
           kdelibs-2.2.1-7.i586.rpm \
           kdelibs-devel-2.2.1-7.i586.rpm \
           arts-2.2.1-7.i586.rpm \
           arts-devel-2.2.1-7.i586.rpm \
           apache-1.3.26-5.i586.rpm \
           apache-devel-1.3.26-5.i586.rpm \
           apache-manual-1.3.26-5.i586.rpm \
           mod_ssl-2.8.10-5.i586.rpm

< Turbolinux Server 6.5 >

# rpm -Fvh openssl-0.9.6e-1.i386.rpm \
           openssl-devel-0.9.6e-1.i386.rpm \
           openssh-3.4p1-7.i386.rpm \
           openssh-askpass-3.4p1-7.i386.rpm \
           openssh-clients-3.4p1-7.i386.rpm \
           openssh-server-3.4p1-7.i386.rpm \
           apache-1.3.26-5.i386.rpm \
           apache-devel-1.3.26-5.i386.rpm \
           apache-manual-1.3.26-5.i386.rpm \
           mod_ssl-2.8.10-5.i386.rpm

< Turbolinux Advanced Server 6 >

# rpm -Fvh openssl-0.9.6e-1.i386.rpm \
           openssl-devel-0.9.6e-1.i386.rpm \
           openssh-3.4p1-7.i386.rpm \
           openssh-askpass-3.4p1-7.i386.rpm \
           openssh-askpass-gnome-3.4p1-7.i386.rpm \
           openssh-clients-3.4p1-7.i386.rpm \
           openssh-server-3.4p1-7.i386.rpm \
           apache-1.3.26-5.i386.rpm \
           apache-devel-1.3.26-5.i386.rpm \
           apache-manual-1.3.26-5.i386.rpm \
           (correction 2002/08/21)
           apache-1.3.23-9.i386.rpm \
           apache-devel-1.3.23-9.i386.rpm \
           apache-manual-1.3.23-9.i386.rpm \
           mod_ssl-2.8.10-5.i386.rpm

< Turbolinux Server 6.1 >

# rpm -Fvh openssl-0.9.6e-1.i386.rpm \
           openssl-devel-0.9.6e-1.i386.rpm \
           openssh-3.4p1-7.i386.rpm \
           openssh-askpass-gnome-3.4p1-7.i386.rpm \
           openssh-clients-3.4p1-7.i386.rpm \
           openssh-server-3.4p1-7.i386.rpm \
           apache-1.3.23-8.i386.rpm \
           apache-devel-1.3.23-8.i386.rpm \
           apache-manual-1.3.23-8.i386.rpm \
           mod_ssl-2.8.7-8.i386.rpm

< Turbolinux Workstation 6.0 >

# rpm -Fvh openssl-0.9.6e-1.i386.rpm \
           openssl-devel-0.9.6e-1.i386.rpm \
           openssh-3.4p1-7.i386.rpm \
           openssh-askpass-3.4p1-7.i386.rpm \
           openssh-askpass-gnome-3.4p1-7.i386.rpm \
           openssh-clients-3.4p1-7.i386.rpm \
           openssh-server-3.4p1-7.i386.rpm

Package updates: http://www.turbolinux.co.jp/update/
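
The version check from the Solution section can be scripted. The following is an added example, not part of the Turbolinux advisory: it reads `rpm -qa` output and lists packages older than the fixed builds given above for Turbolinux 8 Workstation. The function names, the sample input and the use of GNU `sort -V` in place of rpm's own version comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag packages older than the fixed builds listed for
# Turbolinux 8 Workstation in this advisory. Input: `rpm -qa` lines on stdin.

# Fixed version-release per base package (values taken from the advisory).
FIXED="openssl 0.9.6e-1
openssh 3.4p1-7
kdelibs 2.2.2-9
arts 2.2.2-9
apache 1.3.26-5
mod_ssl 2.8.10-5"

# True when $1 sorts strictly before $2. Assumption: GNU `sort -V` stands in
# for rpm's own version comparison, which it approximates for these strings.
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Read name-version-release lines and print those that still need the update.
needs_update() {
    while IFS= read -r pkg; do
        rel=${pkg##*-}; rest=${pkg%-*}      # release follows the last '-'
        ver=${rest##*-}; name=${rest%-*}    # version follows the one before it
        echo "$FIXED" | while read -r base fixed; do
            case $name in
                "$base"|"$base"-*)          # base package or a sub-package
                    if older_than "$ver-$rel" "$fixed"; then
                        echo "$pkg (fixed in $base-$fixed)"
                    fi ;;
            esac
        done
    done
}

# Constructed sample of `rpm -qa` output; on a real host pipe `rpm -qa` in.
SAMPLE="openssl-0.9.6b-8
openssl-devel-0.9.6e-1
openssh-server-3.4p1-7
mod_ssl-2.8.9-1
glibc-2.2.4-3"

echo "$SAMPLE" | needs_update
```

For another Turbolinux release, replace the FIXED table with the versions listed in that release's section of the advisory.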