openSUSE Security July 2002

security@lists.opensuse.org

193 participants
223 discussions

RE: [suse-security] SuSE Security Announcement: openssl (SuSE-SA: 2002:027)
by Hemsley, Trevor 31 Jul '02

31 Jul '02

Is it intentional that the new mod_php4-3650 patch for Suse 7.1 includes mod_php4-roxen-4.0.4pl1-142? On previous updates the roxen part has been packaged separately...

1 0

Antwort: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
by marko.muncan.mm＠bayer-ag.de 31 Jul '02

31 Jul '02

Please correct me if i am wrong, but i thought OpenSSL is a Serverpackage which runs on Servers and SSL implemented in Webbrowser just snatch at this implementation?! Mit freundlichen Grüßen Marko Muncan arxes Network Communication Consulting AG Im Auftrag der BBS GmbH IM-CAS-CSE Tel.: +49 214/30-31000 E-Mail: marko.muncan.mm(a)bayer-ag.de Internet : http://www.bayer-ag.de |---------+---------------------------------------------------------------> | | | | | | | | | | | | | | | | | | | | suse-security-return-14937-marko.muncan.mm=bayer-ag.de(a)suse.c| | | om | | | Received : 31.07.2002 11:09 | | | | |---------+---------------------------------------------------------------> >---------------------------------------------------------------------------------------------------------| | | | | | An: suse-security(a)suse.com | | Kopie: | | Thema: Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027) | >---------------------------------------------------------------------------------------------------------| Hi, does anyone know if web browsers like Opera, Netscape etc. are vulnerable, too? What kind of ssl implementation do they use, openssl or. sth else? Thx! Best regards, Frank -- Dipl.-Inform. Frank Steiner mailto:fst@informatik.uni-kiel.de Lehrstuhl f. Programmiersprachen mailto:fsteiner@web.de CAU Kiel, Olshausenstraße 40 Phone: +49 431 880-7265, Fax: -7613 D-24098 Kiel, Germany http://www.informatik.uni-kiel.de/~fst/ -- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

2 1

Re: [suse-security] SuSE Security Announcement: openssl (SuSE-SA:2002:027)
by Oliver Bleutgen 31 Jul '02

31 Jul '02

Quick question, on a 7.0 system, my apache has (stock suse, newest update) mod_ssl configured in, but seems not to use /usr/lib/libssl.so* /usr/lib/libcrypto.so* but instead /usr/lib/apache/libssl.so lisa:/home/bleutgen/software/suse_update/020731 # fuser -v /usr/lib/libssl.so* /usr/lib/libcrypto.so* lisa:/home/bleutgen/software/suse_update/020731 # but lisa:/home/bleutgen/software/suse_update/020731 # fuser -v /usr/lib/apache/libssl.so USER PID ACCESS COMMAND /usr/lib/apache/libssl.so root 27258 ....m httpd root 27259 ....m httpd root 27260 ....m httpd root 27261 ....m httpd root 27262 ....m httpd root 27265 ....m httpd and lisa:/home/bleutgen/software/suse_update/020731 # rpm -qf /usr/lib/apache/libssl.so mod_ssl-2.8.2-33 So, my question is, does updating openssl really upgrade mod_ssl? Probably I'm just confused. cheers, oliver

2 1

LDAP, TLS, SSL
by Mailinglist 30 Jul '02

30 Jul '02

Hallo Liste ! Ich bin gerade dabei mich in LDAP einzuarbeiten. Ziel dabei soll eine zentrale Userdatenbank sein, an der sowohl Windows- als auch Unix-Clients authenrifiziert werden sollen. LDAP laeuft soweit und die Authentifizierung klappt auch erstmal. Allerdings gibt es da ein Verstaendnisproblem bezueglich der Verschluesselung: 1. Die Verbindung Unix<->LDAP-Server wird durch TLS abgesichert, da die Clients den Server gegen ein CA-Certificate checken sind als auch Man-In-The-Middle-Attacken ausgeschlossen (neben dem normalen Mitlauschen). Wozu brauche ich dann SASL ? 2. Die Windows-Clients authentifierzieren sich gegen einen Samba-PDC. Welche Verfahren kommen hier zum Einsatz um Authentizitaet und Intigritaet sicherzustellen ? Habe bereits google gewaelzt, aber mehr als 100te howtos hab' ich leider nicht gefunden. Vielen Dank, Jens Braeuer

1 0

OpenSSL Security Altert - Remote Buffer Overflows
by Preston Kutzner 30 Jul '02

30 Jul '02

This is a forwarded message From: Ben Laurie <ben(a)algroup.co.uk> To: OpenSSL Announce <openssl-announce(a)openssl.org>, Bugtraq <BUGTRAQ(a)securityfocus.com>, Apache SSL Announce <apache-sslannounce(a)lists.aldigital.co.uk> Date: Tuesday, July 30, 2002, 4:58:19 AM Subject: OpenSSL Security Altert - Remote Buffer Overflows ===8<==============Original message text=============== OpenSSL Security Advisory [30 July 2002] This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory. Advisory 1 ========== A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS. Vulnerabilities --------------- All four of these are potentially remotely exploitable. 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulerability is exploitable. Exploit code is NOT available at this time. 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issues only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled. 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4. In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them. Who is affected? ---------------- Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable. SSLeay is probably also affected. Recommendations --------------- Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS. A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/). Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos. Client should be disabled altogether until the patches are applied. Known Exploits -------------- There are no know exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657 Acknowledgements ---------------- The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. Advisory 2 ========== Vulnerabilities --------------- The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue. Who is affected? ---------------- Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines. Recommendations --------------- Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL. Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL. Exploits -------- There are no known exploits for this vulnerability. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659 Acknowledgements ---------------- This vulnerability was discovered by Adi Stav <stav(a)mercury.co.il> and James Yonan <jim(a)ntlp.com> independently. The patch is partly based on a version by Adi Stav. The patch and advisory were prepared by Dr. Stephen Henson. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff ===8<===========End of original message text=========== -- Best regards, Preston mailto:grdnwsl@mrichi.com

1 0

Re: [suse-security] SuSEfirewall2 , pptp, and port forwarding
by Robert Fenney 30 Jul '02

30 Jul '02

O.K., Sorry for this being so long but here is my problem. I am trying to get both pptpd and SuSEfirewall2 working on the same system. I have each working by them selves. I do have routing turned on between eth0 and eth1. Included are the configuration files for both SuSEfirewall2 and pptpd. I am getting the error: Cannot determine ethernet address for proxy ARP When I connect with the pptp session. But I do have a session. Then when I ping I get the error message: SuSE-FW-DROP-DEFAULT from the firewall rules dump it does look like I am not routing to eth1. Any ideas on how to fix this. I did read about scripting the device interface but it seems to me that I am missing somthing. Thanks for any help! Robert SuSEfirewall2 file: FW_DEV_EXT="eth0 ppp0" FW_DEV_INT="eth1" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth0" FW_MASQ_NETS="0/0" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="1723 53 http https ssh" FW_SERVICES_EXT_UDP="53 500" FW_SERVICES_EXT_IP="gre 50 51" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_INT_TCP="1723" FW_SERVICES_INT_UDP="53 500" FW_SERVICES_INT_IP="gre 50 51" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" FW_FORWARD="" FW_FORWARD_MASQ="0/0,192.168.20.115,tcp,5631 0/0,192.168.20.udp,5632" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes" FW_ALLOW_CLASS_ROUTING="no" pptpd.conf: speed 115200 debug localip 192.168.20.236-245 remoteip 192.168.10.226-235 listen 10.0.1.254 pidfile /var/run/pptpd.pid options: name mars debug noauth +chap +chapms +chapms-v2 mppe-40 #mppe-128 mppe-stateless #require-chap proxyarp On Monday, July 29, 2002, at 12:46 AM, Manfred Larcher wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Am Freitag, 26. Juli 2002 08:37 schrieb Robert Fenney: >> Thanks! I got that working right away. No if I could just get this pptp >> stuff working.... >> >> Robert > > You should explain what you mean with pptp stuff... > If you want to connect to an Alcatel ADSL Modem you have to insert the > "GRE" > protocol to your firewall rules, if you use SuSE Firewall2: > > # For VPN/Routing which END at the firewall!! > FW_SERVICES_INT_IP="gre" > > > cu > Manfred > - -- > > - ------------------------------------ > Pirlo Ges.m.b.H. & Co > Manfred Larcher > > Hugo Petter Str. 8-14 > A-6333 Kufstein > Tel. +43 5372 64923 65 oder 35 > Fax +43 5372 64923 61 > mailto:mlarcher@pirlo.com > http://www.pirlo.com > - ------------------------------------ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE9RPLo/ZrEMf+80q8RAlg9AJ4gZ0nqJ6E6MI1+96+5OAxY52qEpQCdEbuK > Npfe+e64zS+rdjTELMf7SPY= > =/jTR > -----END PGP SIGNATURE----- >

1 0

ACLs with SuSE 8.0 ???
by M. Neubert 29 Jul '02

29 Jul '02

hello list, I think this question is security related... Can I use acl's with SuSE 8.0? The file-utilities exist on my box but when I use setfacl this error occurs: "Operation not supported". Is a kernel patch required? Which filesystems supports acl's? Anybody could help me? Greetings Mario

5 5

Fwd: Re: [suse-security] apache and ssl module
by Christian Weickhmann 29 Jul '02

29 Jul '02

Hello Wouter (Whatever that means *???*) > I know i most make a server Certificated file. but i dont know how i most > make it. See /etc/sysconfig/apache 'cd /usr/share/doc/packages/mod_ssl; ./certificate.sh' as root. CU, Christian -- "Termiter's argument that God is His own grandmother generated a surprising amount of controversy among Church leaders, who on the one hand considered the argument unsupported by scripture but on the other hand were unwilling to risk offending God's grandmother." -- Len Cool, "American Pie"

1 0

apache and ssl module
by Wouter 29 Jul '02

29 Jul '02

Hi, I have upgrade suse 7.1 to 8.0 a few weeks ago, It works fine. But i have only one problem, If i try to install the ssl module for apache. When i have install mod_ssl and restart apache he says he starts good. But he dont start good. if i check then the error log file is see the follow (/var/log/httpd/error_log) Sun Jul 28 21:32:25 2002] [error] mod_ssl: Init: Unable to read server certificate from file /etc/httpd/ssl.crt/server.crt (OpenSSL library error follows) [Sun Jul 28 21:32:25 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence I know i most make a server Certificated file. but i dont know how i most make it. if i do this openssl req -noout -text -in server.csr i see the follow openssl x509 -noout -text -in server.crt I see unable to load certificate 4277:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE Can someone help me whit this problem ? Greets Wouter Groeten Wouter

2 1

Re: Antwort: [suse-security] AUTH SMTP with POSTFIX
by jja wikon 29 Jul '02

29 Jul '02

Hi, danke für der Antwort. 1)...da hast du recht mit Englisch. 2)...mit die access-table und Schutz durch "Restrictions" kann man einzelne Adressen, Nutzer oder Host für bestimmte Aktionen freizugeben oder zu blocken. 3)...der Mail-Server wird nur für den internen Gebrauch genutzt. 4)...die eMail's werden direkt an der Server geschickt (MX Eintrag beim Provider). 5)...jetzt muss er alle an unser Domain geschickte eMail's annehmen, weiter leiten darf er natürlich die eMail's, die von internen Adressen kommen. 6)...wir haben der eMailServer hinter Firewall "värschtekt", er prüft MAC-Adresse von interne Netz (Router), damit wollen wir die Fälschung von IP-Nummer vermeinden. Mit freundlichen Grüßen JJA > HI, > > 1) ... besseres englisch wäre schon angesagt ... hab mich ganz schön > abgequält ... > 2) ... ich würde postfix unter den TCPWRAPPER laufen lassen, so kannst > du schon mal steuern, wer auf den daemon zugreifen darf, und wer nicht ... > 3) ... wird der Mail-Server nur für den internen Gebrauch genutzt ? > wenn ja, denke ich benötigt man nicht unbedingt ne "authentication" ( > authetifizierung ) > 4) ... wie werden die eMail's "rein kommen" ? Werden diese mit > fetchmail vom Provider abgeholt, oder direkt an den Server ( über smtp ) > geschickt ( MX Eintrag beim Provider ) ? > 5) ... sollte sie über fetchmail abgeholt werden, muss ein cron-job > erstellt werden ... > 6) ... sichere ab, dass niemand an andere Domänen als an die interne > eMail's versenden darf, solange die Mail nicht von internen Adressen kommt > ... ( falls MX Eintrag beim Provider ) > 7) ... mit Authetifizierung und SMTP kenne ich mich leider "noch" nicht > so doll aus ... aber ich denke plain ist doch ok ( wenn's "nur" ne kleine > Firma sein soll ) > 8) ... mir fällt im moment nix mehr ein .. ist etwas früh ... bis denn > > Mit freundlichen Grüßen > Bruno Leonhardt > > CLP Domino R5 Systemadministrator > > ----------- > AnalyTek Systemhaus > Hospital Str. 2a > D-65589 Hadamar > > Besuchen Sie uns im Internet unter : http://www.analytek.de >

1 0

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security July 2002