Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] SuSE Security Announcement: Slapper worm (SuSE-SA:2002:033)
  • From: Ceyx@xxxxxxx
  • Date: Fri, 20 Sep 2002 09:23:04 +0200
  • Message-id: <200209200921.24228.Alexander.Grujic@xxxxxxxxxxxxxxxxxxx>
Hi List

The signature on the announcement "Slapper worm (SuSE-SA:2002:033)" is bad
according to gpg ... has the SuSE key changed?

Thanks,

Alex.


On Thursday 19 September 2002 20:48, Olaf Kirch wrote:
> ______________________________________________________________________________
>
> SuSE Security Announcement
>
> Package: openssl/Slapper worm
> Announcement-ID: SuSE-SA:2002:033
> Date: Thu Sep 19 2002
> Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
> SuSE Linux Database Server,
> SuSE eMail Server III,
> SuSE eMail Server 3.1,
> SuSE Linux Enterprise Server,
> SuSE Linux Firewall on CD,
> SuSE Linux Enterprise Server 7
> SuSE Linux Office Server
> Vulnerability Type: buffer overflow
> Severity (1-10): 9
> SuSE default package: yes
> Cross References: CVE CAN-2002-0655, CAN-2002-0656,
> CAN-2002-0659, CERT CA 2002-23,
> SuSE-SA:2002:027
>
> Content of this advisory:
> 1) vulnerabilities in openssl libraries; Slapper worm
> 2) pending vulnerabilities, solutions, workarounds
> 3) standard appendix (further information)
>
> ______________________________________________________________________________
>
> 1) problem description, brief discussion, solution, upgrade information
>
> This advisory is issued in an attempt to clarify any issues
> surrounding the recently discovered Apache/mod_ssl worm.
>
> On July 30, we released a security advisory concerning vulnerabilities
> in OpenSSL, including a buffer overflow in the SSL code. This
> vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory
> http://www.cert.org/advisories/CA-2002-23.html) is currently being
> exploited by a worm called Slapper, propagating through Apache's
> mod_ssl module.
>
> It is worth noting that even though the worm infects Apache through
> mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in
> the OpenSSL library used by mod_ssl.
>
> This also means that Apache may not be the only service vulnerable
> to an attack via the SSL bug. Similar exploits may be possible
> against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled
> services.
>
> As a workaround, it is also possible to disable SSLv2 in mod_ssl
> (as described in our previous advisory SuSE-SA:2002:027;
> http://www.suse.com/de/security/2002_027_openssl.html), but you
> should be aware that this does not protect other SSL based servers
> that may be running on your machine.
>
>
> We have received numerous inquiries from SuSE users on whether the
> update packages provided by SuSE as part of SA:2002:027 fix this bug
> even though they do not contain the latest OpenSSL version recommended
> in various advisories.
>
> To clarify this, we would like to state that these packages DO FIX
> the bug exploited by the Slapper worm. Following established policy,
> we did this by applying a source code patch instead of upgrading to
> a newer version, because the latter usually causes serious problems
> for many users (in particular, different versions of OpenSSL libraries
> are not always API compatible).
>
>
> However, it turns out that a number of packages were statically
> linked against OpenSSL libraries:
>
> mod_ssl (SuSE Linux 7.0):
> We have released rebuilt mod_ssl packages linked against the
> most recent OpenSSL libraries.
>
> If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl,
> too.
>
> sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
> Sendmail-tls, the SSL enabled version of sendmail, was linked
> statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security
> impact of this problem is probably the same as with Apache and
> mod_ssl.
>
> We are releasing rebuilt packages linked against the most recent
> OpenSSL libraries.
>
> Sendmail-tls is not part of the default installation profile.
>
> If you are using sendmail-tls, we strongly recommend you upgrade
> to the latest packages provided on our FTP servers.
>
> openssh (SuSE Linux 7.1, 7.2 and 7.3):
> Ssh and sshd do not use any SSL functionality, and thus are not
> susceptible to the type of attack carried out by the Slapper worm.
>
> To date, we are not aware of any way to exploit them. We nevertheless
> recommend upgrading to the latest versions provided on our FTP site.
>
> freeswan (SuSE Linux 7.1, 7.2):
> FreeSWAN includes a utility named fswcert for creating and
> manipulating X.509 certificates, which is also linked statically
> against libcrypto.
>
> To date, we are not aware of any way to exploit them. We
> nevertheless recommend upgrading to the latest versions provided
> on our FTP site as soon as they become available (2002 Sep 20).
>
> ______________________________________________________________________________
>
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
>
> mod_php4:
> we are preparing an update of mod_php4 addressing various
> vulnerabilities that have been published recently.
>
> ______________________________________________________________________________
>
> 3) standard appendix: authenticity verification, additional information
>
> - Package authenticity verification:
>
> SuSE update packages are available on many mirror ftp servers all over
> the world. While this service is being considered valuable and
> important to the free and open source software community, many users wish
> to be sure about the origin of the package and its content before
> installing the package. There are two verification methods that can be used
> independently from each other to prove the authenticity of a downloaded
> file or rpm package:
> 1) md5sums as provided in the (cryptographically signed) announcement.
> 2) using the internal gpg signatures of the rpm package.
>
> 1) execute the command
> md5sum <name-of-the-file.rpm>
> after you downloaded the file from a SuSE ftp server or its mirrors.
> Then, compare the resulting md5sum with the one that is listed in
> the announcement. Since the announcement containing the checksums is
> cryptographically signed (usually using the key security@xxxxxxx), the
> checksums show proof of the authenticity of the package. We advise against
> subscribing to security lists which cause the email message containing the
> announcement to be modified so that the signature does not match after
> transport through the mailing list software.
> Downsides: You must be able to verify the authenticity of the
> announcement in the first place. If RPM packages are being rebuilt
> and a new version of a package is published on the ftp server, all
> md5 sums for the files are useless.
>
> 2) rpm package signatures provide an easy way to verify the
> authenticity of an rpm package. Use the command
> rpm -v --checksig <file.rpm>
> to verify the signature of the package, where <file.rpm> is the
> filename of the rpm package that you have downloaded. Of course,
> package authenticity verification can only target an uninstalled rpm
> package file.
> Prerequisites:
> a) gpg is installed
> b) The package is signed using a certain key. The public part of
> this key must be installed by the gpg program in the directory ~/.gnupg/
> of the user who performs the signature verification (usually root).
> You can import the key that is used by SuSE in rpm packages for SuSE Linux
> by saving this announcement to a file ("announcement.txt") and running
> the command (do "su -" to be root):
> gpg --batch; gpg < announcement.txt | gpg --import
> SuSE Linux distributions version 7.1 and thereafter install the
> key "build@xxxxxxx" upon installation or upgrade, provided that
> the package gpg is installed. The file containing the public key
> is placed at the toplevel directory of the first CD
> (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de.
>
>
> - SuSE runs two security mailing lists to which any interested party may
> subscribe:
>
> suse-security@xxxxxxxx
> - general/linux/SuSE security discussion.
> All SuSE security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-subscribe@xxxxxxxx>.
>
> suse-security-announce@xxxxxxxx
> - SuSE's announce-only mailing list.
> Only SuSE's security announcements are sent to this list.
> To subscribe, send an email to
> <suse-security-announce-subscribe@xxxxxxxx>.
>
> For general information or the frequently asked questions (faq)
> send mail to:
> <suse-security-info@xxxxxxxx> or
> <suse-security-faq@xxxxxxxx> respectively.
>
> =====================================================================
> SuSE's security contact is <security@xxxxxxxx> or <security@xxxxxxx>.
> The <security@xxxxxxx> public key is listed below.
> =====================================================================
> ______________________________________________________________________________
>
> The information in this advisory may be distributed or reproduced,
> provided that the advisory is not modified in any way. In particular,
> it is desired that the cleartext signature shows proof of the
> authenticity of the text.
> SuSE Linux AG makes no warranties of any kind whatsoever with respect
> to the information contained in this security advisory.
>
> Type Bits/KeyID Date User ID
> pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@xxxxxxx>
> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@xxxxxxx>
>

--
-----------------------------------------------------------
Dipl. Phys. Alexander Grujic Tel.:+493083852157
Arbeitsgruppe Prof. Dr. Martin Wolf Fax.:+493083856059
Inst. für Experimentalphysik
FU-Berlin
-----------------------------------------------------------
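The md5sum comparison step from the advisory's "Package authenticity verification" section, as an added shell example that is not part of the advisory or of SuSE's own tooling. It assumes the announcement was saved to a text file containing lines of the form "<md5sum>  <file.rpm>" and that the packages were downloaded into a single directory; the gpg signature check is included as a separate function so it can be skipped where gpg is not installed.

```shell
#!/bin/sh
# Added example, not SuSE's own script: check downloaded RPMs against the
# md5sums listed in a saved, clearsigned announcement (method 1 above).
# Assumed checksum-line format: "<32 hex digits>  <file.rpm>".

# Verify the announcement's clearsignature (needs the SuSE key imported).
# A BAD signature is not proof of tampering: list software that rewrites
# the message body also breaks it, as the advisory warns, so re-check an
# unmodified copy fetched from SuSE's own web or ftp server.
verify_announcement() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$1"
}

# Compare every checksum line in announcement $1 with the file in directory $2.
# Prints OK/FAIL/MISSING per file and returns 1 if anything is wrong.
check_md5sums() {
    ann="$1"; dir="$2"; status=0
    tmp=$(mktemp) || return 1
    grep -E '^[0-9a-f]{32}  [^ ]+\.rpm$' "$ann" > "$tmp"
    while read -r expected file; do
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING $file"; status=1; continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK      $file"
        else
            # Expected once a package is rebuilt on the ftp server (the old
            # md5sums become useless); use "rpm -v --checksig <file.rpm>" then.
            echo "FAIL    $file"; status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$status"
}

# Demo on constructed input (not a real SuSE package or checksum).
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed package body\n' > "$d/example-1.0-1.i386.rpm"
    sum=$(md5sum "$d/example-1.0-1.i386.rpm" | cut -d' ' -f1)
    printf '%s  example-1.0-1.i386.rpm\n' "$sum" > "$d/announcement.txt"
    check_md5sums "$d/announcement.txt" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```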


