* [gentoo-dev] Re: [gentoo-security] GLSA: OpenSSL
From: Mickey Mullin @ 2002-07-31 14:20 UTC
To: gentoo-dev; +Cc: Daniel Ahlberg

Hey, this doesn't look right. I followed the instructions (not that there is much to a rsync/emerge/clean scenario), but it appears that my system is playing a prank:

--- ---
>>> dev-libs/openssl-0.9.6e merged.
[snip]
newjersey root # emerge -p clean

>>> These are the packages that I would unmerge:

 dev-libs/openssl
    selected: 0.9.6d
   protected: 0.9.6c-r1 0.9.6e
     omitted: none

>>> Packages in red are slated for removal.
>>> Packages in green will not be removed.
--- ---

Why is it going to "clean" the package that I just merged (0.9.6e)? It worked properly on my other servers. Curious....

Mickey

--
Mickey Mullin
Chief Technical Officer
Websoft Systems, Inc.
www.websoft.com
mmullin@websoft.com
732-212-1933 x204

Daniel Ahlberg wrote:
> - --------------------------------------------------------------------
> GENTOO LINUX SECURITY ANNOUNCEMENT
> - --------------------------------------------------------------------
>
> PACKAGE :openssl
> SUMMARY :denial of service / remote root exploit
> DATE    :2002-07-30 16:15:00
>
> - --------------------------------------------------------------------
>
> OVERVIEW
>
> Multiple potentially remotely exploitable vulnerabilities have been found in
> OpenSSL.
>
> DETAIL
>
> 1. The client master key in SSL2 could be oversized and overrun a
>    buffer. This vulnerability was also independently discovered by
>    consultants at Neohapsis (http://www.neohapsis.com/) who have also
>    demonstrated that the vulnerability is exploitable. Exploit code is
>    NOT available at this time.
>
> 2. The session ID supplied to a client in SSL3 could be oversized and
>    overrun a buffer.
>
> 3. The master key supplied to an SSL3 server could be oversized and
>    overrun a stack-based buffer. This issue only affects OpenSSL
>    0.9.7 before 0.9.7-beta3 with Kerberos enabled.
>
> 4. Various buffers for ASCII representations of integers were too
>    small on 64 bit platforms.
>
> The full advisory can be read at
> http://www.openssl.org/news/secadv_20020730.txt
>
> SOLUTION
>
> It is recommended that all Gentoo Linux users update their systems as
> follows.
>
> emerge --clean rsync
> emerge openssl
> emerge clean
>
> After the installation of the updated OpenSSL you should restart the services
> that use OpenSSL, which include such common services as OpenSSH, SSL-Enabled
> POP3, IMAP, and SMTP servers, and stunnel-wrapped services as well.
>
> Also, if you have an application that is statically linked to openssl you will
> need to reemerge that application to build it against the new OpenSSL.
>
> - --------------------------------------------------------------------
> Daniel Ahlberg
> aliz@gentoo.org
> - --------------------------------------------------------------------

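
The advisory quoted above asks for services that use OpenSSL to be restarted after the update. The following is an added example, not part of any message in this thread: it lists processes that still have the replaced library mapped, so the restart step can be checked. The function names `stale_openssl_maps` and `scan_proc`, the library paths and the sample process tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes Linux: a mapping whose backing file was unlinked
# is shown in /proc/<pid>/maps with a trailing " (deleted)".

# Print the unique replaced libssl/libcrypto paths found in one maps file.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' \
        "$1" 2>/dev/null | sort -u
}

# Walk a proc tree (default /proc) and print "pid command library" per hit.
scan_proc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        name=$(cat "$dir/comm" 2>/dev/null || echo '?')
        stale_openssl_maps "$maps" | while IFS= read -r lib; do
            printf '%s %s %s\n' "${dir##*/}" "$name" "$lib"
        done
    done
}

# Constructed sample tree: pid 812 started before the update, pid 900 after.
demo=$(mktemp -d)
mkdir -p "$demo/812" "$demo/900"
echo sshd > "$demo/812/comm"
echo stunnel > "$demo/900/comm"
cat > "$demo/812/maps" <<'EOF'
08048000-0807e000 r-xp 00000000 03:01 4411 /usr/sbin/sshd
40017000-40045000 r-xp 00000000 03:01 5120 /usr/lib/libssl.so.0.9.6 (deleted)
40045000-40110000 r-xp 00000000 03:01 5121 /usr/lib/libcrypto.so.0.9.6 (deleted)
EOF
cat > "$demo/900/maps" <<'EOF'
08048000-08060000 r-xp 00000000 03:01 4500 /usr/sbin/stunnel
40017000-40045000 r-xp 00000000 03:01 6200 /usr/lib/libssl.so.0.9.6
EOF

scan_proc "$demo"    # on a live host: scan_proc   (as root, to see every process)
```

Statically linked binaries never show up in this listing, which is why the advisory treats them separately and asks for a rebuild.
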
* Re: [gentoo-dev] Re: [gentoo-security] GLSA: OpenSSL
From: Alexander Gretencord @ 2002-07-31 15:10 UTC
To: Mickey Mullin; +Cc: gentoo-dev

Mickey Mullin wrote:
> rsync/emerge/clean scenario), but it appears that my system is playing a
> prank:

Nope your eyes are :)

> dev-libs/openssl
>     selected: 0.9.6d
>    protected: 0.9.6c-r1 0.9.6e
>      omitted: none

> Why is it going to "clean" the package that I just merged (0.9.6e)? It
> worked properly on my other servers. Curious....

Coz it doesn't :P It's going to remove d not e. c and e are protected. I'd better ask why it wants to NOT unmerge c :)

Alex

* Re: [gentoo-dev] OpenSSL
From: Mickey Mullin @ 2002-07-31 15:20 UTC
To: Alexander Gretencord; +Cc: gentoo-dev

>> rsync/emerge/clean scenario), but it appears that my system is playing
>> a prank:
>
> Nope your eyes are :)

Yup. I wish I could blame it on my eyewear, only I don't wear any. I guess Coke really isn't an adequate substitute for sleep - Mom was right, after all.

>> dev-libs/openssl
>>     selected: 0.9.6d
>>    protected: 0.9.6c-r1 0.9.6e
>>      omitted: none
>> Why is it going to "clean" the package that I just merged (0.9.6e)?
>> It worked properly on my other servers. Curious....
>
> Coz it doesn't :P It's going to remove d not e. c and e are protected.
> I'd better ask why it wants to NOT unmerge c :)

Uh, yeah! That's what I was thinking. Why is it keeping "c"? That's what I meant all along. Uh huh. Sure it is, Mick...

Thanks, Alex.

Mickey

* Re: [gentoo-dev] OpenSSL
From: Stuart Bouyer @ 2002-08-01 16:16 UTC
To: gentoo-dev

On Thu, 2002-08-01 at 00:20, Mickey Mullin wrote:
<snip>
> > Coz it doesn't :P It's going to remove d not e. c and e are protected.
> > I'd better ask why it wants to NOT unmerge c :)
>
> Uh, yeah! That's what I was thinking. Why is it keeping "c"? That's what
> I meant all along. Uh huh. Sure it is, Mick...
>

It's not emerging c cause c didn't have a SLOT in it, so portage doesn't know it can throw it away. To get rid of c - do emerge -P openssl (do emerge -Pp openssl first to make sure it won't get e by accident)

Stuart

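
The `emerge -p clean` output that was misread earlier in the thread can be checked mechanically. The following is an added example, not part of any poster's message and not Portage code: it parses that output, confirms the fixed version is kept, and reports any other version that also stays installed. The function names `clean_plan` and `verify_fixed_kept` are hypothetical, and the input is assumed to be plain text without color escape codes.

```shell
#!/bin/sh
# Added example: turn `emerge -p clean` text into "package action version" lines.
clean_plan() {
    awk '
        NF == 1 && $1 ~ "^[a-z0-9-]+/[A-Za-z0-9+_.-]+$" { pkg = $1; next }
        $1 == "selected:"  { act = "remove" }   # slated for removal
        $1 == "protected:" { act = "keep" }     # will not be removed
        pkg != "" && ($1 == "selected:" || $1 == "protected:") {
            for (i = 2; i <= NF; i++)
                if ($i != "none") print pkg, act, $i
        }'
}

# Succeed only if version $2 of package $1 stays installed; list any other
# version that also stays (the 0.9.6c-r1 case asked about in the thread).
verify_fixed_kept() {
    plan=$(clean_plan)
    echo "$plan" | grep -qxF "$1 keep $2" || {
        echo "FAIL: $1-$2 is not protected"
        return 1
    }
    echo "$plan" | awk -v p="$1" -v v="$2" \
        '$1 == p && $2 == "keep" && $3 != v { print "leftover: " p "-" $3 }'
}

# Sample input: the output quoted in the thread (indentation reconstructed).
sample() { cat <<'EOF'
>>> These are the packages that I would unmerge:

 dev-libs/openssl
    selected: 0.9.6d
   protected: 0.9.6c-r1 0.9.6e
     omitted: none

>>> Packages in red are slated for removal.
>>> Packages in green will not be removed.
EOF
}

sample | clean_plan
sample | verify_fixed_kept dev-libs/openssl 0.9.6e
```
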
* Re: [gentoo-dev] OpenSSL
From: Mickey Mullin @ 2002-08-01 20:20 UTC
To: gentoo-dev; +Cc: Stuart Bouyer

That worked great. Thanks!

Mickey

On 01.08.2002 at 12:12:14, Stuart Bouyer <stubear@gentoo.org> wrote:
> > > Coz it doesn't :P It's going to remove d not e. c and e are protected.
> > > I'd better ask why it wants to NOT unmerge c :)
> >
> > Uh, yeah! That's what I was thinking. Why is it keeping "c"? That's what
> > I meant all along. Uh huh. Sure it is, Mick...
> >
> It's not emerging c cause c didn't have a SLOT in it, so portage doesn't
> know it can throw it away. To get rid of c - do emerge -P openssl (do
> emerge -Pp openssl first to make sure it won't get e by accident)