----- B a l a B i t S e c u r i t y A d v i s o r y ( B B S A ) ----- PACKAGE : openssl AFFECTED VERSION : <= 0.9.8a-7.zorpos8, <= 0.9.8a-7ubuntu0.5.zorpos33.2 FIXED : 0.9.8a-7.zorpos9, 0.9.8a-7ubuntu0.5.zorpos33.3 SUMMARY : multiple vulnerabilites TYPE : remote AFFECTED : ZorpOS 3.1, ZorpOS 3.3 ZORP-OS SPECIFIC : NO BBSA-AUTHOR : Tamás Pál BBSA-ID : BBSA-2008-029 BBSA-ADDRESS : advisory@balabit.hu GNUPG FINGERPRINT : 933E 6763 D32D A01C 1A75 F228 9CB1 81C7 D91E 8915 CVE : CVE-2008-1672 DATE : Jun 5, 2008 ----------------------------------------------------------------------------- BACKGROUND: CVE-2008-1672: OpenSSL before 0.9.8h allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites." non-CVE error: OpenSSL after 0.9.7g has problems verifying certificates, whose CA names contains underscore (_) characters. For more information see the OpenSSL tickets in References. SOLUTION: We recommend that you update the affected packages immediately. Upgrading using apt: ~~~~~~~~~~~~~~~~~~~~ Add the following line to /etc/apt/sources.list (if it doesn't contain this line already) ZorpOS version 3.1: deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \ zorp-os-3.1/3.1security zorp-os zorp-os-extra ZorpOS version 3.3: deb https://USERNAME:PASSWORD@apt.balabit.hu/zorp-os \ zorp-os-3.3/3.3security zorp-os zorp-os-extra then issue the following commands as root: apt-get update apt-get -u upgrade The latest upgrades will be downloaded and installed. REFERENCES: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672 To view this tickets, login using the guest account with password guest. http://rt.openssl.org/Ticket/Display.html?id=1422 http://rt.openssl.org/Ticket/Display.html?id=1311