Note: This is an archival copy of Security Sun Alert 201029 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000766.1.
Date of Resolved Release
Sun Linux 5.0 OpenSSL versions 0.9.6 and earlier have two issues that may allow a remote unprivileged user to cause Denial of Service and arbitrary code execution.
OpenSSL is an open source toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a general purpose cryptography library.
More information is available at:
Red Hat Advisory RHSA-2003:291-11 at: https://rhn.redhat.com/errata/RHSA-2003-291.html
CVE CAN-2003-0543 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
CVE CAN-2003-0544 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
CERT advisory CA-2003-26 at: http://www.cert.org/advisories/CA-2003-26.html
2. Contributing Factors
This issue can occur in the following releases:
Note: Sun Linux 5.0 is currently shipped with the Sun LX50 Server.
The OpenSSL package version can be determined by running the following command:
# rpm -qa | grep -i openssl
openssl-0.9.6-2C5
There are no predictable symptoms that would indicate that the issues described above have been exploited.
There is no workaround. However, system administrators may choose to disable some of the applications that are using OpenSSL packages, for instance, "httpd" in secure mode (https). Please see the relevant application documentation to disable the usage of OpenSSL.
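To decide which applications to disable or restart, it helps to know which running processes have the OpenSSL shared libraries loaded. The following is an added example, not part of the original Sun Alert: a hypothetical shell function, openssl_users, that reads /proc/PID/maps and reports each process with libssl or libcrypto mapped. It assumes a Linux /proc layout and does not detect statically linked programs.

```shell
#!/bin/sh
# Added example (not from the Sun Alert). openssl_users is a hypothetical
# helper name. Output, one line per process:
#   PID  COMMAND  comma-separated library paths
# A path tagged [deleted] means the process still maps a library file that
# has been replaced on disk (for example by a patch), so the process must
# be restarted before it picks up the new copy.
#
# Usage: openssl_users [proc_root]    (proc_root defaults to /proc;
#        run as root so that every process's maps file is readable)
openssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unreadable entries and the unexpanded glob when nothing matches.
        [ -r "$maps" ] || continue
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"

        # Field 6 of a maps line is the mapped file; field 7 is "(deleted)"
        # when the file was unlinked or replaced after being mapped.
        libs=$(awk '$6 ~ "/lib(ssl|crypto)[^/]*[.]so" {
                        print $6 ($7 == "(deleted)" ? "[deleted]" : "")
                    }' "$maps" 2>/dev/null | sort -u | tr '\n' ',')
        [ -n "$libs" ] || continue

        # Command name: first NUL-separated argument of cmdline, if readable.
        name=""
        [ -r "$pid_dir/cmdline" ] &&
            name=$(tr '\0' '\n' < "$pid_dir/cmdline" | head -n 1)

        printf '%s %s %s\n' "$pid" "${name:-?}" "${libs%,}"
    done
}
```

Calling openssl_users with no argument scans the live /proc.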
Sun Linux patches are available at: http://sunsolve.sun.com/patches/linux/security.html
Patches for Qube3, RaQ4, RaQXTR and RaQ 550 are available at: http://sunsolve.sun.com/cobalt
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Sun Linux 5.0