CPNI - Centre for the Protection of National Infrastructure

January 2005

UnixWare 7.1.3 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities

ID: 00074
Ref: 61/2005
Date: 27 January 2005 14:46:17
Version: 1

Title: UnixWare 7.1.3 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities
Abstract:



______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.1 : OpenSSL Multiple Vulnerabilities
Advisory number: SCOSA-2005.7
Issue date: 2005 January 20
Cross reference: sr890283 fz529411 erg712602 CAN-2004-0079 CAN-2004-0081 CAN-2004-0112
______________________________________________________________________________


1. Problem Description

OpenSSL implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols and includes a
general purpose cryptographic library. SSL and TLS are
commonly used to provide authentication, encryption,
integrity, and non-repudiation services to network
applications including HTTP, IMAP, POP3, SMTP, and LDAP.

The U.K. National Infrastructure Security Co-ordination
Centre (NISCC) and the OpenSSL Project have reported several
vulnerabilities in the OpenSSL SSL/TLS library (libssl).
Any application or system that uses this library may be
affected.

CERT Vulnerability Note VU#288574
OpenSSL contains null-pointer assignment in do_change_cipher_spec() function

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0079 to this issue.

CERT Vulnerability Note VU#465542
OpenSSL does not properly handle unknown message types

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0081 to this issue.

CERT Vulnerability Note VU#484726
OpenSSL does not adequately validate length of Kerberos ticket
during SSL/TLS handshake.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0112 to this issue.

2. Vulnerable Supported Versions

System           Binaries
----------------------------------------------------------------------
UnixWare 7.1.4   Not vulnerable
UnixWare 7.1.3   Distribution
UnixWare 7.1.1   Distribution


3. Solution

The proper solution is to install the latest packages.

4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7

4.2 Verification

MD5 (openssl.pkg) = d2ba4c1dee05dad681b39bfea4d4d7f9
MD5 (openssld.pkg) = 6a737b8d0265e8194f55f39518380bae

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl.pkg to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/openssl.pkg


5. UnixWare 7.1.1

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.7

The fixes are also available in SCO UnixWare Release 7.1.1
Maintenance Pack 5 or later. See
ftp://ftp.sco.com/pub/unixware7/uw711pk/uw711mp5.txt

5.2 Verification

MD5 (openssl.pkg) = d2ba4c1dee05dad681b39bfea4d4d7f9
MD5 (openssld.pkg) = 6a737b8d0265e8194f55f39518380bae

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssld.pkg to the /var/spool/pkg directory

# pkgadd -d /var/spool/pkg/openssld.pkg
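Sections 4.2/4.3 and 5.2/5.3 above describe the same two-step sequence for each release: compare the downloaded package's MD5 against the value printed in the advisory, then run pkgadd. The script below is an added example, not part of the SCO advisory, that ties the two steps together so that pkgadd is only reached when the digest matches. The expected digests and file names are the ones the advisory publishes; the helper names (compute_md5, verify_pkg, install_if_verified) are assumptions of this example, and it accepts output from either GNU md5sum or the BSD/SCO-style md5 tool the advisory points to.

```shell
#!/bin/sh
# Added example (not part of the SCO advisory): verify a downloaded package
# against the MD5 value published in the advisory before installing it.

# compute_md5 FILE -> prints the lowercase hex MD5 digest of FILE.
# Handles GNU md5sum ("HASH  FILE") and BSD/SCO md5 ("MD5 (FILE) = HASH").
compute_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print tolower($1)}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print tolower($NF)}'
    else
        echo "compute_md5: no md5 tool found" >&2
        return 2
    fi
}

# verify_pkg EXPECTED_MD5 FILE -> 0 if the digest matches, 1 if it does not,
# 2 if no digest could be computed. Case of the expected value is ignored.
verify_pkg() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(compute_md5 "$2") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $2 $actual"
        return 0
    fi
    echo "FAIL $2 expected $expected got $actual" >&2
    return 1
}

# install_if_verified EXPECTED_MD5 FILE -> runs pkgadd only after a good match.
install_if_verified() {
    verify_pkg "$1" "$2" || { echo "refusing to install $2" >&2; return 1; }
    pkgadd -d "$2"
}

# Usage, following the advisory's sequence (packages assumed downloaded
# to /var/spool/pkg; digests copied from sections 4.2 and 5.2):
#   install_if_verified d2ba4c1dee05dad681b39bfea4d4d7f9 /var/spool/pkg/openssl.pkg
#   install_if_verified 6a737b8d0265e8194f55f39518380bae /var/spool/pkg/openssld.pkg
```

The check gets its value from comparing against the digest printed in the advisory itself rather than against a checksum file fetched from the same FTP directory as the package; a mismatch means the file should be discarded and re-downloaded, never installed.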


6. References

Specific references for this advisory:
http://www.us-cert.gov/cas/techalerts/TA04-078A.html
http://www.kb.cert.org/vuls/id/288574
http://www.kb.cert.org/vuls/id/484726
http://www.kb.cert.org/vuls/id/465542
http://www.openssl.org/news/secadv_20040317.txt
http://www.uniras.gov.uk/vuls/2004/224012/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr890283 fz529411
erg712602.

7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


8. Acknowledgments

SCO would like to thank The U.K. National Infrastructure
Security Co-ordination Centre (NISCC) and the OpenSSL team.

______________________________________________________________________________
