what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SCOSA-2005.48.txt

SCOSA-2005.48.txt
Posted Nov 20, 2005
Authored by SCO | Site sco.com

SCO Security Advisory - A vulnerability has been found in OpenSSL which potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL.

tags | advisory
advisories | CVE-2005-2969
SHA-256 | bdc10ddc12e02eb7b618303927e2aede4194e4f2011bac78505358a0fc1988aa

SCOSA-2005.48.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.3 UnixWare 7.1.4 : OpenSSL Potential SSL 2.0 Rollback Vulnerability
Advisory number: SCOSA-2005.48
Issue date: 2005 November 15
Cross reference: fz533160
CVE-2005-2969
______________________________________________________________________________


1. Problem Description

A vulnerability has been found in OpenSSL which potentially
affects applications that use the SSL/TLS server implementation
provided by OpenSSL.

Such applications are affected if they use the option
SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of
SSL_OP_ALL, which is intended to work around various bugs in
third-party software that might prevent interoperability. The
SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a verification
step in the SSL 2.0 server supposed to prevent active
protocol-version rollback attacks. With this verification step
disabled, an attacker acting as a "man in the middle" can force
a client and a server to negotiate the SSL 2.0 protocol even if
these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0
protocol is known to have severe cryptographic weaknesses and is
supported as a fallback only.

Applications using neither SSL_OP_MSIE_SSLV2_RSA_PADDING nor
SSL_OP_ALL are not affected. Also, applications that disable
use of SSL 2.0 are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2969 to this issue.


2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
UnixWare 7.1.3 All earlier OpenSSL distributions
UnixWare 7.1.4 All earlier OpenSSL distributions


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.3

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48


4.2 Verification

MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl-0.9.7i.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/openssl-0.9.7i.image


5. UnixWare 7.1.4

5.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.48


5.2 Verification

MD5 (openssl-0.9.7i.image) = 528a4e250fe58da796bf17c71b46c48b

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools


5.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Download openssl-0.9.7i.image to the /var/spool/pkg directory.

# pkgadd -d /var/spool/pkg/openssl-0.9.7i.image


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969
http://www.openssl.org/news/secadv_20051011.txt

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents fz533160.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)

iD8DBQFDeivIaqoBO7ipriERApy+AJ9R0xNIZA4uHFvKZOmxiir77ZIFhQCggUyy
ATHvbNOkKn7sYBLOkLK1wBg=
=AX7f
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close