Kolab Security Issue 04 20051014
================================

Package: openssl
Vulnerability: Potential SSL 2.0 Rollback (CAN-2005-2969)
Kolab Specific: no
Dependent Packages: apache imapd openldap perl-ssl php postfix proftpd sasl

Summary
-------

According to a vendor security advisory, a potential SSL 2.0 protocol rollback vulnerability exists in the cryptography toolkit OpenSSL. The vulnerability potentially affects applications that use the SSL/TLS server implementation provided by OpenSSL. Such applications are affected if they use the option "SSL_OP_MSIE_SSLV2_RSA_PADDING". Applications using neither "SSL_OP_MSIE_SSLV2_RSA_PADDING" nor "SSL_OP_ALL" are not affected. Also, applications that disable use of SSL 2.0 are not affected.

Affected Versions
-----------------

OpenPKG packages of openssl-0.9.7g-2.4.1 or earlier are affected. Kolab Server 2.0.1 and previous releases of the 2.0 branch are affected.

You can check the installed version with:

    /kolab/bin/openpkg rpm -q openssl

Fixes
-----

Note: The fix described here is for Kolab Server 2.0.1. If you still run an older version, please upgrade to 2.0.1 first.

Since SSLv2 cannot be disabled via a configuration setting for all services running on a Kolab server, the OpenSSL package has to be updated and the dependent packages have to be rebuilt so that they use the new OpenSSL version.

The updated OpenPKG package openssl-0.9.7g-2.4.2 is available from the usual Kolab mirrors under the directory security-updates/20051014/. While the mirrors are catching up, you can also get the files via rsync:

    # rsync -tzvr rsync://rsync.kolab.org/kolab/server/security-updates/20051014 .

If you have installed the Kolab server from sources, download the directory security-updates/20051014/sources/. If you installed the ix86-debian3.0 binaries, download security-updates/20051014/ix86-debian3.0/. Both directories contain the new OpenSSL package plus obmtool and obmtool.conf, as in a Kolab release. In addition, the ix86-debian3.0 directory contains updated binaries of the dependent packages.

In both cases, download all files in the appropriate directory, chdir into the downloaded directory and run:

    /kolab/bin/openpkg rc all stop
    ./obmtool kolab

This will install the new openssl package and rebuild/reinstall the dependent packages. Afterwards, start the server again, making sure to regenerate the config files as you would for a normal Kolab server update.

Details
-------

http://www.openpkg.org/security/OpenPKG-SA-2005.022-openssl.html
    OpenPKG Security Advisory OpenPKG-SA-2005.022

http://www.openssl.org/news/secadv_20051011.txt
    OpenSSL Security Advisory on the vendor's site

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969
    Common Vulnerabilities and Exposures (CVE): CAN-2005-2969

Timeline
--------

20051011  OpenSSL vendor released patch and new versions containing the fix
20051011  OpenPKG created new package containing the fix, not yet announced
20051014  Kolab update and security advisory published
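The version check above can be turned into a script that flags hosts still running the affected build. This is an added example, not part of the advisory or the Kolab project; it assumes that "/kolab/bin/openpkg rpm -q openssl" prints the package name in the form used by the advisory (openssl-0.9.7g-2.4.1), and the version comparison is written here, not taken from OpenPKG:

```shell
# Added example, not part of the Kolab advisory: compare the package name printed by
# "/kolab/bin/openpkg rpm -q openssl" with the fixed release openssl-0.9.7g-2.4.2.
FIXED_VERSION="0.9.7g-2.4.2"

# version_lt A B: exit status 0 when OpenPKG version A sorts before version B.
# Fields split on "." and "-"; a trailing letter (the "g" in 0.9.7g) becomes its
# alphabet position, so 0.9.7 < 0.9.7f < 0.9.7g and 0.9.7g-2.4.1 < 0.9.7g-2.4.2.
version_lt() {
    awk -v a="$1" -v b="$2" '
    function fields(v, arr,    n, i, f, parts) {
        n = split(v, parts, /[.-]/)
        for (i = 1; i <= n; i++) {
            f = parts[i]
            if (f ~ /^[0-9]+[a-z]$/) {
                arr[2*i-1] = substr(f, 1, length(f) - 1) + 0
                arr[2*i]   = index("abcdefghijklmnopqrstuvwxyz", substr(f, length(f)))
            } else {
                arr[2*i-1] = f + 0
                arr[2*i]   = 0
            }
        }
        return 2 * n
    }
    BEGIN {
        na = fields(a, fa); nb = fields(b, fb)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in fa) ? fa[i] : 0
            y = (i in fb) ? fb[i] : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}
# kolab_openssl_affected PACKAGE: PACKAGE is the "rpm -q openssl" output, e.g.
# openssl-0.9.7g-2.4.1. Exit status 0 = affected build, 1 = fixed build or newer.
kolab_openssl_affected() {
    pkg="$1"
    ver="${pkg#openssl-}"
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "$pkg: AFFECTED by CAN-2005-2969, update to openssl-$FIXED_VERSION"
        return 0
    fi
    echo "$pkg: not affected (openssl-$FIXED_VERSION or newer)"
    return 1
}
# Constructed sample input; on a real host pass "$(/kolab/bin/openpkg rpm -q openssl)".
kolab_openssl_affected "openssl-0.9.7g-2.4.1"
```

The exit status makes the function usable from an inventory loop over several Kolab hosts, reporting only the ones that still need the update.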