-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Fri May 21 10:09:57 CDT 2010
| Updated: Wed May 26 14:36:48 CDT 2010
| Fixed vulnerable fileset levels
| Updated: Tue Dec  6 08:33:15 CST 2011
| Updated OpenSSH version note

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc

                           VULNERABILITY SUMMARY

VULNERABILITY:   "Record of death" vulnerability

PLATFORMS:       AIX 5.3, 6.1, and earlier releases

SOLUTION:        Apply the fix as described below.

THREAT:          See below

CVE Numbers:	 CVE-2009-3245
		 CVE-2010-0433
		 CVE-2010-0740

                           DETAILED INFORMATION

I. DESCRIPTION (from cve.mitre.org)

    "In TLS connections, certain incorrectly formatted records can cause 
    an OpenSSL client or server to crash due to a read attempt at NULL."
    "OpenSSL before 0.9.8m does not check for a NULL return value from 
    bn_wexpand function calls in (1) crypto/bn/bn_div.c, 
    (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/
    e_ubsec.c, which has unspecified impact and context-dependent attack 
    vectors." 

    "The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL 
    before 0.9.8n, when Kerberos is enabled but Kerberos configuration 
    files cannot be opened, does not check a certain return value, which 
    allows remote attackers to cause a denial of service (NULL pointer 
    dereference and daemon crash) via SSL cipher negotiation, as 
    demonstrated by a chroot installation of Dovecot or stunnel without 
    Kerberos configuration files inside the chroot." 

    "The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f 
    through 0.9.8m allows remote attackers to cause a denial of service 
    (crash) via a malformed record in a TLS connection that triggers a 
    NULL pointer dereference, related to the minor version number." 

    Please see the following for more information:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0433
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740
    http://cvs.openssl.org/chngview?cn=19307
    http://cvs.openssl.org/chngview?cn=19374
    http://www.openssl.org/news/secadv_20100324.txt

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L openssl.base

    The following fileset levels are vulnerable:

|   AIX 6.1 and 5.3: all versions less than 0.9.8.1103
|   AIX 6.1 and 5.3: FIPS capable versions less than 12.9.8.1103
|   AIX 5.2: all versions less than 0.9.8.806

|   IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
|   5.0 or later, depending on the OpenSSL version. Refer  to the Readme
|   for each version's specific requirements.

    AIX OpenSSH can be downloaded from:

    http://sourceforge.net/projects/openssh-aix

III. FIXES

    A fix is available, and it can be downloaded from:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

    To extract the fixes from the tar file:

    zcat openssl.0.9.8.1103.tar.Z | tar xvf -
    or
    zcat openssl-fips.12.9.8.1103.tar.Z | tar xvf -
    or
    zcat openssl.0.9.8.806.tar.Z | tar xvf -

    IMPORTANT: If possible, it is recommended that a mksysb backup
    of the system be created.  Verify it is both bootable and
    readable before proceeding.

    To preview the fix installation:

    installp -apYd . openssl

    To install the fix package:

    installp -aXYd . openssl

IV. WORKAROUNDS

    There are no workarounds.

V. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from our web page:

  http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        C. Download the key from a PGP Public Key Server. The key ID is:

	    0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFO3jPG4fmd+Ci/qhIRAk6tAJwKAMPXP0LxtNaSKWwYVOTTc1eCegCfXBPR
O0phrHbiH9RaAHRMMl7uw0I=
=rb/J
-----END PGP SIGNATURE-----