-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Nov 4 15:00:40 CDT 2011
| Updated: Tue Dec 20 11:10:55 CST 2011
| Fixed vulnerable fileset levels
| Updated: Tue Dec 6 08:33:15 CST 2011
| Updated OpenSSH version note
| Added OpenSSL-OpenSSH compatibility matrix
| Updated: Fri Jan 20 17:28:19 CST 2012
| Added VIOS version note

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory2.asc

VULNERABILITY SUMMARY

VULNERABILITY: Multiple OpenSSL vulnerabilities

PLATFORMS: AIX 5.3, 6.1, 7.1, and earlier releases

SOLUTION: Apply the fix as described below.

THREAT: See below

CVE Numbers: CVE-2011-0014
             CVE-2010-3864
             CVE-2010-4180

DETAILED INFORMATION

I. DESCRIPTION (from cve.mitre.org)

    ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through
    1.0.0c allows remote attackers to cause a denial of service (crash),
    and possibly obtain sensitive information in applications that use
    OpenSSL, via a malformed ClientHello handshake message that triggers
    an out-of-bounds memory access, aka "OCSP stapling vulnerability."

    Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through
    0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching
    are enabled on a TLS server, might allow remote attackers to execute
    arbitrary code via client data that triggers a heap-based buffer
    overflow, related to (1) the TLS server name extension and
    (2) elliptic curve cryptography.

    OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when
    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly
    prevent modification of the ciphersuite in the session cache, which
    allows remote attackers to force the downgrade to an unintended
    cipher via vectors involving sniffing network traffic to discover a
    session identifier.

    Please see the following for more information:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0014
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3864
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
    http://www.openssl.org/news/secadv_20110208.txt
    http://www.openssl.org/news/secadv_20101116.txt
    http://www.openssl.org/news/secadv_20101202.txt

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L openssl.base

|   On VIO Server:
|   oem_setup_env
|   lslpp -L openssl.base

    The following fileset levels are vulnerable:

|   VIOS, AIX 7.1, 6.1, 5.3: all versions less than or equal 0.9.8.1301
|   AIX 7.1, 6.1, 5.3: FIPS capable versions less than or equal 12.9.8.1301
|   AIX 5.2: all versions less than or equal 0.9.8.807

|   IMPORTANT: If AIX OpenSSH is in use, it must be updated to version
|   OpenSSH 5.0 or later, depending on the OpenSSL version according to
|   following compatibility matrix:

|   AIX            OpenSSL                     OpenSSH
|   ------------------------------------------------------------------
|   5.2            OpenSSL 0.9.8.80x           OpenSSH 5.0
|   5.3,6.1,7.1    OpenSSL 0.9.8.13xx          OpenSSH 5.4.0.61xx
|   5.3,6.1,7.1    OpenSSL-fips 12.9.8.13xx    OpenSSH 5.4.0.61xx

    AIX OpenSSH can be downloaded from:

    http://sourceforge.net/projects/openssh-aix

III. FIXES

    A fix is available, and it can be downloaded from:

    https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp

    To extract the fixes from the tar file:

    zcat openssl.0.9.8.1302.tar.Z | tar xvf -
    or
    zcat openssl-fips.12.9.8.1302.tar.Z | tar xvf -
    or
    zcat openssl.0.9.8.808.tar.Z | tar xvf -

    IMPORTANT: If possible, it is recommended that a mksysb backup
    of the system be created. Verify it is both bootable and
    readable before proceeding.

    To preview the fix installation:

    installp -apYd . openssl

    To install the fix package:

    installp -aXYd . openssl

IV. WORKAROUNDS

    There are no workarounds.

V. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

    http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

    security-alert@austin.ibm.com

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

    A. Send an email with "get key" in the subject line to:

       security-alert@austin.ibm.com

    B. Download the key from our web page:

       http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

    C. Download the key from a PGP Public Key Server. The key ID is:

       0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFPGf4Z4fmd+Ci/qhIRAk1XAJ9XkLlD/+JgytpJ7xSEYVpfOPV8SACfR07z
XUoJeItaYFt3FzgcF2FaZE0=
=uqej
-----END PGP SIGNATURE-----
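
The fileset level check from section II, as an added example that is not part of IBM's advisory: it compares an openssl.base level against the listed thresholds field by field as numbers, since a plain string comparison would rank 0.9.8.840 above 0.9.8.1301. The function names and sample levels are constructed for illustration, and platform and level combinations the advisory does not list are reported as unknown.

```shell
#!/bin/sh
# Added example: thresholds are the ones listed in section II of the advisory;
# function names and the sample levels below are constructed for illustration.

# ver_le A B: succeed when dotted level A <= B, comparing each field as a number.
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0
}

# openssl_level_status PLATFORM LEVEL
# PLATFORM is 5.2, 5.3, 6.1, 7.1 or VIOS; LEVEL is the openssl.base level.
# Prints vulnerable, not_vulnerable, or unknown (combination not in the advisory).
openssl_level_status() {
    rel=$1 lvl=$2
    case $lvl in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    case $rel:$lvl in
        5.2:12.*|VIOS:12.*) echo unknown; return 0 ;;  # no FIPS level listed
        5.2:*) max=0.9.8.807 ;;
        5.3:12.*|6.1:12.*|7.1:12.*) max=12.9.8.1301 ;;  # FIPS capable filesets
        5.3:*|6.1:*|7.1:*|VIOS:*) max=0.9.8.1301 ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_le "$lvl" "$max"; then echo vulnerable; else echo not_vulnerable; fi
}

# Constructed sample inputs: "platform level" pairs.
for pair in "7.1 0.9.8.840" "6.1 12.9.8.1302" "5.2 0.9.8.807" "VIOS 0.9.8.1302"; do
    set -- $pair
    printf '%-5s %-12s %s\n' "$1" "$2" "$(openssl_level_status "$1" "$2")"
done
```

Pass the level that `lslpp -L openssl.base` reports for the installed fileset as the second argument.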