What is the OpenSSL 0.9.8zaDd Security Update?

KEYWORDS: OpenServer 600 6.0.0 osr6 6V 600v maintenance pack 4 mp4 openssl security secure socket layer libraries 098za 98za

RELEASE: SCO OpenServer Release 6.0.0, with Maintenance Pack 4
         OpenServer 6V

PROBLEM: What problems are fixed by OpenSSL 0.9.8za?

SOLUTION: OpenSSL 0.9.8za addresses these security issues:

CVE-2014-0224 - Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers.

CVE-2014-0221 - Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack.

CVE-2014-0195 - Fix DTLS invalid fragment vulnerability. A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

CVE-2014-3470 - Fix bug in TLS code where clients that enable anonymous ECDH ciphersuites are subject to a denial of service attack.

CVE-2014-0076 - Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140

Fix handling of warning-level alerts in SSL23 client mode so they don't cause client-side termination (e.g. on SNI unrecognized_name warnings).

Add client and server support for six additional alerts per RFC 6066 and RFC 4279.

This supplement can be installed on the following OpenServer releases:

   SCO OpenServer Release 6.0.0 with Maintenance Pack 4
   OpenServer 6V

----------------------------------------------------------
I. Software Notes and Recommendations

   1. If you have any questions concerning this supplement, please contact your software supplier or your Xinuos Support Representative.

----------------------------------------------------------
II. Installation Instructions

To install OpenSSL 0.9.8zaDd, follow these steps:

   1. Log in as root.

   2. Create an empty directory, such as /tmp/OpenSSL.0.9.8zaDd, to which the supplement will be downloaded.

   3. Download OpenSSL-0.9.8zaDd-VOLS.tar and save it to the directory created in step 2.

   4. After the download is complete, change to the directory containing the OpenSSL-0.9.8zaDd-VOLS.tar file, and run the following to extract the media image files:

         # tar xvf OpenSSL-0.9.8zaDd-VOLS.tar

   5. Run the Software Manager with the command:

         # scoadmin software

   6. Pull down the "Software" menu and select "Install New".

   7. When prompted for the host from which to install, choose the local machine and then "Continue".

   8. In the "Select Media" menu, pull down the "Media Device" menu. Select "Media Images", then choose "Continue".

   9. When prompted for the "Image Directory", enter the name of the directory created in step 2 and choose "OK".

  10. When prompted to select software to install, make sure that the entry for "OpenSSL version 0.9.8za (ver 0.9.8zaDd)" is highlighted. Choose "Install".

  11. Under "Upgrading Components Warning", select "Leave replaced components on hard disk (loaded only)." Doing so will allow you to revert to the previous version if you remove this supplement later. If you skip this step, then removing the supplement later will leave you without a working OpenSSL package. If necessary, this can be remedied by reinstalling the OpenSSL package inside the "Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce)" component from Maintenance Pack 4 or one of the previously released supplements.

  12. Choose "Continue."

  13. Installation of OpenSSL 0.9.8za will now proceed. Once it's completed, select "OK."

  14. To exit the Software Manager, select "Exit" from the "Host" menu.

  15. Once the installation has completed, you can remove or archive the downloaded tar file, the media image files, and the containing directory created in step 2.

  16. There is no need to reboot the system for this package.

----------------------------------------------------------
III. Removal Instructions

Note: These instructions will remove the OpenSSL 0.9.8za package. They will also restore the previously installed version of OpenSSL, provided you selected "Leave replaced components on hard disk (loaded only)" in step 11 of the Installation Instructions above.

   1. Log in as root.

   2. Execute the command:

         # scoadmin software

   3. Highlight the entry for "OpenSSL version 0.9.8za (ver 0.9.8zaDd)" and make sure nothing else is highlighted.

   4. Pull down the "Software" menu and select "Remove Software".

   5. In the window labeled "Confirm Selected Software," make sure that "OpenSSL version 0.9.8za (ver 0.9.8zaDd)" is shown and select "Remove."

   6. Removal of OpenSSL 0.9.8zaDd will now proceed. Once it's completed, select "OK."

Note: The rest of this procedure assumes that you kept the prior OpenSSL version loaded as described above in step 11 of the Installation Instructions. If you did not do this, then you will need to reinstall the OpenSSL 0.9.8eDa package from within the Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce) from OpenServer 6.0.0 Maintenance Pack 4.

   7. Pull down the "Software" menu and select "Install New".

   8. When prompted for the host from which to install, choose the local machine and then "Continue".

   9. In the "Select Media" menu, pull down the "Media Device" menu. Select "Loaded Software", then choose "Continue".

  10. When prompted to select software to install, if reverting back to version 0.9.8eDa in Maintenance Pack 4:

         i.   Move the cursor down to "SCO OpenServer Release 6.0.0 Maintenance Pack 4 (ver 1.0.0Ce)" and hit to show loaded components from Maintenance Pack 4.

         ii.  Move the cursor down to "Supplemental Graphics, Web and X11 Libraries (ver 1.0.0Ce)" and hit to show subpackages from this component.

         iii. Move the cursor down to "OpenSSL (ver 0.9.8eDa)" and hit to highlight it.

         iv.  Make sure no other entries are highlighted.

  11. Choose "Install."

  12. Installation of OpenSSL 0.9.8eDa will now proceed. Once it's completed, select "OK."

  13. To exit the Software Manager, select "Exit" from the "Host" menu.
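The Software Manager part of the installation above is interactive, but the staging of the media images (steps 2 to 4) and the check an administrator wants afterwards, that the OpenSSL actually in use reports the patched release rather than the 0.9.8eDa build it replaced, can be scripted. The following is an added example and not Xinuos's own tooling: it assumes the tarball and directory names given in the article, and that "openssl version" prints a line of the form "OpenSSL <version> <date>", which is OpenSSL's standard output format.

```shell
#!/bin/sh
# Added example, not part of the Xinuos article: stage the supplement tarball
# for the Software Manager (steps 2-4) and, once the interactive install is
# done, confirm that the openssl binary in PATH reports 0.9.8za.
# Assumptions: tarball and directory names follow the article; "openssl
# version" prints "OpenSSL <version> <date>".

STAGE_DIR="${STAGE_DIR:-/tmp/OpenSSL.0.9.8zaDd}"
TARBALL="OpenSSL-0.9.8zaDd-VOLS.tar"
EXPECTED_VERSION="0.9.8za"

# stage_supplement DIR TARFILE
# Creates DIR, places TARFILE in it (unless it is already there) and unpacks
# the media image files next to it, which is what "Media Images" in the
# Software Manager expects to find in the Image Directory.
stage_supplement() {
    dir="$1"
    tarfile="$2"
    [ -f "$tarfile" ] || { echo "tarball not found: $tarfile" >&2; return 1; }
    mkdir -p "$dir" || return 1
    name=$(basename "$tarfile")
    if [ ! -e "$dir/$name" ]; then
        cp "$tarfile" "$dir/$name" || return 1
    fi
    # extract inside the directory so the images land beside the tarball
    ( cd "$dir" && tar xvf "$name" ) || return 1
    echo "media images staged in $dir; use it as the Image Directory" >&2
}

# version_is_patched "OpenSSL 0.9.8za 5 Jun 2014"
# Returns 0 when the version field of an "openssl version" line is exactly
# the expected patched release, 1 otherwise (for example the prior 0.9.8e).
version_is_patched() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    [ "$ver" = "$EXPECTED_VERSION" ]
}

# check_installed_openssl
# Runs the real binary and reports whether the update is in effect. Returns
# non-zero if openssl is missing or still reports the old release.
check_installed_openssl() {
    out=$(openssl version 2>/dev/null) || {
        echo "openssl not found in PATH" >&2
        return 1
    }
    if version_is_patched "$out"; then
        echo "OK: $out" >&2
    else
        echo "NOT PATCHED: $out (expected $EXPECTED_VERSION)" >&2
        return 1
    fi
}

# Usage on the OpenServer host (uncomment):
# stage_supplement "$STAGE_DIR" "$HOME/$TARBALL"
# ... complete steps 5 to 14 in scoadmin software ...
# check_installed_openssl
```

Run the staging function before starting scoadmin software and the check function after exiting it; a non-zero exit from check_installed_openssl means the binary in PATH is not the updated one, for instance because a second OpenSSL build is installed elsewhere and found first.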