lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 21 May 2008 12:11:20 -0500
From: "Ganeshram Iyer" <ganeshramiyer@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [USN-612-8] openssl-blacklist update

Hello all,
According to the following USN I simply need to do a standard system
upgrade. I did an "apt-get update; apt-get upgrade" but did not get the
openssl-blacklist package. I had to do a separate "apt-get install
openssl-blacklist" to get this package on Ubuntu 6.06 LTS. Which sources do
I need to have listed in my /etc/apt/sources.list to be able to do a
standard "apt-get upgrade" to get this package. I want to make sure that I
have the required minimum sources listed to get such security packages.

Thanks in advance
Ganesh

On Wed, May 21, 2008 at 11:31 AM, Jamie Strandboge <jamie@...onical.com>
wrote:

> ===========================================================
> Ubuntu Security Notice USN-612-8               May 21, 2008
> openssl-blacklist update
> http://www.ubuntu.com/usn/usn-612-1
> http://www.ubuntu.com/usn/usn-612-3
> ===========================================================
>
> A security issue affects the following Ubuntu releases:
>
> Ubuntu 6.06 LTS
> Ubuntu 7.04
> Ubuntu 7.10
> Ubuntu 8.04 LTS
>
> This advisory also applies to the corresponding versions of
> Kubuntu, Edubuntu, and Xubuntu.
>
> The problem can be corrected by upgrading your system to the
> following package versions:
>
> Ubuntu 6.06 LTS:
>  openssl-blacklist               0.1-0ubuntu0.6.06.1
>
> Ubuntu 7.04:
>  openssl-blacklist               0.1-0ubuntu0.7.04.4
>
> Ubuntu 7.10:
>  openssl-blacklist               0.1-0ubuntu0.7.10.4
>
> Ubuntu 8.04 LTS:
>  openssl-blacklist               0.1-0ubuntu0.8.04.4
>
> In general, a standard system upgrade is sufficient to effect the
> necessary changes.
>
> Details follow:
>
> USN-612-3 addressed a weakness in OpenSSL certificate and key
> generation in OpenVPN by introducing openssl-blacklist to aid in
> detecting vulnerable private keys. This update enhances the
> openssl-vulnkey tool to check X.509 certificates as well, and
> provides the corresponding update for Ubuntu 6.06. While the
> OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is
> now provided for Ubuntu 6.06 for checking certificates and keys
> that may have been imported on these systems.
>
> This update also includes the complete RSA-1024 and RSA-2048
> blacklists for all Ubuntu architectures, as well as support for
> other future blacklists for non-standard bit lengths.
>
> You can check for weak SSL/TLS certificates by installing
> openssl-blacklist via your package manager, and using the
> openssl-vulnkey command.
>
> $ openssl-vulnkey /path/to/certificate_or_key
>
> This command can be used on public certificates and private keys
> for any X.509 certificate or RSA key, including ones for web
> servers, mail servers, OpenVPN, and others. If in doubt, destroy
> the certificate and key and generate new ones. Please consult the
> documentation for your software when recreating SSL/TLS
> certificates. Also, if certificates have been generated for use
> on other systems, they must be found and replaced as well.
>
> Original advisory details:
>
>  A weakness has been discovered in the random number generator used
>  by OpenSSL on Debian and Ubuntu systems.  As a result of this
>  weakness, certain encryption keys are much more common than they
>  should be, such that an attacker could guess the key through a
>  brute-force attack given minimal knowledge of the system.  This
>  particularly affects the use of encryption keys in OpenSSH, OpenVPN
>  and SSL certificates.
>
>
> Updated packages for Ubuntu 6.06 LTS:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.dsc
>      Size/MD5:      548 b437e5037437d46ba896cf28be43fa55
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.tar.gz
>      Size/MD5:  8998682 154e882671f25f5ef5a100ef2709cd4e
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1_all.deb
>      Size/MD5:  4235438 b78f5861f72699f7699e3f60d7e7d235
>
> Updated packages for Ubuntu 7.04:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.dsc
>      Size/MD5:      600 8045fc0b37070b448b00123c395af0fd
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.tar.gz
>      Size/MD5:  8999060 4a23e360873f70d978401837a5a1a462
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4_all.deb
>      Size/MD5:  4236958 7ec420cb408154facae641776ac1aeaf
>
> Updated packages for Ubuntu 7.10:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.dsc
>      Size/MD5:      600 e484758b7e017b511fc34eff1878a2eb
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.tar.gz
>      Size/MD5:  8999062 1f59fe1ae585543431a58f050cb8fe46
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4_all.deb
>      Size/MD5:  4237110 8451e9872b23fc0f73ef16f384d4dddb
>
> Updated packages for Ubuntu 8.04 LTS:
>
>  Source archives:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.dsc
>      Size/MD5:      600 78f29ecb3d69baf5f529f15a06c41cf4
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.tar.gz
>      Size/MD5:  8999068 d67755ccd109508c460a4a3a830d699d
>
>  Architecture independent packages:
>
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4_all.deb
>      Size/MD5:  4236630 36f5d84a1cff08e86a6b1646565245e6
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFINE5hW0JvuRdL8BoRAtJSAJ9axmJSnMH84okf6LJssr4s0VSydwCfcl+j
> PcRD8A4wCh5TOrYVIrHwqzY=
> =GlmK
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
Ganeshram Iyer
Open Source and CAD: http://ossandcad.blogspot.com
ganeshramiyer@...oo.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ