[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051014080335.GA12384@piware.de>
Date: Fri, 14 Oct 2005 10:03:35 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-204-1] SSL library vulnerability
===========================================================
Ubuntu Security Notice USN-204-1 October 14, 2005
openssl vulnerability
CAN-2005-2969
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)
The following packages are affected:
libssl0.9.7
The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.3 (for Ubuntu 4.10), 0.9.7e-3ubuntu0.2 (for
Ubuntu 5.04), or 0.9.7g-1ubuntu1.1 (for Ubuntu 5.10). Since the SSL
library is used by a lot of server and desktop applications, you
should restart your computer after a standard system upgrade to ensure
that all programs use the new library.
Details follow:
Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL
applications. Applications using the OpenSSL library can use the
SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the
former) to maintain compatibility with third party products, which is
achieved by working around known bugs in them.
The SSL_OP_MSIE_SSLV2_RSA_PADDING option disabled a verification step
in the SSL 2.0 server supposed to prevent active protocol-version
rollback attacks. With this verification step disabled, an attacker
acting as a "man in the middle" could force a client and a server to
negotiate the SSL 2.0 protocol even if these parties both supported
SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe
cryptographic weaknesses and is supported as a fallback only.
Updated packages for Ubuntu 4.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3.diff.gz
Size/MD5: 26336 8c653140c8bb55141682f61b2c7ee0c4
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3.dsc
Size/MD5: 636 814be379aed42cf28e5e1714eacb5dea
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d.orig.tar.gz
Size/MD5: 2799796 533b7f758325d74c1e01e67994e3ae59
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_amd64.deb
Size/MD5: 2676878 d46f388edf90aac95110357c4c7fb41e
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_amd64.deb
Size/MD5: 697176 dfb423bccdf95e0251566c86747519ba
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_amd64.deb
Size/MD5: 900108 5c62807221f03ec34aafe8753362d1dc
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_i386.deb
Size/MD5: 2477644 9a6282952a58a0d963ea12dd80626305
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_i386.deb
Size/MD5: 2153208 e49463b1a3ae79e586ebf522ed5d5ac1
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_i386.deb
Size/MD5: 898780 ab5e0af7e6687f1ed7ad943c2a7edc00
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_powerpc.deb
Size/MD5: 2759254 aa0ad1ec7ccdcab984c33f34ae04013d
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_powerpc.deb
Size/MD5: 700982 d6bdb5e4c7b427278a5f6dd7115047e4
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_powerpc.deb
Size/MD5: 904618 18578a43604449f15794852b32c55c9a
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2.diff.gz
Size/MD5: 28853 653177acb3126d83a75863fef01f7618
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2.dsc
Size/MD5: 645 71ab340d8a9c5e09398fc5cae8b8f3a5
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5: 3043231 a8777164bca38d84e5eb2b1535223474
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_amd64.udeb
Size/MD5: 495074 4aee5a5c1ea16cb37e4bd787daa17bb6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_amd64.deb
Size/MD5: 2693172 30ced54e4bddae466cc8a636729d4bf6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_amd64.deb
Size/MD5: 769494 bb2132ccc55fe686417fa58fe79366d5
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_amd64.deb
Size/MD5: 903540 c38ed2ab04260cc37c861b4714a292e6
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_i386.udeb
Size/MD5: 433190 a1d3b3d83038c4867c3bbed914a7799c
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_i386.deb
Size/MD5: 2492448 1c299b25caad322de3bbff442980d4fe
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_i386.deb
Size/MD5: 2240404 fc002998c376102f4afef943e42921d7
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_i386.deb
Size/MD5: 900980 d7d18142b2f888fb39c68a535e1797a5
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_powerpc.udeb
Size/MD5: 499312 344fa2d38577e134300a6c66b7501ad5
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_powerpc.deb
Size/MD5: 2774020 fa61cfb6691efb466d410868bcf70b33
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_powerpc.deb
Size/MD5: 779142 8591771370630d0947159f20c66a7844
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_powerpc.deb
Size/MD5: 908034 467656d782df126e20d87f28885481f7
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1.diff.gz
Size/MD5: 29528 17b8067e74c9632969ab30e99ffefc27
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1.dsc
Size/MD5: 657 5e3a343c96d5a6b6ce28ea9051b503f3
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g.orig.tar.gz
Size/MD5: 3132217 991615f73338a571b6a1be7d74906934
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_amd64.udeb
Size/MD5: 498774 e1caefe81d127f3f5c74abe21009d26f
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_amd64.deb
Size/MD5: 2699040 46c0e7a3af787950ae94ecf8097e8c70
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_amd64.deb
Size/MD5: 773056 efdf763408f1ab9e6ecbe46c2d7daabe
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_amd64.deb
Size/MD5: 913184 7d9f78245ce33c1729a5a3ff7a5844fb
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_i386.udeb
Size/MD5: 430626 2acb91427d4c850ebde301f7f0deac86
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_i386.deb
Size/MD5: 2479668 6296835c4d246c67fc7c8cd38c2ef00c
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_i386.deb
Size/MD5: 2202870 9d1c03f452c3964ab9bd4054879d48f7
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_i386.deb
Size/MD5: 904328 d6b94a9d5fbeaa792e4bb126930c82e2
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_powerpc.udeb
Size/MD5: 476188 46bbc413275d9954a42abcc518f65a0c
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_powerpc.deb
Size/MD5: 2655564 8b3f1df5908c9720333095c3755087cb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_powerpc.deb
Size/MD5: 752528 0f788b91569d512d0c9520a178fdb2fa
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_powerpc.deb
Size/MD5: 909916 5ad57ad02371aa12f52a94cfcb433835
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists