lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051014080335.GA12384@piware.de>
Date: Fri, 14 Oct 2005 10:03:35 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-204-1] SSL library vulnerability

===========================================================
Ubuntu Security Notice USN-204-1	   October 14, 2005
openssl vulnerability
CAN-2005-2969
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libssl0.9.7

The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.3 (for Ubuntu 4.10), 0.9.7e-3ubuntu0.2 (for
Ubuntu 5.04), or 0.9.7g-1ubuntu1.1 (for Ubuntu 5.10). Since the SSL
library is used by a lot of server and desktop applications, you
should restart your computer after a standard system upgrade to ensure
that all programs use the new library.

Details follow:

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL
applications. Applications using the OpenSSL library can use the
SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the
former) to maintain compatibility with third party products, which is
achieved by working around known bugs in them.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option disabled a verification step
in the SSL 2.0 server supposed to prevent active protocol-version
rollback attacks.  With this verification step disabled, an attacker
acting as a "man in the middle" could force a client and a server to
negotiate the SSL 2.0 protocol even if these parties both supported
SSL 3.0 or TLS 1.0.  The SSL 2.0 protocol is known to have severe
cryptographic weaknesses and is supported as a fallback only.


Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3.diff.gz
      Size/MD5:    26336 8c653140c8bb55141682f61b2c7ee0c4
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3.dsc
      Size/MD5:      636 814be379aed42cf28e5e1714eacb5dea
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d.orig.tar.gz
      Size/MD5:  2799796 533b7f758325d74c1e01e67994e3ae59

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_amd64.deb
      Size/MD5:  2676878 d46f388edf90aac95110357c4c7fb41e
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_amd64.deb
      Size/MD5:   697176 dfb423bccdf95e0251566c86747519ba
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_amd64.deb
      Size/MD5:   900108 5c62807221f03ec34aafe8753362d1dc

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_i386.deb
      Size/MD5:  2477644 9a6282952a58a0d963ea12dd80626305
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_i386.deb
      Size/MD5:  2153208 e49463b1a3ae79e586ebf522ed5d5ac1
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_i386.deb
      Size/MD5:   898780 ab5e0af7e6687f1ed7ad943c2a7edc00

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.3_powerpc.deb
      Size/MD5:  2759254 aa0ad1ec7ccdcab984c33f34ae04013d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.3_powerpc.deb
      Size/MD5:   700982 d6bdb5e4c7b427278a5f6dd7115047e4
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.3_powerpc.deb
      Size/MD5:   904618 18578a43604449f15794852b32c55c9a

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2.diff.gz
      Size/MD5:    28853 653177acb3126d83a75863fef01f7618
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2.dsc
      Size/MD5:      645 71ab340d8a9c5e09398fc5cae8b8f3a5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e.orig.tar.gz
      Size/MD5:  3043231 a8777164bca38d84e5eb2b1535223474

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_amd64.udeb
      Size/MD5:   495074 4aee5a5c1ea16cb37e4bd787daa17bb6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_amd64.deb
      Size/MD5:  2693172 30ced54e4bddae466cc8a636729d4bf6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_amd64.deb
      Size/MD5:   769494 bb2132ccc55fe686417fa58fe79366d5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_amd64.deb
      Size/MD5:   903540 c38ed2ab04260cc37c861b4714a292e6

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_i386.udeb
      Size/MD5:   433190 a1d3b3d83038c4867c3bbed914a7799c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_i386.deb
      Size/MD5:  2492448 1c299b25caad322de3bbff442980d4fe
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_i386.deb
      Size/MD5:  2240404 fc002998c376102f4afef943e42921d7
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_i386.deb
      Size/MD5:   900980 d7d18142b2f888fb39c68a535e1797a5

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.2_powerpc.udeb
      Size/MD5:   499312 344fa2d38577e134300a6c66b7501ad5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.2_powerpc.deb
      Size/MD5:  2774020 fa61cfb6691efb466d410868bcf70b33
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.2_powerpc.deb
      Size/MD5:   779142 8591771370630d0947159f20c66a7844
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.2_powerpc.deb
      Size/MD5:   908034 467656d782df126e20d87f28885481f7

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1.diff.gz
      Size/MD5:    29528 17b8067e74c9632969ab30e99ffefc27
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1.dsc
      Size/MD5:      657 5e3a343c96d5a6b6ce28ea9051b503f3
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g.orig.tar.gz
      Size/MD5:  3132217 991615f73338a571b6a1be7d74906934

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_amd64.udeb
      Size/MD5:   498774 e1caefe81d127f3f5c74abe21009d26f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_amd64.deb
      Size/MD5:  2699040 46c0e7a3af787950ae94ecf8097e8c70
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_amd64.deb
      Size/MD5:   773056 efdf763408f1ab9e6ecbe46c2d7daabe
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_amd64.deb
      Size/MD5:   913184 7d9f78245ce33c1729a5a3ff7a5844fb

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_i386.udeb
      Size/MD5:   430626 2acb91427d4c850ebde301f7f0deac86
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_i386.deb
      Size/MD5:  2479668 6296835c4d246c67fc7c8cd38c2ef00c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_i386.deb
      Size/MD5:  2202870 9d1c03f452c3964ab9bd4054879d48f7
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_i386.deb
      Size/MD5:   904328 d6b94a9d5fbeaa792e4bb126930c82e2

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7g-1ubuntu1.1_powerpc.udeb
      Size/MD5:   476188 46bbc413275d9954a42abcc518f65a0c
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7g-1ubuntu1.1_powerpc.deb
      Size/MD5:  2655564 8b3f1df5908c9720333095c3755087cb
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7g-1ubuntu1.1_powerpc.deb
      Size/MD5:   752528 0f788b91569d512d0c9520a178fdb2fa
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7g-1ubuntu1.1_powerpc.deb
      Size/MD5:   909916 5ad57ad02371aa12f52a94cfcb433835

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ