lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <m1EZCJc-000ofRC__14625.6780172282$1131400246$gmane$org@finlandia.Infodrom.North.DE>
Date: Mon, 7 Nov 2005 20:06:00 +0100 (CET)
From: joey@...odrom.org (Martin Schulze)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 888-1                     security@...ian.org
http://www.debian.org/security/                             Martin Schulze
November 7th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-2969

Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.

The following matrix explains which version in which distribution has
this problem corrected.

                oldstable (woody)      stable (sarge)     unstable (sid)
openssl          0.9.6c-2.woody.8       0.9.7e-3sarge1      0.9.8-3
openssl 094      0.9.4-6.woody.4             n/a              n/a
openssl 095      0.9.5a-6.woody.6            n/a              n/a
openssl 096           n/a               0.9.6m-1sarge1        n/a
openssl 097           n/a                    n/a            0.9.7g-5

We recommend that you upgrade your libssl packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.dsc
      Size/MD5 checksum:      632 0f3990f71f6773a516a413c393fc6604
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.diff.gz
      Size/MD5 checksum:    45527 30aa51e1f88c95e086f7918a47fe8f5c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.8_all.deb
      Size/MD5 checksum:      982 71fd036f7135cd3e68c4cf33ed7e2976

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:  1551638 2f5d722aa4b7c7bd6c9908a3998b6420
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:   571552 5e94a096f7569a2e18f82a697908d230
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_alpha.deb
      Size/MD5 checksum:   736780 2f964e236883e2c8ed7ad2d28ed2bc6b

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:  1358314 c2f4acf9994dd42ae0373c34163b6a96
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:   474348 bc3950a119bd05ab4602fc1aae42f6c0
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_arm.deb
      Size/MD5 checksum:   730164 c5cc5638fb9ca1583cc23602b61a6dc7

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:  1289480 0d32fea022a7896b321d673a9138c90f
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:   461972 970aa086b6758741b4cbbf32e94572a1
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_i386.deb
      Size/MD5 checksum:   717322 88a3bcb5d1b4330fb25c95b5c7f95bd3

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:  1615580 e66ad48cf480c87a965cad2dadde3074
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:   711412 a7ff065df8383c36ee0e265d889df450
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_ia64.deb
      Size/MD5 checksum:   763808 a62f8d33db6e9bc3e770dfd3f23fe70f

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_hppa.deb
      Size/MD5 checksum:  1435394 5d5be2d74a8035fdee039237f93ad267
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_hppa.deb
      Size/MD5 checksum:   565228 aa3bfa3d333195f59b637d434cc0e4d7
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_hppa.deb
      Size/MD5 checksum:   742192 51644d86e15c7bac4d005e57881c6627

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_m68k.deb
      Size/MD5 checksum:  1266800 9973441879b98558d95904e0f2798f7c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_m68k.deb
      Size/MD5 checksum:   450948 7f7199530678b922e3b9499a9e3c9107
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_m68k.deb
      Size/MD5 checksum:   720758 87053610447971c8923160df9ae48304

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mips.deb
      Size/MD5 checksum:  1415426 5a9625c92cdf9f54f532806278cf7b71
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mips.deb
      Size/MD5 checksum:   483940 4c322f1697e1cd5c701b8870417d5604
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mips.deb
      Size/MD5 checksum:   717966 8ce534b83ec7fc69878fbb032562db7f

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mipsel.deb
      Size/MD5 checksum:  1409820 335f3bfc4afadc7099dd81ca655f43ab
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mipsel.deb
      Size/MD5 checksum:   476994 4e51fa71c3feb9871eae6d3620d97a88
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mipsel.deb
      Size/MD5 checksum:   717282 74f673dc3d93ab31316c266647e236f8

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_powerpc.deb
      Size/MD5 checksum:  1387860 8c150c04059434d276d9be72e60a33d5
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_powerpc.deb
      Size/MD5 checksum:   502762 bc0b6913643d3a49410b2e8b991a2612
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_powerpc.deb
      Size/MD5 checksum:   727200 942fccc855f790681ff55792595a0e9e

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_s390.deb
      Size/MD5 checksum:  1326764 f0e3604fd60501387dd64d147ed2b399
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_s390.deb
      Size/MD5 checksum:   510774 4720d8b0c5b4a4989941af6af448f1c8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_s390.deb
      Size/MD5 checksum:   731906 e087d1292d906a027bd18f8ba64bcaa7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_sparc.deb
      Size/MD5 checksum:  1344478 462215d04cdc46df9d3c30ca9809ad0c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_sparc.deb
      Size/MD5 checksum:   485082 d5bf47809f860074a30d1925ec260471
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_sparc.deb
      Size/MD5 checksum:   737538 bd16a927946e42e9388c10c6caab2471


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.dsc
      Size/MD5 checksum:      639 1d4fe852d85c23ee4befe3b69ad11f42
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.diff.gz
      Size/MD5 checksum:    27134 40b781ed5e9b5da015d3d17621378c75
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
      Size/MD5 checksum:  3043231 a8777164bca38d84e5eb2b1535223474

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_alpha.deb
      Size/MD5 checksum:  3339042 08256d8f24f46888c8d851e7a7717d03
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_alpha.deb
      Size/MD5 checksum:  2445184 1c9cfeaa0af4cfe1e412342afb315028
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_alpha.deb
      Size/MD5 checksum:   929866 89c795ae3258886e24dc3c05b0317c0d

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_amd64.deb
      Size/MD5 checksum:  2693256 1c9d25d3ca61d64cc55cefbd53543984
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_amd64.deb
      Size/MD5 checksum:   769270 444bbc7046101472d4a0d918e258c15c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_amd64.deb
      Size/MD5 checksum:   903332 901d18551ad23f7c95489589aecc9394

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_arm.deb
      Size/MD5 checksum:  2554838 9da71c016a4c19c4766022b75b6c9b1c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_arm.deb
      Size/MD5 checksum:   689386 9d607bbe307f6b050865cdccee0e8b2b
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_arm.deb
      Size/MD5 checksum:   893800 fb067120630f9638363b8ee7fd133110

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_i386.deb
      Size/MD5 checksum:  2551894 c9a047ff0bb105d5dbf150370746044a
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_i386.deb
      Size/MD5 checksum:  2262314 ecd5cfaa6085cdd73f15ffff1e2780a9
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_i386.deb
      Size/MD5 checksum:   902214 eb49dbdd0b9bc19342000833eafc422a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_ia64.deb
      Size/MD5 checksum:  3394806 d165b3284eab212f0a90c3d7aa9d274c
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_ia64.deb
      Size/MD5 checksum:  1037634 6901a41b294cc7446a5d8b36037fb09c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_ia64.deb
      Size/MD5 checksum:   974704 3bd5964f5a7543e3ed589584362ab5b5

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_hppa.deb
      Size/MD5 checksum:  2695182 889bafc3edbc895e4abeb548e16a2218
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_hppa.deb
      Size/MD5 checksum:   790356 cda81a66041c3948d0b04a811fd5e78f
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_hppa.deb
      Size/MD5 checksum:   914154 e06f637b72ad3ef60f9bd1dcafd28b1f

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_m68k.deb
      Size/MD5 checksum:  2316264 22c140d007c3ae174925621468a39cb1
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_m68k.deb
      Size/MD5 checksum:   661018 7f67414f0791fc985541378bb55dc7bb
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_m68k.deb
      Size/MD5 checksum:   889428 22cb29e59ffcbae25cea4db0d27115ad

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mips.deb
      Size/MD5 checksum:  2778266 f467fff7ed6cbefbc672dd7751473596
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mips.deb
      Size/MD5 checksum:   705794 9a63ff8605fd3f2759e78a9a8081d478
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mips.deb
      Size/MD5 checksum:   896400 f1e1f16d6b5857a4bce14ca8bd5bc736

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mipsel.deb
      Size/MD5 checksum:  2765942 34c72af7ae700c9583a11c3044f942d4
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mipsel.deb
      Size/MD5 checksum:   693754 0052d22ab3dafb44b5fbd7978d83a814
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mipsel.deb
      Size/MD5 checksum:   895542 0901349aab6ab6231b530475b4669ea6

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_powerpc.deb
      Size/MD5 checksum:  2775598 1f2e461d360e3cc8e33d5cd866f9e1d0
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_powerpc.deb
      Size/MD5 checksum:   778892 ddd9238eafb70e31b4fb991909a5bdb8
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_powerpc.deb
      Size/MD5 checksum:   908056 5f601e19f91dcdc08541277a42592d5a

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_s390.deb
      Size/MD5 checksum:  2716890 7aa32958f3d1631ac8774ce26ed718f0
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_s390.deb
      Size/MD5 checksum:   813422 bc2cffe3bcac2ac971d3cbaf7f3e02ea
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_s390.deb
      Size/MD5 checksum:   918200 a2d0be567be281c9e6af34fd49c89ec8

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_sparc.deb
      Size/MD5 checksum:  2629110 35c2e695c12fd379bfa100347f0641b2
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_sparc.deb
      Size/MD5 checksum:  1883990 b432d0bfa5408215a68fc3260e5c3f4a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_sparc.deb
      Size/MD5 checksum:   924138 203d2f9a8068fb193a72d610df41f045


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDb6WYW5ql+IAeqTIRAndKAKCY/Z75nPw5qoUyYOxpZJ+ZIDILGgCdG7Ax
lDSy3Jp+mIrO7gTkO6Tu9os=
=GJdK
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ