[<prev] [next>] [day] [month] [year] [list]
Message-ID: <alpine.LNX.2.02.1507091216420.7403@connie.slackware.com>
Date: Thu, 9 Jul 2015 12:17:02 -0700 (PDT)
From: Slackware Security Team <security@...ckware.com>
To: slackware-security@...ckware.com
Subject: [slackware-security] openssl (SSA:2015-190-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] openssl (SSA:2015-190-01)
New openssl packages are available for Slackware 14.0, 14.1, and -current to
fix a security issue.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1p-i486-1_slack14.1.txz: Upgraded.
This update fixes the following security issue:
Alternative chains certificate forgery (CVE-2015-1793).
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a
valid leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.
For more information, see:
https://openssl.org/news/secadv_20150709.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
(* Security fix *)
patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.1.txz: Upgraded.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1p-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.0.txz
Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1p-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1p-x86_64-1_slack14.0.txz
Updated packages for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1p-i486-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.1.txz
Updated packages for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1p-x86_64-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1p-x86_64-1_slack14.1.txz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1p-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1p-i586-1.txz
Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1p-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1p-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.0 packages:
a77913257d9e4d9f0b143e7c2bf829d3 openssl-1.0.1p-i486-1_slack14.0.txz
9d778b2df5c01be05c5133d3c420a216 openssl-solibs-1.0.1p-i486-1_slack14.0.txz
Slackware x86_64 14.0 packages:
1423b29d8621434363fcd92480544d19 openssl-1.0.1p-x86_64-1_slack14.0.txz
e510fd37b65ab9b585f505c3b8925755 openssl-solibs-1.0.1p-x86_64-1_slack14.0.txz
Slackware 14.1 packages:
483c52a8f52243486db12c6a85e59ad3 openssl-1.0.1p-i486-1_slack14.1.txz
a2704397b9eabd509336dedfe1b51ff3 openssl-solibs-1.0.1p-i486-1_slack14.1.txz
Slackware x86_64 14.1 packages:
2a4b0b930a7513a24a719f9996c3cd5d openssl-1.0.1p-x86_64-1_slack14.1.txz
3414a0e114c93ac4352938f182df5180 openssl-solibs-1.0.1p-x86_64-1_slack14.1.txz
Slackware -current packages:
a867679d8f4a29a7b206930840d8c92f a/openssl-solibs-1.0.1p-i586-1.txz
1e28db3e77d547ef338c7116cf8d415f n/openssl-1.0.1p-i586-1.txz
Slackware x86_64 -current packages:
f53454dd43f9d3206db58b9cd8b4e53e a/openssl-solibs-1.0.1p-x86_64-1.txz
4433713b6723a0715dc60d1254ee2ca3 n/openssl-1.0.1p-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg openssl-1.0.1p-i486-1_slack14.1.txz openssl-solibs-1.0.1p-i486-1_slack14.1.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@...ckware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@...ckware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlWev7AACgkQakRjwEAQIjPrkACeIsFq4s2VpOM2+MdDvYYd8ZCG
E6kAn16/wtAGCwnLPlsLBP5rjOwteURt
=a8sE
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists