Message-ID: <alpine.LNX.2.02.1507091216420.7403@connie.slackware.com>
Date: Thu, 9 Jul 2015 12:17:02 -0700 (PDT)
From: Slackware Security Team <security@...ckware.com>
To: slackware-security@...ckware.com
Subject: [slackware-security]  openssl (SSA:2015-190-01)


[slackware-security]  openssl (SSA:2015-190-01)

New openssl packages are available for Slackware 14.0, 14.1, and -current to
fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.1p-i486-1_slack14.1.txz:  Upgraded.
  This update fixes the following security issue:
  Alternative chains certificate forgery (CVE-2015-1793).
  During certificate verification, OpenSSL (starting from version 1.0.1n and
  1.0.2b) will attempt to find an alternative certificate chain if the first
  attempt to build such a chain fails.  An error in the implementation of this
  logic can mean that an attacker could cause certain checks on untrusted
  certificates to be bypassed, such as the CA flag, enabling them to use a
  valid leaf certificate to act as a CA and "issue" an invalid certificate.
  This issue will impact any application that verifies certificates, including
  SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
  This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
  This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David
  Benjamin (Google/BoringSSL).  The fix was developed by the BoringSSL project.
  For more information, see:
    https://openssl.org/news/secadv_20150709.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
  (* Security fix *)
patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.1.txz:  Upgraded.
+--------------------------+
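As an added example (not part of the advisory or of Slackware's tooling), a small Python check that pulls the OpenSSL version out of `openssl version` output or a Slackware package name and reports whether the build is one of the four releases the advisory lists as affected, or an older build on the 1.0.1 branch than the 1.0.1p package this advisory ships. The sample host lines below are constructed.

```python
import re

# The four releases the advisory lists as affected by CVE-2015-1793.
AFFECTED = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}
# The fixed build this advisory ships for the 1.0.1 branch.
FIXED_1_0_1 = "1.0.1p"

# Matches '1.0.1p' inside 'OpenSSL 1.0.1p 9 Jul 2015' or
# 'openssl-1.0.1p-i486-1_slack14.1' (first three-component version wins).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text):
    """Return ((major, minor, patch), letter) or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = tuple(int(g) for g in m.group(1, 2, 3))
    return nums, m.group(4)

def version_key(text):
    """Comparable key: numeric triple first, then the letter suffix ('' sorts before 'a')."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version in %r" % text)
    return parsed

def is_affected(text):
    """True if the version in text is one of the releases the advisory lists."""
    nums, letter = version_key(text)
    return "%d.%d.%d%s" % (nums + (letter,)) in AFFECTED

def needs_upgrade(text, fixed=FIXED_1_0_1):
    """True if text names a build on the same branch as `fixed` but older than it."""
    nums, letter = version_key(text)
    fixed_nums, fixed_letter = version_key(fixed)
    return nums == fixed_nums and letter < fixed_letter

def audit(lines):
    """Map each input line to True when the named OpenSSL build should be upgraded."""
    return {line: is_affected(line) or needs_upgrade(line) for line in lines}

# Constructed sample: 'openssl version' output and /var/log/packages entry names.
SAMPLE = [
    "OpenSSL 1.0.1n 11 Jun 2015",
    "openssl-1.0.1p-i486-1_slack14.1",
    "openssl-solibs-1.0.1o-x86_64-1_slack14.0",
    "OpenSSL 1.0.2c 12 Jun 2015",
]

if __name__ == "__main__":
    for line, flagged in audit(SAMPLE).items():
        print("%-45s %s" % (line, "UPGRADE" if flagged else "ok"))
```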


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1p-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.0.txz

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1p-x86_64-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1p-x86_64-1_slack14.0.txz

Updated packages for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1p-i486-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1p-i486-1_slack14.1.txz

Updated packages for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1p-x86_64-1_slack14.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1p-x86_64-1_slack14.1.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1p-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1p-i586-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1p-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1p-x86_64-1.txz


MD5 signatures:
+-------------+



Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.0.1p-i486-1_slack14.1.txz openssl-solibs-1.0.1p-i486-1_slack14.1.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@...ckware.com
