lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri Oct 14 09:03:53 2005
From: martin.pitt at (Martin Pitt)
Subject: [USN-204-1] SSL library vulnerability

Ubuntu Security Notice USN-204-1	   October 14, 2005
openssl vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:


The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.3 (for Ubuntu 4.10), 0.9.7e-3ubuntu0.2 (for
Ubuntu 5.04), or 0.9.7g-1ubuntu1.1 (for Ubuntu 5.10). Since the SSL
library is used by a lot of server and desktop applications, you
should restart your computer after a standard system upgrade to ensure
that all programs use the new library.

Details follow:

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL
applications. Applications using the OpenSSL library can use the
SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the
former) to maintain compatibility with third party products, which is
achieved by working around known bugs in them.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option disabled a verification step
in the SSL 2.0 server supposed to prevent active protocol-version
rollback attacks.  With this verification step disabled, an attacker
acting as a "man in the middle" could force a client and a server to
negotiate the SSL 2.0 protocol even if these parties both supported
SSL 3.0 or TLS 1.0.  The SSL 2.0 protocol is known to have severe
cryptographic weaknesses and is supported as a fallback only.

Updated packages for Ubuntu 4.10:

  Source archives:
      Size/MD5:    26336 8c653140c8bb55141682f61b2c7ee0c4
      Size/MD5:      636 814be379aed42cf28e5e1714eacb5dea
      Size/MD5:  2799796 533b7f758325d74c1e01e67994e3ae59

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:  2676878 d46f388edf90aac95110357c4c7fb41e
      Size/MD5:   697176 dfb423bccdf95e0251566c86747519ba
      Size/MD5:   900108 5c62807221f03ec34aafe8753362d1dc

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:  2477644 9a6282952a58a0d963ea12dd80626305
      Size/MD5:  2153208 e49463b1a3ae79e586ebf522ed5d5ac1
      Size/MD5:   898780 ab5e0af7e6687f1ed7ad943c2a7edc00

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:  2759254 aa0ad1ec7ccdcab984c33f34ae04013d
      Size/MD5:   700982 d6bdb5e4c7b427278a5f6dd7115047e4
      Size/MD5:   904618 18578a43604449f15794852b32c55c9a

Updated packages for Ubuntu 5.04:

  Source archives:
      Size/MD5:    28853 653177acb3126d83a75863fef01f7618
      Size/MD5:      645 71ab340d8a9c5e09398fc5cae8b8f3a5
      Size/MD5:  3043231 a8777164bca38d84e5eb2b1535223474

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:   495074 4aee5a5c1ea16cb37e4bd787daa17bb6
      Size/MD5:  2693172 30ced54e4bddae466cc8a636729d4bf6
      Size/MD5:   769494 bb2132ccc55fe686417fa58fe79366d5
      Size/MD5:   903540 c38ed2ab04260cc37c861b4714a292e6

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:   433190 a1d3b3d83038c4867c3bbed914a7799c
      Size/MD5:  2492448 1c299b25caad322de3bbff442980d4fe
      Size/MD5:  2240404 fc002998c376102f4afef943e42921d7
      Size/MD5:   900980 d7d18142b2f888fb39c68a535e1797a5

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:   499312 344fa2d38577e134300a6c66b7501ad5
      Size/MD5:  2774020 fa61cfb6691efb466d410868bcf70b33
      Size/MD5:   779142 8591771370630d0947159f20c66a7844
      Size/MD5:   908034 467656d782df126e20d87f28885481f7

Updated packages for Ubuntu 5.10:

  Source archives:
      Size/MD5:    29528 17b8067e74c9632969ab30e99ffefc27
      Size/MD5:      657 5e3a343c96d5a6b6ce28ea9051b503f3
      Size/MD5:  3132217 991615f73338a571b6a1be7d74906934

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)
      Size/MD5:   498774 e1caefe81d127f3f5c74abe21009d26f
      Size/MD5:  2699040 46c0e7a3af787950ae94ecf8097e8c70
      Size/MD5:   773056 efdf763408f1ab9e6ecbe46c2d7daabe
      Size/MD5:   913184 7d9f78245ce33c1729a5a3ff7a5844fb

  i386 architecture (x86 compatible Intel/AMD)
      Size/MD5:   430626 2acb91427d4c850ebde301f7f0deac86
      Size/MD5:  2479668 6296835c4d246c67fc7c8cd38c2ef00c
      Size/MD5:  2202870 9d1c03f452c3964ab9bd4054879d48f7
      Size/MD5:   904328 d6b94a9d5fbeaa792e4bb126930c82e2

  powerpc architecture (Apple Macintosh G3/G4/G5)
      Size/MD5:   476188 46bbc413275d9954a42abcc518f65a0c
      Size/MD5:  2655564 8b3f1df5908c9720333095c3755087cb
      Size/MD5:   752528 0f788b91569d512d0c9520a178fdb2fa
      Size/MD5:   909916 5ad57ad02371aa12f52a94cfcb433835
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :

Powered by blists - more mailing lists