lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <m1EZCJc-000ofRC@finlandia.Infodrom.North.DE> Date: Mon Nov 7 19:07:27 2005 From: joey at infodrom.org (Martin Schulze) Subject: [SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 888-1 security@...ian.org http://www.debian.org/security/ Martin Schulze November 7th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : openssl Vulnerability : cryptographic weakness Problem type : remote Debian-specific: no CVE ID : CVE-2005-2969 Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer (OpenSSL) library that can allow an attacker to perform active protocol-version rollback attacks that could lead to the use of the weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS 1.0. The following matrix explains which version in which distribution has this problem corrected. oldstable (woody) stable (sarge) unstable (sid) openssl 0.9.6c-2.woody.8 0.9.7e-3sarge1 0.9.8-3 openssl 094 0.9.4-6.woody.4 n/a n/a openssl 095 0.9.5a-6.woody.6 n/a n/a openssl 096 n/a 0.9.6m-1sarge1 n/a openssl 097 n/a n/a 0.9.7g-5 We recommend that you upgrade your libssl packages. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.dsc Size/MD5 checksum: 632 0f3990f71f6773a516a413c393fc6604 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.diff.gz Size/MD5 checksum: 45527 30aa51e1f88c95e086f7918a47fe8f5c http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc Architecture independent components: http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.8_all.deb Size/MD5 checksum: 982 71fd036f7135cd3e68c4cf33ed7e2976 Alpha architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_alpha.deb Size/MD5 checksum: 1551638 2f5d722aa4b7c7bd6c9908a3998b6420 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_alpha.deb Size/MD5 checksum: 571552 5e94a096f7569a2e18f82a697908d230 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_alpha.deb Size/MD5 checksum: 736780 2f964e236883e2c8ed7ad2d28ed2bc6b ARM architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_arm.deb Size/MD5 checksum: 1358314 c2f4acf9994dd42ae0373c34163b6a96 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_arm.deb Size/MD5 checksum: 474348 bc3950a119bd05ab4602fc1aae42f6c0 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_arm.deb Size/MD5 checksum: 730164 c5cc5638fb9ca1583cc23602b61a6dc7 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_i386.deb Size/MD5 checksum: 1289480 0d32fea022a7896b321d673a9138c90f http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_i386.deb Size/MD5 checksum: 461972 970aa086b6758741b4cbbf32e94572a1 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_i386.deb Size/MD5 checksum: 717322 88a3bcb5d1b4330fb25c95b5c7f95bd3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_ia64.deb Size/MD5 checksum: 1615580 e66ad48cf480c87a965cad2dadde3074 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_ia64.deb Size/MD5 checksum: 711412 a7ff065df8383c36ee0e265d889df450 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_ia64.deb Size/MD5 checksum: 763808 a62f8d33db6e9bc3e770dfd3f23fe70f HP Precision architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_hppa.deb Size/MD5 checksum: 1435394 5d5be2d74a8035fdee039237f93ad267 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_hppa.deb Size/MD5 checksum: 565228 aa3bfa3d333195f59b637d434cc0e4d7 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_hppa.deb Size/MD5 checksum: 742192 51644d86e15c7bac4d005e57881c6627 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_m68k.deb Size/MD5 checksum: 1266800 9973441879b98558d95904e0f2798f7c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_m68k.deb Size/MD5 checksum: 450948 7f7199530678b922e3b9499a9e3c9107 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_m68k.deb Size/MD5 checksum: 720758 87053610447971c8923160df9ae48304 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mips.deb Size/MD5 checksum: 1415426 5a9625c92cdf9f54f532806278cf7b71 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mips.deb Size/MD5 checksum: 483940 4c322f1697e1cd5c701b8870417d5604 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mips.deb Size/MD5 checksum: 717966 8ce534b83ec7fc69878fbb032562db7f Little endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mipsel.deb Size/MD5 checksum: 1409820 335f3bfc4afadc7099dd81ca655f43ab http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mipsel.deb Size/MD5 checksum: 476994 4e51fa71c3feb9871eae6d3620d97a88 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mipsel.deb Size/MD5 checksum: 717282 74f673dc3d93ab31316c266647e236f8 PowerPC architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_powerpc.deb Size/MD5 checksum: 1387860 8c150c04059434d276d9be72e60a33d5 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_powerpc.deb Size/MD5 checksum: 502762 bc0b6913643d3a49410b2e8b991a2612 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_powerpc.deb Size/MD5 checksum: 727200 942fccc855f790681ff55792595a0e9e IBM S/390 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_s390.deb Size/MD5 checksum: 1326764 f0e3604fd60501387dd64d147ed2b399 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_s390.deb Size/MD5 checksum: 510774 4720d8b0c5b4a4989941af6af448f1c8 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_s390.deb Size/MD5 checksum: 731906 e087d1292d906a027bd18f8ba64bcaa7 Sun Sparc architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_sparc.deb Size/MD5 checksum: 1344478 462215d04cdc46df9d3c30ca9809ad0c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_sparc.deb Size/MD5 checksum: 485082 d5bf47809f860074a30d1925ec260471 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_sparc.deb Size/MD5 checksum: 737538 bd16a927946e42e9388c10c6caab2471 Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.dsc Size/MD5 checksum: 639 1d4fe852d85c23ee4befe3b69ad11f42 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.diff.gz Size/MD5 checksum: 27134 40b781ed5e9b5da015d3d17621378c75 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474 Alpha architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_alpha.deb Size/MD5 checksum: 3339042 08256d8f24f46888c8d851e7a7717d03 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_alpha.deb Size/MD5 checksum: 2445184 1c9cfeaa0af4cfe1e412342afb315028 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_alpha.deb Size/MD5 checksum: 929866 89c795ae3258886e24dc3c05b0317c0d AMD64 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_amd64.deb Size/MD5 checksum: 2693256 1c9d25d3ca61d64cc55cefbd53543984 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_amd64.deb Size/MD5 checksum: 769270 444bbc7046101472d4a0d918e258c15c http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_amd64.deb Size/MD5 checksum: 903332 901d18551ad23f7c95489589aecc9394 ARM architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_arm.deb Size/MD5 checksum: 2554838 9da71c016a4c19c4766022b75b6c9b1c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_arm.deb Size/MD5 checksum: 689386 9d607bbe307f6b050865cdccee0e8b2b http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_arm.deb Size/MD5 checksum: 893800 fb067120630f9638363b8ee7fd133110 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_i386.deb Size/MD5 checksum: 2551894 c9a047ff0bb105d5dbf150370746044a http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_i386.deb Size/MD5 checksum: 2262314 ecd5cfaa6085cdd73f15ffff1e2780a9 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_i386.deb Size/MD5 checksum: 902214 eb49dbdd0b9bc19342000833eafc422a Intel IA-64 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_ia64.deb Size/MD5 checksum: 3394806 d165b3284eab212f0a90c3d7aa9d274c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_ia64.deb Size/MD5 checksum: 1037634 6901a41b294cc7446a5d8b36037fb09c http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_ia64.deb Size/MD5 checksum: 974704 3bd5964f5a7543e3ed589584362ab5b5 HP Precision architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_hppa.deb Size/MD5 checksum: 2695182 889bafc3edbc895e4abeb548e16a2218 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_hppa.deb Size/MD5 checksum: 790356 cda81a66041c3948d0b04a811fd5e78f http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_hppa.deb Size/MD5 checksum: 914154 e06f637b72ad3ef60f9bd1dcafd28b1f Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_m68k.deb Size/MD5 checksum: 2316264 22c140d007c3ae174925621468a39cb1 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_m68k.deb Size/MD5 checksum: 661018 7f67414f0791fc985541378bb55dc7bb http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_m68k.deb Size/MD5 checksum: 889428 22cb29e59ffcbae25cea4db0d27115ad Big endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mips.deb Size/MD5 checksum: 2778266 f467fff7ed6cbefbc672dd7751473596 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mips.deb Size/MD5 checksum: 705794 9a63ff8605fd3f2759e78a9a8081d478 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mips.deb Size/MD5 checksum: 896400 f1e1f16d6b5857a4bce14ca8bd5bc736 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mipsel.deb Size/MD5 checksum: 2765942 34c72af7ae700c9583a11c3044f942d4 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mipsel.deb Size/MD5 checksum: 693754 0052d22ab3dafb44b5fbd7978d83a814 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mipsel.deb Size/MD5 checksum: 895542 0901349aab6ab6231b530475b4669ea6 PowerPC architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_powerpc.deb Size/MD5 checksum: 2775598 1f2e461d360e3cc8e33d5cd866f9e1d0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_powerpc.deb Size/MD5 checksum: 778892 ddd9238eafb70e31b4fb991909a5bdb8 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_powerpc.deb Size/MD5 checksum: 908056 5f601e19f91dcdc08541277a42592d5a IBM S/390 architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_s390.deb Size/MD5 checksum: 2716890 7aa32958f3d1631ac8774ce26ed718f0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_s390.deb Size/MD5 checksum: 813422 bc2cffe3bcac2ac971d3cbaf7f3e02ea http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_s390.deb Size/MD5 checksum: 918200 a2d0be567be281c9e6af34fd49c89ec8 Sun Sparc architecture: http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_sparc.deb Size/MD5 checksum: 2629110 35c2e695c12fd379bfa100347f0641b2 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_sparc.deb Size/MD5 checksum: 1883990 b432d0bfa5408215a68fc3260e5c3f4a http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_sparc.deb Size/MD5 checksum: 924138 203d2f9a8068fb193a72d610df41f045 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@...ts.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDb6WYW5ql+IAeqTIRAndKAKCY/Z75nPw5qoUyYOxpZJ+ZIDILGgCdG7Ax lDSy3Jp+mIrO7gTkO6Tu9os= =GJdK -----END PGP SIGNATURE-----