lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080520140027.GZ12850@outflux.net>
Date: Tue, 20 May 2008 07:00:27 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-612-7] OpenSSH update

=========================================================== 
Ubuntu Security Notice USN-612-7               May 20, 2008
openssh update
CVE-2008-0166
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  openssh-server                  1:4.2p1-7ubuntu3.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-612-2 introduced protections for OpenSSH, related to the OpenSSL
vulnerabilities addressed by USN-612-1.  This update provides the
corresponding updates for OpenSSH in Ubuntu 6.06 LTS.  While the OpenSSL
in Ubuntu 6.06 is not vulnerable, this update will block weak keys
generated on systems that may have been affected themselves.

Original advisory details:

 A weakness has been discovered in the random number generator used
 by OpenSSL on Debian and Ubuntu systems.  As a result of this
 weakness, certain encryption keys are much more common than they
 should be, such that an attacker could guess the key through a
 brute-force attack given minimal knowledge of the system.  This
 particularly affects the use of encryption keys in OpenSSH, OpenVPN
 and SSL certificates.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.4.diff.gz
      Size/MD5:   182650 398d72f7b781e8e95fc087bf00fdd8d8
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1-7ubuntu3.4.dsc
      Size/MD5:     1003 9409a4fb78b08993a72b80b75c42fe35
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_4.2p1.orig.tar.gz
      Size/MD5:   928420 93295701e6bcd76fabd6a271654ed15c

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_4.2p1-7ubuntu3.4_all.deb
      Size/MD5:     1054 707ff475af54c989978b00383e5e5eb4

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.4_amd64.udeb
      Size/MD5:   166396 64f92a79d3a23aaab66122a6f6296d05
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.4_amd64.deb
      Size/MD5:   655630 2356bca8d4236579fa5b747319a2afb6
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.4_amd64.deb
      Size/MD5:   237270 050a4bc996eceb1cd82171bae109da29
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.4_amd64.deb
      Size/MD5:    87316 f2289dde21d2c4a521c69e2a8b6d83bf
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.4_amd64.udeb
      Size/MD5:   183704 fae5bee4c7713fc89f26f1b829682e6a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.4_i386.udeb
      Size/MD5:   141116 b35ffe9f7bb2b46a315c6afa39adb735
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.4_i386.deb
      Size/MD5:   576684 8b7f2699886085c58544c1ae57de2533
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.4_i386.deb
      Size/MD5:   207448 cfcf49b6dbf6c5b5bf6b2e207ec31767
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.4_i386.deb
      Size/MD5:    86956 5ec0cb596226b1b13b48387f3874791c
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.4_i386.udeb
      Size/MD5:   153746 d22536de2913597b80b518d19920e616

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.4_powerpc.udeb
      Size/MD5:   160082 b46a74f2d932afdd504b66ab8338a4a2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.4_powerpc.deb
      Size/MD5:   641064 f5a2eef8f2e15981c75da97d3b7483a5
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.4_powerpc.deb
      Size/MD5:   228264 53ee26d4852f85388c4871212b4c60ca
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.4_powerpc.deb
      Size/MD5:    88590 6f2ab1c679612b45f29f635aeef27ef3
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.4_powerpc.udeb
      Size/MD5:   168906 d1c6dee5d716a7ab367d4737d17396f8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_4.2p1-7ubuntu3.4_sparc.udeb
      Size/MD5:   150316 8d74f69f08666fde4bcad1efec13fb00
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_4.2p1-7ubuntu3.4_sparc.deb
      Size/MD5:   584014 faa90e6f4211e484480a008ea7bbe082
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_4.2p1-7ubuntu3.4_sparc.deb
      Size/MD5:   210494 59eb147b73bcfc2bcc2dfe14216ad566
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_4.2p1-7ubuntu3.4_sparc.deb
      Size/MD5:    86968 1ad9475a33d64780765489cafd84731a
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_4.2p1-7ubuntu3.4_sparc.udeb
      Size/MD5:   163226 8d3e4af7465d8d4f1b39b510f6638754


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ