lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080613002044.GB6910@severus.strandboge.com>
Date: Thu, 12 Jun 2008 20:20:44 -0400
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-612-10] OpenVPN regression

=========================================================== 
Ubuntu Security Notice USN-612-10              June 12, 2008
openvpn regression
https://launchpad.net/bugs/230197
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  openvpn                         2.0.9-5ubuntu0.3

Ubuntu 7.10:
  openvpn                         2.0.9-8ubuntu0.3

Ubuntu 8.04 LTS:
  openvpn                         2.1~rc7-1ubuntu3.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and key
generation in OpenVPN by adding checks for vulnerable certificates
and keys to OpenVPN. A regression was introduced in OpenVPN when
using TLS with password protected certificates which caused OpenVPN
to not start when used with applications such as NetworkManager.

Original advisory details:
 A weakness has been discovered in the random number generator used
 by OpenSSL on Debian and Ubuntu systems. As a result of this
 weakness, certain encryption keys are much more common than they
 should be, such that an attacker could guess the key through a
 brute-force attack given minimal knowledge of the system. This
 particularly affects the use of encryption keys in OpenSSH, OpenVPN
 and SSL certificates.


Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3.diff.gz
      Size/MD5:    61721 95f9cbc60c026db52ebf698e36832e29
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3.dsc
      Size/MD5:      641 253b8e4ccbb5e11ba1dba9d37a1265b9
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz
      Size/MD5:   669076 60745008b90b7dbe25fe8337c550fec6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3_amd64.deb
      Size/MD5:   357046 075f4a00b8aff7049b4f23baced068da

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3_i386.deb
      Size/MD5:   337798 4fee6672cb6db4d0be228b644d129d29

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3_powerpc.deb
      Size/MD5:   358528 2658d5751bdc4ee25e5bd3d432c4b2bd

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.3_sparc.deb
      Size/MD5:   336722 755f9f120f5014794f8f0cec49d9203b

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3.diff.gz
      Size/MD5:    65179 ae182aa5b68b9f9d4bddd47859cf0ced
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3.dsc
      Size/MD5:      642 9a58ebc70f0aff036c8e7acc56e83be7
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz
      Size/MD5:   669076 60745008b90b7dbe25fe8337c550fec6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3_amd64.deb
      Size/MD5:   362566 303b259e514cf777b08e7676be5d7ab0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3_i386.deb
      Size/MD5:   342222 73ed9392ce7b00c92e8505dcf3d80f79

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3_lpia.deb
      Size/MD5:   343666 581fdfb7e7d9131926fa55570c96edf0

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3_powerpc.deb
      Size/MD5:   363846 b5068afe9083e4fcc963bf4bae298615

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.3_sparc.deb
      Size/MD5:   342108 712cf75f7edb5cc59db0ff5ac969f9bf

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3.diff.gz
      Size/MD5:    36156 527fa8ebcad65f1cbd130703e134361f
    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3.dsc
      Size/MD5:      646 90f272f803fa6e34cd54422b9eac0064
    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7.orig.tar.gz
      Size/MD5:   786288 dac8b5104b5eb105ba82b2525d371d58

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3_amd64.deb
      Size/MD5:   391374 8783a3d6b5be5469fc0a22e7575cfcbb

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3_i386.deb
      Size/MD5:   372674 8e9bd7bb9dc9bc0a8538bb5164a627fa

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3_lpia.deb
      Size/MD5:   371686 1b0ee05b907c04d0ce8606c5fecb9f23

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3_powerpc.deb
      Size/MD5:   392054 10c3c48b5060c6071c644a5c29b3dd0e

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.3_sparc.deb
      Size/MD5:   369536 ab9b17960fdc3df59c3cfe61f667bca7



Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ