fwd: [security] [dsa 1571-1] new openssl packages fix predictable random number generator
  • posted: 15.05.2008, 15:00
Sender: steffen joeris
This vulnerability also affects Debian-Edu/Skolelinux in a major way.
Please read it carefully and follow the instructions below.

----------  Forwarded Message  ----------

Subject: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Date: Tue, 13 May 2008
From: Florian Weimer <fw@deneb.enyo.de>
To: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1571-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
May 13, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openssl
Vulnerability  : predictable random number generator
Problem type   : remote
Debian-specific: yes
CVE Id(s)      : CVE-2008-0166

Luciano Bello discovered that the random number generator in Debian's
openssl package is predictable.  This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166).  As a
result, cryptographic key material may be guessable.

This is a Debian-specific vulnerability which does not affect other
operating systems which are not based on Debian.  However, other systems
can be indirectly affected if weak keys are imported into them.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch.  Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions.  The old stable distribution
(sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections.  Keys generated with GnuPG or GNUTLS are not affected,
though.

A detector for known weak key material will be published at:

  <http://security.debian.org/project/extra/dowkd/dowkd.pl.gz>
  <http://security.debian.org/project/extra/dowkd/dowkd.pl.gz.asc>
    (OpenPGP signature)

Instructions how to implement key rollover for various packages will be
published at:

  <http://www.debian.org/security/key-rollover/>

This web site will be continuously updated to reflect new and updated
instructions on key rollovers for packages using SSL certificates.
Popular packages not affected will also be listed.

In addition to this critical change, two other vulnerabilities have been
fixed in the openssl package which were originally scheduled for release
with the next etch point release: OpenSSL's DTLS (Datagram TLS,
basically "SSL over UDP") implementation did not actually implement the
DTLS specification, but a potentially much weaker protocol, and
contained a vulnerability permitting arbitrary code execution
(CVE-2007-4995).  A side channel attack in the integer multiplication
routines is also addressed (CVE-2007-3108).

For the stable distribution (etch), these problems have been fixed in
version 0.9.8c-4etch3.

For the unstable distribution (sid) and the testing distribution
(lenny), these problems have been fixed in version 0.9.8g-9.

We recommend that you upgrade your openssl package and subsequently
regenerate any cryptographic material, as outlined above.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.dsc
    Size/MD5 checksum:     1099 5e60a893c9c3258669845b0a56d9d9d6

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c.orig.tar.gz
    Size/MD5 checksum:  3313857 78454bec556bcb4c45129428a766c886

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3.diff.gz
    Size/MD5 checksum:    55320 f0e457d6459255da86f388dcf695ee20

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_alpha.deb
    Size/MD5 checksum:  1025954 d82f535b49f8c56aa2135f2fa52e7059

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_alpha.deb
    Size/MD5 checksum:  4558230 399adb0f2c7faa51065d4977a7f3b3c4

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_alpha.deb
    Size/MD5 checksum:  2620892 0e5efdec0a912c5ae56bb7c5d5d896c6

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_alpha.deb
    Size/MD5 checksum:  2561650 affe364ebcabc2aa33ae8b8c3f797b5e

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_alpha.udeb
    Size/MD5 checksum:   677172 5228d266c1fc742181239019dbad4c42

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_amd64.deb
    Size/MD5 checksum:  1654902 d8ad8dc51449cf6db938d2675789ab25

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_amd64.deb
    Size/MD5 checksum:   891102 2e97e35c44308a59857d2e640ddf141a

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_amd64.deb
    Size/MD5 checksum:   992248 82193ea11b0bc08c74a775039b855a05

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_amd64.deb
    Size/MD5 checksum:  2178610 fb7c53e5f157c43753db31885ff68420

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_amd64.udeb
    Size/MD5 checksum:   580250 7fb3d7fee129cc9a4fb21f5c471dfbab

arm architecture (ARM)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_arm.deb
    Size/MD5 checksum:  1537440 c5ab48e9bde49ba32648fb581b90ba18

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_arm.udeb
    Size/MD5 checksum:   516576 84385b137c731de3b86824c17affa9f3

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_arm.deb
    Size/MD5 checksum:  2049882 7ed60840eb3e6b26c6856dcaf5776b0c

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_arm.deb
    Size/MD5 checksum:  1011698 abfa887593089ac0f1cd4e31154897ee

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_arm.deb
    Size/MD5 checksum:   805912 a605625ea107252e9aebbc77902a63ed

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_hppa.deb
    Size/MD5 checksum:  1585900 2cbe55764db351dc6c3c2d622aa90caf

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_hppa.deb
    Size/MD5 checksum:  2248328 664fb0992b786ce067a7d878056fc191

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_hppa.deb
    Size/MD5 checksum:  1030782 21f445c541d5e5b7c16de1db9ee9d681

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_hppa.deb
    Size/MD5 checksum:   945144 c1092f3bb94d920d0beaa372c9cab04e

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_hppa.udeb
    Size/MD5 checksum:   631132 76339119275786b5e80a7a1b4cd26b71

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_i386.deb
    Size/MD5 checksum:  2086512 eeef437fb87ad6687cd953d5951aa472

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_i386.deb
    Size/MD5 checksum:  5584696 6d364557c9d392bb90706e049860be66

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_i386.deb
    Size/MD5 checksum:  1000832 ed5668305f1e4b4e4a22fbd24514c758

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_i386.udeb
    Size/MD5 checksum:   554676 dbad0172c990359282884bac1d141034

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_i386.deb
    Size/MD5 checksum:  2717086 361fde071d18ccf93338134357ab1a61

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_ia64.udeb
    Size/MD5 checksum:   801748 05b29fc674311bd31fe945036a08abd5

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_ia64.deb
    Size/MD5 checksum:  1192192 56be85aceb4e79e45f39c4546bfecf4f

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_ia64.deb
    Size/MD5 checksum:  2593418 f9edaea0a86c1a1cea391f890d7ee70f

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_ia64.deb
    Size/MD5 checksum:  1569418 4b2cb04d13efabdddddbd0f6d3cefd9b

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_ia64.deb
    Size/MD5 checksum:  1071156 e1f487c4310ad526c071f7483de4cd1a

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mips.deb
    Size/MD5 checksum:  1003816 f895a8bc714e9c373ee80f736b5af00b

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mips.deb
    Size/MD5 checksum:  2262266 004484e816d4fe5ff03fe6d7df38d7b7

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mips.deb
    Size/MD5 checksum:  1692606 e8273f5d123f892a81a155f14ba19b50

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mips.deb
    Size/MD5 checksum:   875558 44074bce1cde4281c5abcf45817f429d

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mips.udeb
    Size/MD5 checksum:   580130 b6b810d1c39164747e3ebc9df4903974

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_mipsel.udeb
    Size/MD5 checksum:   566168 97963ca9b6ada94445fb25b3126655e9

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_mipsel.deb
    Size/MD5 checksum:   992712 41c2bbe984553d693f21c3ec349ea465

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_mipsel.deb
    Size/MD5 checksum:  2255558 3c63936cd511975291b4230bef1a2e3b

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_mipsel.deb
    Size/MD5 checksum:   860506 d580fbeed6efd734245ea7a7bed225bb

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_mipsel.deb
    Size/MD5 checksum:  1649300 3315d1406f995f5b6d2a4f958976a794

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_powerpc.deb
    Size/MD5 checksum:  1002022 b2749639425c3a8ac493e072cfffb358

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_powerpc.deb
    Size/MD5 checksum:   895460 e15fbbbbcfe17e82bacc07f6febd9707

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_powerpc.udeb
    Size/MD5 checksum:   585320 61488ea7f54b55a21f7147fe5bc3b0f0

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_powerpc.deb
    Size/MD5 checksum:  1728384 539ee1a3fe7d9b89034ebfe3c1091b6f

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_powerpc.deb
    Size/MD5 checksum:  2210792 82e9e27c6083a95c76c5817f9604178f

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_s390.udeb
    Size/MD5 checksum:   643008 4861c78ea63b6c3c08c22a0c5326d981

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_s390.deb
    Size/MD5 checksum:  1632976 01d289d460622382b59d07950305764f

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_s390.deb
    Size/MD5 checksum:   951404 d92bb390489bed0abff58f7a1ceade6b

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_s390.deb
    Size/MD5 checksum:  1014308 487c24f2af25797a857814af7c9c0d0b

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_s390.deb
    Size/MD5 checksum:  2193782 f1fe472c802e929a57bd8c8560bd3009

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch3_sparc.deb
    Size/MD5 checksum:  4091340 970453ebfab8152c9c44ae210fbaa2a4

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch3_sparc.udeb
    Size/MD5 checksum:   539054 7be1258f74165c4b037e202d2048f8ce

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_sparc.deb
    Size/MD5 checksum:  1010536 6444d6cc6fd838c82716462aacd1cf84

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8c-4etch3_sparc.deb
    Size/MD5 checksum:  2108000 ab0d0ccc72764a26b7767cace520b269

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8c-4etch3_sparc.deb
    Size/MD5 checksum:  2126386 61ddc204ee650cdd0f2b56e358134e2b


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSCmDjL97/wQC1SS+AQLZGgf8Dp7Rj1HmC4n0QowM9cRnzw24upFQ1bpq
SbkU/NhkoLORcMnXsnVPL30bmtpXltjpWuKIuRGzudXBonXaZtX1N4rl9HDpN+gt
AZJdxweSSmwQNyvOyPRKDVJ1w/YYiaJnSIDNks6NqSNYSEAb5L3bHBeHDTgLsWMW
jYcF5GJSt8yG3GvA0FyFIPwJihr2YF/RmhpurGQf3XO6S94cDsdLtr/KOcdmdWze
39E+2h3L34HGIwVUgK9uY8Gv0DCPqhQZ4157CteFpQwQoKzFSxYApruCm4QcFxV+
BxuB/M9M5tPWrX1slffG+q3YHK0mDnB9d2JqSwQ5TD9kxTiwEEY8sQ==
=lX6B
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


-------------------------------------------------------

--
To UNSUBSCRIBE, email to debian-edu-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
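The advisory's upgrade instructions give the manual path (wget the .deb, then dpkg -i) and publish a Size/MD5 line for every file. As an added example that is not part of the advisory or of Debian's own tooling, the POSIX shell script below performs that same procedure but refuses to install any file whose size or MD5 does not match the published values. It assumes md5sum and wget are available; the function names verify_deb and fetch_verify_install and the message wording are this example's own. Note that the advisory publishes only MD5 sums, so the check catches corrupted or substituted downloads only as far as MD5 can; it is the PGP signature on the advisory text that authenticates the checksums themselves.

```shell
#!/bin/sh
# Added example, not from DSA-1571-1: verify a downloaded package against
# the "Size/MD5 checksum: <size> <md5>" line from the advisory before dpkg -i.
#
# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
#   returns 0 only if both the byte count and the MD5 sum match.
verify_deb() {
    file=$1
    want_size=$2
    want_md5=$3

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    # Byte count via stdin redirection so no filename is echoed; tr strips
    # the leading padding some wc implementations print.
    have_size=$(wc -c < "$file" | tr -d ' ')
    # md5sum prints "<hash>  <file>"; keep only the hash field.
    have_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, advisory lists $want_size" >&2
        return 1
    fi
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $have_md5, advisory lists $want_md5" >&2
        return 1
    fi
    echo "ok: $file matches the advisory's size and MD5"
    return 0
}

# fetch_verify_install URL EXPECTED_SIZE EXPECTED_MD5
#   The advisory's own sequence (wget, then dpkg -i), with the verification
#   step inserted between the two so a bad download is never installed.
fetch_verify_install() {
    url=$1
    size=$2
    md5=$3
    file=$(basename "$url")

    wget -q "$url" || { echo "download failed: $url" >&2; return 1; }
    verify_deb "$file" "$size" "$md5" || return 1
    dpkg -i "$file"
}

# Usage with the values copied from the advisory's i386 section
# (commented out so the script can be sourced without side effects):
# fetch_verify_install \
#   http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8c-4etch3_i386.deb \
#   1000832 ed5668305f1e4b4e4a22fbd24514c758
```

The same verify_deb check applies to the .dsc, .orig.tar.gz and .diff.gz source archives, which the advisory lists with their own Size/MD5 lines.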
