ubuntu-security-announce@lists.ubuntu.com
Today's Topics:
1. [USN-522-1] OpenSSL vulnerabilities (Kees Cook)
----------------------------------------------------------------------
Message: 1
Date: Fri, 28 Sep 2007 18:32:42 -0700
From: Kees Cook <kees@ubuntu.com>
Subject: [USN-522-1] OpenSSL vulnerabilities
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20070929013242.GH23742@outflux.net>
Content-Type: text/plain; charset="us-ascii"
===========================================================
Ubuntu Security Notice USN-522-1 September 29, 2007
openssl vulnerabilities
CVE-2007-3108, CVE-2007-5135
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libssl0.9.8 0.9.8a-7ubuntu0.4
Ubuntu 6.10:
libssl0.9.8 0.9.8b-2ubuntu2.1
Ubuntu 7.04:
libssl0.9.8 0.9.8c-4ubuntu0.1
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
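Added example, not part of USN-522-1 or Ubuntu's tooling: a POSIX shell check that reads the release from /etc/lsb-release, looks up the fixed libssl0.9.8 version in the table above, and compares it with what dpkg reports. The version table is copied from this notice; the file path, the USN_CHECK_RUN variable and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of USN-522-1: is the installed libssl0.9.8 at or
# above the version this notice says fixes CVE-2007-3108 and CVE-2007-5135?
# Assumes a Debian-style system with dpkg and dpkg-query; the release table
# is copied from the advisory, everything else (names, USN_CHECK_RUN) is mine.

# Fixed libssl0.9.8 version per Ubuntu release, as listed in the notice.
fixed_version() {
    case "$1" in
        6.06) echo "0.9.8a-7ubuntu0.4" ;;
        6.10) echo "0.9.8b-2ubuntu2.1" ;;
        7.04) echo "0.9.8c-4ubuntu0.1" ;;
        *)    return 1 ;;           # release not covered by this notice
    esac
}

# DISTRIB_RELEASE value from lsb-release style text on stdin (e.g. "6.06").
release_from_lsb() {
    sed -n 's/^DISTRIB_RELEASE=//p' | head -n 1
}

# Version of package $1 from "package<TAB>version" lines on stdin, which is
# what 'dpkg-query -W' prints; prints nothing if the package is not listed.
installed_version() {
    awk -v pkg="$1" '$1 == pkg { print $2 }'
}

# 0 when installed version $1 is at least fixed version $2. dpkg's own
# comparison is used so that a hypothetical "0.9.8a-7ubuntu0.10" is correctly
# seen as newer than "0.9.8a-7ubuntu0.4" (a plain string compare gets it wrong).
is_patched() {
    dpkg --compare-versions "$1" ge "$2"
}

main() {
    rel=$(release_from_lsb < /etc/lsb-release) && [ -n "$rel" ] ||
        { echo "cannot determine Ubuntu release" >&2; return 2; }
    want=$(fixed_version "$rel") ||
        { echo "Ubuntu $rel is not covered by USN-522-1" >&2; return 2; }
    have=$(dpkg-query -W libssl0.9.8 2>/dev/null | installed_version libssl0.9.8)
    if [ -z "$have" ]; then
        echo "libssl0.9.8 is not installed"
        return 0
    fi
    if is_patched "$have" "$want"; then
        echo "libssl0.9.8 $have: fixed (>= $want)"
    else
        echo "libssl0.9.8 $have: VULNERABLE, upgrade to $want and reboot"
        return 1
    fi
}

# Run the check only when asked to, so the functions can be sourced or tested.
if [ "${USN_CHECK_RUN:-0}" = 1 ]; then
    main
fi
```

Run it with `USN_CHECK_RUN=1 sh check.sh`. A non-zero exit means the library on disk is older than the fixed version; even after the package is upgraded, long-running processes keep the old libssl mapped until they are restarted, which is why the notice asks for a reboot.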
Details follow:
It was discovered that OpenSSL did not correctly perform Montgomery
multiplications. Local attackers might be able to reconstruct RSA
private keys by examining another user's OpenSSL processes. (CVE-2007-3108)
Moritz Jodeit discovered that OpenSSL's SSL_get_shared_ciphers function
did not correctly check the size of the buffer it was writing to.
A remote attacker could exploit this to write one NULL byte past the end of
an application's cipher list buffer, possibly leading to arbitrary code
execution or a denial of service. (CVE-2007-5135)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4.diff.gz
Size/MD5: 40104 abaa56ceffcfafd0d628fc68b1c83675
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4.dsc
Size/MD5: 814 e348ddbc2703e3dda91c500531cf4f45
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a.orig.tar.gz
Size/MD5: 3271435 1d16c727c10185e4d694f87f5e424ee1
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
  Size/MD5: 571738 9e614030df1cc56597aa4e7a7df23d18 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.4_amd64.deb
  Size/MD5: 2167362 c46ae159491e08e6df452617f069fb1a
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.4_amd64.deb
  Size/MD5: 1682190 3f8e4f0e18004602d6d05200d1ceaa59
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.4_amd64.deb
  Size/MD5: 875108 fde0f7829a2684230b42b9aa37474a87
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4_amd64.deb
  Size/MD5: 984620 3c835a22e594cd97d7286944c94144bb
i386 architecture (x86 compatible Intel/AMD):
  Size/MD5: 509504 7461427863f8fb2515f4e666a445eb09 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.4_i386.deb
  Size/MD5: 2023780 d20f64ea8137c4c9aed26e911078bd15
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.4_i386.deb
  Size/MD5: 5051744 e377b372e70216b7c913229c840fe01e
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.4_i386.deb
  Size/MD5: 2595078 4d10155df912f64bb004d154b942bea1
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4_i386.deb
  Size/MD5: 976114 4cf728c1f64e50634489c6c9838eae69
powerpc architecture (Apple Macintosh G3/G4/G5):
  Size/MD5: 557892 32b64e8623c7f77c4d8c2a26fa58ff90 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.4_powerpc.deb
  Size/MD5: 2181178 4e1f7491e3801576114ceac6235199d9
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.4_powerpc.deb
  Size/MD5: 1726640 0da13816bfddf51e4b306c3aa78c466e
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.4_powerpc.deb
  Size/MD5: 861466 d2650c1bfa597edefd32fa380bee42ec
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4_powerpc.deb
  Size/MD5: 980256 3e1b6dec9136ba3c9456dc4301a105c5
sparc architecture (Sun SPARC/UltraSPARC):
  Size/MD5: 530816 8a79b8c47ab103c6fe308c35fc73e1a6 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.4_sparc.deb
  Size/MD5: 2092694 fd51d17a31a87f289860621e3ceef1c0
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8a-7ubuntu0.4_sparc.deb
  Size/MD5: 3941790 24f88f1ec00a33da9af06476cd24c845
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8a-7ubuntu0.4_sparc.deb
  Size/MD5: 2091088 3a3780f90853dfe75d0dfe361ca387a2
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8a-7ubuntu0.4_sparc.deb
  Size/MD5: 988320 08ed566f5fb60ff6211fd15d188bc9d7
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1.diff.gz
Size/MD5: 47085 11e24acb96e5a9ab984a7f0f52eaccee
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1.dsc
Size/MD5: 815 0edc3573b1bf7cb3fcee66dfb5531030
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b.orig.tar.gz
Size/MD5: 3279283 12cedbeb6813a0d7919dbf1f82134b86
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
  Size/MD5: 580868 ea4ca3f339aa81ac94cb6430a66e4732 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b-2ubuntu2.1_amd64.deb
  Size/MD5: 2180120 73efee92606753a9d44ef2f14e513650
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8b-2ubuntu2.1_amd64.deb
  Size/MD5: 1637050 5d20af66d19892f44b9c16932fda98cb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8b-2ubuntu2.1_amd64.deb
  Size/MD5: 889090 1c1e0ac246ea81ab44dea11c1f7b84c3
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1_amd64.deb
  Size/MD5: 999446 e14ae572b7c245ac7218309b62998606
i386 architecture (x86 compatible Intel/AMD):
  Size/MD5: 544572 0041f7ee93c548d4504e12d1090b46b4 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b-2ubuntu2.1_i386.deb
  Size/MD5: 2063198 14e10f14147b3dc12c8811fc53592fc6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8b-2ubuntu2.1_i386.deb
  Size/MD5: 5488610 ff380444cf5a3518a98dcb264bb68c17
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8b-2ubuntu2.1_i386.deb
  Size/MD5: 2699364 0f23e3bbf255b1c333bc27c6133ad6dc
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1_i386.deb
  Size/MD5: 993544 6a229b5256bc4719116e31d8c9c6e067
powerpc architecture (Apple Macintosh G3/G4/G5):
  Size/MD5: 586188 7d04f1a35812e10be8b5cf5e3ca64e42 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b-2ubuntu2.1_powerpc.deb
  Size/MD5: 2211960 adc548aee23416dc2c04b0ae0653fd58
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8b-2ubuntu2.1_powerpc.deb
  Size/MD5: 1704024 969005d56c1ce43c1e25b2155992cb06
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8b-2ubuntu2.1_powerpc.deb
  Size/MD5: 893346 144f7e53fd45ae765229ca09d90b0324
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1_powerpc.deb
  Size/MD5: 994320 7be85bbd6f1578b43883a932d27ff0d4
sparc architecture (Sun SPARC/UltraSPARC):
  Size/MD5: 539786 a44f4d54cce712b2572a8c2d1a8892b0 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8b-2ubuntu2.1_sparc.deb
  Size/MD5: 2106146 18369000e29065950ab20c49f2549a68
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8b-2ubuntu2.1_sparc.deb
  Size/MD5: 4024194 6f18fdd6cf1baa4fc5df70dd911a5e5c
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8b-2ubuntu2.1_sparc.deb
  Size/MD5: 2127048 7dfd58d7598348c49329ab9ca7779f1e
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8b-2ubuntu2.1_sparc.deb
  Size/MD5: 1002710 4faf43217bd97ec20d9e6f5231f3b796
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1.diff.gz
Size/MD5: 46065 1fe689e18314f75796223804cea5da8a
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1.dsc
Size/MD5: 899 5f7c71575be2444fba320a4ea5347a94
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c.orig.tar.gz
Size/MD5: 3313857 78454bec556bcb4c45129428a766c886
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
  Size/MD5: 604410 83e090a4f4baad96cd699d641c906ed6 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c-4ubuntu0.1_amd64.deb
  Size/MD5: 2186538 db9dfc2ec8dffea2f5e05bdf3e0c6f51
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4ubuntu0.1_amd64.deb
  Size/MD5: 1644896 ed4ae60bc2e36d90cde8f6984d6025b3
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8c-4ubuntu0.1_amd64.deb
  Size/MD5: 918056 805ff29173ca5647c6444fbf048dcf60
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1_amd64.deb
  Size/MD5: 1006294 9dcf97059a7eb886d4a868c4398e78cb
i386 architecture (x86 compatible Intel/AMD):
  Size/MD5: 569612 cf9450e5dcf3a4f7fdba8c1a8a430323 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c-4ubuntu0.1_i386.deb
  Size/MD5: 2068216 421e07755a1c502e023e8b7ee1f60d19
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4ubuntu0.1_i386.deb
  Size/MD5: 5499042 a1cbbc625498defe107e38775bde8aa0
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8c-4ubuntu0.1_i386.deb
  Size/MD5: 2809096 194214034d640049a38a210feded7271
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1_i386.deb
  Size/MD5: 1001124 68f2244ac28054ceb381db892b0a2aa8
powerpc architecture (Apple Macintosh G3/G4/G5):
  Size/MD5: 617042 f3649896a69d3aa8fe05f2d62179a6fa (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c-4ubuntu0.1_powerpc.deb
  Size/MD5: 2217064 bab2220243ab79b13c3f6178f72ca5b3
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4ubuntu0.1_powerpc.deb
  Size/MD5: 1704864 886ea205f259a781cd464344ca238438
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8c-4ubuntu0.1_powerpc.deb
  Size/MD5: 939056 aca2ce7f7970c967b54d5d09ee1bc0c2
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1_powerpc.deb
  Size/MD5: 1014828 fa78b637a7b5ce72261442d7e9de8522
sparc architecture (Sun SPARC/UltraSPARC):
  Size/MD5: 562986 9e32a5b64da75b53c5651b0ab12413e8 (package URL absent from this copy of the advisory)
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.8c-4ubuntu0.1_sparc.deb
  Size/MD5: 2111498 45b61e49ef4a3c8766acd4986170b60c
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4ubuntu0.1_sparc.deb
  Size/MD5: 4052930 6ad0e11956c1fdb699429abe604d3886
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.8_0.9.8c-4ubuntu0.1_sparc.deb
  Size/MD5: 2205482 75db2b4f995c2f564612566b299a428d
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.8c-4ubuntu0.1_sparc.deb
  Size/MD5: 1016618 ec64c2da5c6b4bbec42d9099cc0ef0e6
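Added example, not from the advisory or from Ubuntu: a POSIX shell routine for anyone fetching these packages by hand rather than through apt, which checks each downloaded file against the Size/MD5 values published above. It parses the layout used for the source archives (a URL line followed by its Size/MD5 line). The function names and the example.invalid URL in the usage comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: check hand-downloaded files against
# the "URL then Size/MD5" pairs a USN publishes. Assumes md5sum (or BSD md5),
# wc and mktemp; function names and the manifest in the usage are mine.

# Turn advisory text on stdin into "filename size md5" lines. A URL line names
# the file; the Size/MD5 line that follows it supplies the expected values.
manifest_entries() {
    awk '
        /^https?:\/\// { n = split($1, p, "/"); name = p[n] }
        /^[[:space:]]*Size\/MD5:/ && name != "" { print name, $2, $3; name = "" }
    '
}

# Hex MD5 of a file, portable across GNU md5sum and BSD md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# 0 when file $1 has exactly $2 bytes and MD5 $3; 2 if it does not exist.
# Checking the size first is cheap and catches truncated downloads.
verify_file() {
    [ -f "$1" ] || return 2
    [ "$(wc -c < "$1" | tr -d ' ')" = "$2" ] || return 1
    [ "$(md5_of "$1")" = "$3" ]
}

# Verify every manifest entry on stdin against files in directory $1.
# Reports each file and returns 1 if any entry fails or is missing.
verify_downloads() {
    dir=$1
    list=$(mktemp)
    manifest_entries > "$list"
    status=0
    while read -r name size md5; do
        if verify_file "$dir/$name" "$size" "$md5"; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s\n' "$name"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# Usage (constructed manifest; the hash is that of a file containing "hello\n"):
#   printf 'http://example.invalid/pool/a.deb\n  Size/MD5: 6 b1946ac92492d2347c6235b4d2611184\n' |
#       verify_downloads /path/to/downloads
```

Paste the relevant block of this notice into the routine's stdin and point it at the download directory. MD5 matching only establishes that the file you fetched is the one the notice describes and was not corrupted in transit; it is not a defence against a tampered mirror, which is what apt's signature verification of the repository metadata covers.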
Digital signature (application/pgp-signature, 189 bytes), scrubbed from the digest and archived at:
https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20070928/e04cc577/attachment-0001.pgp
------------------------------
End of ubuntu-security-announce Digest, Vol 36, Issue 12