Ubuntu: openssl-blacklist update USN-612-11

    Date 21 May 2008
    Posted By LinuxSecurity Advisories
    =========================================================== 
    Ubuntu Security Notice USN-612-8               May 21, 2008
    openssl-blacklist update
    https://www.ubuntu.com/usn/usn-612-1
    https://www.ubuntu.com/usn/usn-612-3
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 7.04
    Ubuntu 7.10
    Ubuntu 8.04 LTS
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      openssl-blacklist               0.1-0ubuntu0.6.06.1
    
    Ubuntu 7.04:
      openssl-blacklist               0.1-0ubuntu0.7.04.4
    
    Ubuntu 7.10:
      openssl-blacklist               0.1-0ubuntu0.7.10.4
    
    Ubuntu 8.04 LTS:
      openssl-blacklist               0.1-0ubuntu0.8.04.4
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    USN-612-3 addressed a weakness in OpenSSL certificate and key
    generation in OpenVPN by introducing openssl-blacklist to aid in
    detecting vulnerable private keys. This update enhances the
    openssl-vulnkey tool to check X.509 certificates as well, and
    provides the corresponding update for Ubuntu 6.06. While the
    OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is
    now provided for Ubuntu 6.06 for checking certificates and keys
    that may have been imported on these systems.
    
    This update also includes the complete RSA-1024 and RSA-2048
    blacklists for all Ubuntu architectures, as well as support for
    other future blacklists for non-standard bit lengths.
    
    You can check for weak SSL/TLS certificates by installing
    openssl-blacklist via your package manager, and using the
    openssl-vulnkey command.
    
    $ openssl-vulnkey /path/to/certificate_or_key
    
    This command can be used on public certificates and private keys
    for any X.509 certificate or RSA key, including ones for web
    servers, mail servers, OpenVPN, and others. If in doubt, destroy
    the certificate and key and generate new ones. Please consult the
    documentation for your software when recreating SSL/TLS
    certificates. Also, if certificates have been generated for use
    on other systems, they must be found and replaced as well.
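
The advisory asks that every certificate and key be checked, including copies on other systems. The script below is an added example, not part of the advisory or of the openssl-blacklist package, that walks the given directories and runs openssl-vulnkey on each PEM certificate or key it finds. It assumes the tool prints a line containing "COMPROMISED" or "Not blacklisted" for each file; the VULNKEY variable is a hypothetical override for the command name.

```shell
#!/bin/sh
# Added example (not from the advisory): sweep directories for PEM
# certificates and RSA keys and run openssl-vulnkey on each one.
# Assumptions: the tool prints "COMPROMISED: ..." or "Not blacklisted: ..."
# per file; VULNKEY is a hypothetical override for the command name.
VULNKEY="${VULNKEY:-openssl-vulnkey}"

# True if FILE contains a PEM certificate or private-key header.
is_pem_candidate() {
    grep -Eq -e '-----BEGIN (CERTIFICATE|RSA PRIVATE KEY|PRIVATE KEY)-----' \
        "$1" 2>/dev/null
}

# sweep DIR...: print "STATUS<TAB>FILE" for every candidate file.
# Returns 1 if anything is COMPROMISED or could not be checked.
sweep() {
    flagged=0
    list=$(mktemp) || return 2
    find "$@" -type f 2>/dev/null > "$list"
    while IFS= read -r f; do
        is_pem_candidate "$f" || continue
        # stdin from /dev/null: an encrypted key must not block on a
        # passphrase prompt or swallow the file list; it ends up UNKNOWN.
        # The exit status is ignored; classification is by output only.
        out=$("$VULNKEY" "$f" </dev/null 2>&1) || :
        case "$out" in
            *COMPROMISED*)       status=COMPROMISED; flagged=1 ;;
            *"Not blacklisted"*) status=ok ;;
            *)                   status=UNKNOWN; flagged=1 ;;
        esac
        printf '%s\t%s\n' "$status" "$f"
    done < "$list"
    rm -f "$list"
    return "$flagged"
}

# Run only when directories are given, e.g.: sh sweep.sh /etc/ssl /etc/openvpn
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```

Files reported as UNKNOWN (for example passphrase-protected keys) still need a manual openssl-vulnkey run.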
    
    Original advisory details:
    
     A weakness has been discovered in the random number generator used
     by OpenSSL on Debian and Ubuntu systems.  As a result of this
     weakness, certain encryption keys are much more common than they
     should be, such that an attacker could guess the key through a
     brute-force attack given minimal knowledge of the system.  This
     particularly affects the use of encryption keys in OpenSSH, OpenVPN
     and SSL certificates.
    
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.dsc
          Size/MD5:      548 b437e5037437d46ba896cf28be43fa55
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.tar.gz
          Size/MD5:  8998682 154e882671f25f5ef5a100ef2709cd4e
    
      Architecture independent packages:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1_all.deb
          Size/MD5:  4235438 b78f5861f72699f7699e3f60d7e7d235
    
    Updated packages for Ubuntu 7.04:
    
      Source archives:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.dsc
          Size/MD5:      600 8045fc0b37070b448b00123c395af0fd
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.tar.gz
          Size/MD5:  8999060 4a23e360873f70d978401837a5a1a462
    
      Architecture independent packages:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4_all.deb
          Size/MD5:  4236958 7ec420cb408154facae641776ac1aeaf
    
    Updated packages for Ubuntu 7.10:
    
      Source archives:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.dsc
          Size/MD5:      600 e484758b7e017b511fc34eff1878a2eb
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.tar.gz
          Size/MD5:  8999062 1f59fe1ae585543431a58f050cb8fe46
    
      Architecture independent packages:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4_all.deb
          Size/MD5:  4237110 8451e9872b23fc0f73ef16f384d4dddb
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.dsc
          Size/MD5:      600 78f29ecb3d69baf5f529f15a06c41cf4
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.tar.gz
          Size/MD5:  8999068 d67755ccd109508c460a4a3a830d699d
    
      Architecture independent packages:
    
        https://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4_all.deb
          Size/MD5:  4236630 36f5d84a1cff08e86a6b1646565245e6
    
    
    
    
