Ubuntu: openssl-blacklist update

    Date: 21 May 2008
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    USN-612-3 addressed a weakness in OpenSSL certificate and key generation in OpenVPN by introducing openssl-blacklist to aid in detecting vulnerable private keys. This update enhances the openssl-vulnkey tool to check X.509 certificates as well, and provides the corresponding update for Ubuntu 6.06. While the OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is now provided for Ubuntu 6.06 for checking certificates and keys that may have been imported on these systems.
    =========================================================== 
    Ubuntu Security Notice USN-612-8               May 21, 2008
    openssl-blacklist update
    http://www.ubuntu.com/usn/usn-612-1
    http://www.ubuntu.com/usn/usn-612-3
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 6.06 LTS
    Ubuntu 7.04
    Ubuntu 7.10
    Ubuntu 8.04 LTS
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 6.06 LTS:
      openssl-blacklist               0.1-0ubuntu0.6.06.1
    
    Ubuntu 7.04:
      openssl-blacklist               0.1-0ubuntu0.7.04.4
    
    Ubuntu 7.10:
      openssl-blacklist               0.1-0ubuntu0.7.10.4
    
    Ubuntu 8.04 LTS:
      openssl-blacklist               0.1-0ubuntu0.8.04.4
    
    In general, a standard system upgrade is sufficient to effect the
    necessary changes.
    
    Details follow:
    
    USN-612-3 addressed a weakness in OpenSSL certificate and key
    generation in OpenVPN by introducing openssl-blacklist to aid in
    detecting vulnerable private keys. This update enhances the
    openssl-vulnkey tool to check X.509 certificates as well, and
    provides the corresponding update for Ubuntu 6.06. While the
    OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is
    now provided for Ubuntu 6.06 for checking certificates and keys
    that may have been imported on these systems.
    
    This update also includes the complete RSA-1024 and RSA-2048
    blacklists for all Ubuntu architectures, as well as support for
    other future blacklists for non-standard bit lengths.
    
    You can check for weak SSL/TLS certificates by installing
    openssl-blacklist via your package manager, and using the
    openssl-vulnkey command.
    
    $ openssl-vulnkey /path/to/certificate_or_key
    
    This command can be used on public certificates and private keys
    for any X.509 certificate or RSA key, including ones for web
    servers, mail servers, OpenVPN, and others. If in doubt, destroy
    the certificate and key and generate new ones. Please consult the
    documentation for your software when recreating SSL/TLS
    certificates. Also, if certificates have been generated for use
    on other systems, they must be found and replaced as well.
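    The check described above, extended to a whole directory tree so that imported or forgotten certificates are not missed, as an added example that is not part of the USN or of the openssl-blacklist package. It assumes openssl-vulnkey is on the PATH once the package is installed and that a non-zero exit status means the file is blacklisted or could not be checked; the PEM header patterns it greps for and the directories in the usage line are the example's own choices.

```shell
#!/bin/sh
# Added example (not part of USN-612-8 or openssl-blacklist): walk one or more
# directories, pick out PEM files that hold an X.509 certificate or an RSA
# private key, run each through openssl-vulnkey and summarise the results.
#
# Assumptions (not stated by the advisory): openssl-vulnkey is on $PATH after
# installing openssl-blacklist, and it exits non-zero for a blacklisted or
# unreadable file, so its output is printed for anything that needs a look.

# Print the path of every regular file under the given roots that contains a
# PEM certificate or RSA private key header. DER or PKCS#12 material is not
# matched by this grep and would need converting to PEM first.
find_pem_files() {
    find "$@" -type f -size -1024k 2>/dev/null | while IFS= read -r f; do
        if grep -q -e '-----BEGIN CERTIFICATE-----' \
                   -e '-----BEGIN RSA PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Run openssl-vulnkey over every PEM file found under the given roots, print a
# one-line verdict per file and a final count. Returns non-zero if any file
# needs attention, so the function can drive a cron job or a config check.
scan_tree() {
    if ! command -v openssl-vulnkey >/dev/null 2>&1; then
        echo "openssl-vulnkey not found: install the openssl-blacklist package first" >&2
        return 2
    fi
    find_pem_files "$@" | {
        total=0
        flagged=0
        while IFS= read -r f; do
            total=$((total + 1))
            # Assumed: a zero exit status means the key is not on the blacklist.
            if out=$(openssl-vulnkey "$f" 2>&1); then
                printf 'ok     %s\n' "$f"
            else
                flagged=$((flagged + 1))
                printf 'CHECK  %s: %s\n' "$f" "$out"
            fi
        done
        printf '%d file(s) checked, %d need attention\n' "$total" "$flagged"
        [ "$flagged" -eq 0 ]
    }
}

# Usage (directories are illustrative): sh check-certs.sh /etc/ssl /etc/openvpn /etc/apache2
if [ $# -gt 0 ]; then
    scan_tree "$@"
fi
```

    Any file reported as CHECK should be treated the way the advisory says: destroy the certificate and key, generate new ones with the fixed OpenSSL, and track down every other host the old certificate was copied to.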
    
    Original advisory details:
    
     A weakness has been discovered in the random number generator used
     by OpenSSL on Debian and Ubuntu systems.  As a result of this
     weakness, certain encryption keys are much more common than they
     should be, such that an attacker could guess the key through a
     brute-force attack given minimal knowledge of the system.  This
     particularly affects the use of encryption keys in OpenSSH, OpenVPN
     and SSL certificates.
    
    
    Updated packages for Ubuntu 6.06 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.dsc
          Size/MD5:      548 b437e5037437d46ba896cf28be43fa55
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.tar.gz
          Size/MD5:  8998682 154e882671f25f5ef5a100ef2709cd4e
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1_all.deb
          Size/MD5:  4235438 b78f5861f72699f7699e3f60d7e7d235
    
    Updated packages for Ubuntu 7.04:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.dsc
          Size/MD5:      600 8045fc0b37070b448b00123c395af0fd
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.tar.gz
          Size/MD5:  8999060 4a23e360873f70d978401837a5a1a462
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4_all.deb
          Size/MD5:  4236958 7ec420cb408154facae641776ac1aeaf
    
    Updated packages for Ubuntu 7.10:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.dsc
          Size/MD5:      600 e484758b7e017b511fc34eff1878a2eb
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.tar.gz
          Size/MD5:  8999062 1f59fe1ae585543431a58f050cb8fe46
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4_all.deb
          Size/MD5:  4237110 8451e9872b23fc0f73ef16f384d4dddb
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.dsc
          Size/MD5:      600 78f29ecb3d69baf5f529f15a06c41cf4
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.tar.gz
          Size/MD5:  8999068 d67755ccd109508c460a4a3a830d699d
    
      Architecture independent packages:
    
        http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4_all.deb
          Size/MD5:  4236630 36f5d84a1cff08e86a6b1646565245e6
    