Stay Secure with the Latest Linux Advisories

security advisorymoderatesecurity issue

Slackware 14.2: 2017-306-02 Moderate: OpenSSL Flaw Addresses DH Attacks

New openssl packages are available for Slackware 14.2 and -current to fix a security issue. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] openssl (SSA:2017-306-02) New openssl packages are available for Slackware 14.2 and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/openssl-1.0.2m-i586-1_slack14.2.txz: Upgraded. This update fixes a security issue: There is a carry propagating bug in the x64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. For more information, see: https://openssl-library.org/news/secadv/20171102.txt https://www.cve.org/CVERecord?id=CVE-2017-3736 (* Security fix *) patches/packages/openssl-solibs-1.0.2m-i586-1_slack14.2.txz: Upgraded. +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you. Updated packages for Slackware 14.2: Updated packages forSlackware x86_64 14.2: Updated packages for Slackware -current: Updated packages for Slackware x86_64 -current: MD5 signatures: +-------------+ Slackware 14.2 packages: 53cf0ad803cc25e2a1743c423ecef363 openssl-1.0.2m-i586-1_slack14.2.txz aec151a19c32844355f8a13089f82154 openssl-solibs-1.0.2m-i586-1_slack14.2.txz Slackware x86_64 14.2 packages: 8beeb92a178b9b8e135c6b1018003c22 openssl-1.0.2m-x86_64-1_slack14.2.txz b912777079f28301936a77790d00a7ae openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz Slackware -current packages: 647adb0751e6cd6e988ca81cf595cc0e a/openssl-solibs-1.0.2l-i586-1.txz c76711fb8f8ce77b5cdf6e5904dfd4a1 n/openssl-1.0.2m-i586-1.txz Slackware x86_64 -current packages: 47323660a6504018ee6b4490c268060b a/openssl-solibs-1.0.2l-x86_64-1.txz fa9ed59b81567d356bd59c953fbabc1e n/openssl-1.0.2m-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg openssl-1.0.2m-i586-1_slack14.2.txz openssl-solibs-1.0.2m-i586-1_slack14.2.txz +-----+ . Updated OpenSSL packages have been made available for Slackware 14.2 to address a vulnerability affecting x64 architectures.. openssl packages, slackware security, DH attacks, security update. . LinuxSecurity.com Team

Nov 03, 2017 Slackware