Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

USN-612-8: openssl-blacklist update

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) USN-612-8: openssl-blacklist update
# 1  
Old 05-21-2008
USN-612-8: openssl-blacklist update
Description:
=========================================================== Ubuntu Security Notice USN-612-8 May 21, 2008openssl-blacklist updatehttp://www.ubuntu.com/usn/usn-612-1http://www.ubuntu.com/usn/usn-612-3===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.04Ubuntu 7.10Ubuntu 8.04 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: openssl-blacklist 0.1-0ubuntu0.6.06.1Ubuntu 7.04: openssl-blacklist 0.1-0ubuntu0.7.04.4Ubuntu 7.10: openssl-blacklist 0.1-0ubuntu0.7.10.4Ubuntu 8.04 LTS: openssl-blacklist 0.1-0ubuntu0.8.04.4In general, a standard system upgrade is sufficient to effect thenecessary changes.Details follow:USN-612-3 addressed a weakness in OpenSSL certificate and keygeneration in OpenVPN by introducing openssl-blacklist to aid indetecting vulnerable private keys. This update enhances theopenssl-vulnkey tool to check X.509 certificates as well, andprovides the corresponding update for Ubuntu 6.06. While theOpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist isnow provided for Ubuntu 6.06 for checking certificates and keysthat may have been imported on these systems.This update also includes the complete RSA-1024 and RSA-2048blacklists for all Ubuntu architectures, as well as support forother future blacklists for non-standard bit lengths.You can check for weak SSL/TLS certificates by installingopenssl-blacklist via your package manager, and using theopenssl-vulnkey command.$ openssl-vulnkey /path/to/certificate_or_keyThis command can be used on public certificates and private keysfor any X.509 certificate or RSA key, including ones for webservers, mail servers, OpenVPN, and others. If in doubt, destroythe certificate and key and generate new ones. Please consult thedocumentation for your software when recreating SSL/TLScertificates. Also, if certificates have been generated for useon other systems, they must be found and replaced as well.Original advisory details: A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN and SSL certificates.





More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question