USN-704-1: OpenSSL vulnerability

01-07-2009

Registered User

26,240, 27

Join Date: Sep 2000

Last Activity: 1 August 2008, 3:09 PM EDT

Posts: 26,240

Thanks Given: 0

Thanked 27 Times in 26 Posts

USN-704-1: OpenSSL vulnerability

Referenced CVEs:
CVE-2008-5077

Description:
===========================================================Ubuntu Security Notice USN-704-1 January 07, 2009openssl vulnerabilityCVE-2008-5077===========================================================A security issue affects the following Ubuntu releases:Ubuntu 6.06 LTSUbuntu 7.10Ubuntu 8.04 LTSUbuntu 8.10This advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 6.06 LTS: libssl0.9.8 0.9.8a-7ubuntu0.6 openssl 0.9.8a-7ubuntu0.6Ubuntu 7.10: libssl0.9.8 0.9.8e-5ubuntu3.3 openssl 0.9.8e-5ubuntu3.3Ubuntu 8.04 LTS: libssl0.9.8 0.9.8g-4ubuntu3.4 openssl 0.9.8g-4ubuntu3.4Ubuntu 8.10: libssl0.9.8 0.9.8g-10.1ubuntu2.1 openssl 0.9.8g-10.1ubuntu2.1After a standard system upgrade you need to reboot your computer toeffect the necessary changes.Details follow:It was discovered that OpenSSL did not properly perform signature verificationon DSA and ECDSA keys. If user or automated system connected to a maliciousserver or a remote attacker were able to perform a man-in-the-middle attack,this flaw could be exploited to view sensitive information.

More...

Linux Bot

View Public Profile for Linux Bot

Find all posts by Linux Bot

SSL_get_default_timeout(3openssl) OpenSSL SSL_get_default_timeout(3openssl) NAME
SSL_get_default_timeout - get default session timeout value SYNOPSIS
#include <openssl/ssl.h> long SSL_get_default_timeout(const SSL *ssl); DESCRIPTION
SSL_get_default_timeout() returns the default timeout value assigned to SSL_SESSION objects negotiated for the protocol valid for ssl. NOTES
Whenever a new session is negotiated, it is assigned a timeout value, after which it will not be accepted for session reuse. If the timeout value was not explicitly set using SSL_CTX_set_timeout(3), the hardcoded default timeout for the protocol will be used. SSL_get_default_timeout() return this hardcoded value, which is 300 seconds for all currently supported protocols (SSLv2, SSLv3, and TLSv1). RETURN VALUES
See description. SEE ALSO
ssl(3), SSL_CTX_set_session_cache_mode(3), SSL_SESSION_get_time(3), SSL_CTX_flush_sessions(3), SSL_get_default_timeout(3) OpenSSL-0.9.8 Oct 11 2005 SSL_get_default_timeout(3openssl)

Security Advisories (RSS)

USN-704-1: OpenSSL vulnerability

LEARN ABOUT OPENSOLARIS

ssl_get_default_timeout