Ubuntu 6310 Published by

A new openssl weak default configuration update is available for Ubuntu Linux. Here the announcement:



Ubuntu Security Notice USN-179-1 September 09, 2005
openssl weak default configuration
https://bugzilla.ubuntu.com/show_bug.cgi?id593
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssl

The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.2 (for Ubuntu 4.10), or 0.9.7e-3ubuntu0.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

The current default algorithm for creating "message digests"
(electronic signatures) for certificates created by openssl is MD5.
However, this algorithm is not deemed secure any more, and some
practical attacks have been demonstrated which could allow an attacker
to forge certificates with a valid certification authority signature
even if he does not know the secret CA signing key.

Therefore all Ubuntu versions of openssl have now been changed to use
SHA-1 by default. This is a more appropriate default algorithm for
the majority of use cases; however, if you still want to use MD5 as
default, you can revert this change by changing the two instances of
"default_md = sha1" to "default_md = md5" in /etc/ssl/openssl.cnf.

A detailed explanation and further links can be found at

http://www.cits.rub.de/MD5Collisions/


Updated packages for Ubuntu 4.10 (Warty Warthog):

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.2.diff.gz
Size/MD5: 25934 e06a4ebe002f3a43dc492cee46149b45
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.2.dsc
Size/MD5: 636 e11f5f6231d05e17c11bac60c7765e94
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d.orig.tar.gz
Size/MD5: 2799796 533b7f758325d74c1e01e67994e3ae59

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.2_amd64.deb
Size/MD5: 2676640 3be830e4beb6e40089bcb5bbcffc2e07
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.2_amd64.deb
Size/MD5: 696986 4acada3a47b8116c38beae46f1472888
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.2_amd64.deb
Size/MD5: 899782 9e728d2ced98a1b297fe5e5e70e2f501

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.2_i386.deb
Size/MD5: 2477468 fc2944d39c6c5fb5117d4909b83cde83
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.2_i386.deb
Size/MD5: 2152990 d09ac9e5901cc196da053c61a185e4ca
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.2_i386.deb
Size/MD5: 898444 ad35e5b298aee3479b9d4fdc209e3661

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7d-3ubuntu0.2_powerpc.deb
Size/MD5: 2759030 283074e7ade479e381c7acf7e207bba1
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7d-3ubuntu0.2_powerpc.deb
Size/MD5: 700766 69ca323a46256db250d12f325e140d59
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7d-3ubuntu0.2_powerpc.deb
Size/MD5: 904396 10d8f1e257a00fba6b105391b4cd182f

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1.diff.gz
Size/MD5: 28446 1aea4eb1e8ca811bac6bf974c88d86f6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1.dsc
Size/MD5: 645 660479043ea6c45155d371594be8af24
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5: 3043231 a8777164bca38d84e5eb2b1535223474

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.1_amd64.udeb
Size/MD5: 495076 196e108273babe1ee2885ea5f18695eb
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.1_amd64.deb
Size/MD5: 2693088 03204456f6f125c13d5b45bbf3135e1e
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.1_amd64.deb
Size/MD5: 769306 cee881a42108c488362de1eecf1162f6
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1_amd64.deb
Size/MD5: 903308 50489fa878601993667582ee18193bee

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.1_i386.udeb
Size/MD5: 433188 f0f38c4de6accc33a458069eceac813a
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.1_i386.deb
Size/MD5: 2492176 46f6844494deeddd34a82212a4586b1d
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.1_i386.deb
Size/MD5: 2240302 4bf0ff01a737f91d6987fbe189007e23
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1_i386.deb
Size/MD5: 900782 d5b985081049a1b0b71a23d3c0913c3b

ia64 architecture (Intel Itanium)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.1_ia64.udeb
Size/MD5: 713326 86db5ab5391417085fcf41e3b40de3fe
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.1_ia64.deb
Size/MD5: 3395220 38ed3cd58d573774414137d24af74717
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.1_ia64.deb
Size/MD5: 1037652 e4e04177f77cce913fcc96a9a457b64f
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1_ia64.deb
Size/MD5: 974696 10095ea31a51236d0e5c9a1cbad9b7cf

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libcrypto0.9.7-udeb_0.9.7e-3ubuntu0.1_powerpc.udeb
Size/MD5: 499308 72c6ee7cd7de757f534ff250b6228c2f
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_0.9.7e-3ubuntu0.1_powerpc.deb
Size/MD5: 2773772 d4cdb25892e6633e0630e8098167297d
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/libssl0.9.7_0.9.7e-3ubuntu0.1_powerpc.deb
Size/MD5: 778940 5a5f3bb6d59e12e26c6f690079da6545
http://security.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_0.9.7e-3ubuntu0.1_powerpc.deb
Size/MD5: 907796 19da07525a372f7bc760b545174a7f98

--huq684BweRXVnRxX
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDIaeoDecnbV4Fd/IRAvMxAJ9yhO2TMMYw68Ed1NV1FM2ZEXJlqgCg8oS5
0ZQ5vXf6MBRdz9qVMupkKl0=
=/xDp
-----END PGP SIGNATURE-----