[SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness
Date: Mon, 7 Nov 2005 20:06:00 +0100 (CET)
From: [email protected] (Martin Schulze)
Subject: [SECURITY] [DSA 888-1] New OpenSSL packages fix cryptographic weakness
Priority: urgent
Resent-Message-ID: <lLqvDC.A.zCD.kX6bDB@murphy.>
Reply-To: [email protected]
Mail-Followup-To: [email protected]
To: [email protected]
Resent-Date: Mon, 7 Nov 2005 13:07:16 -0600 (CST)
Resent-From: [email protected] (Mailing List Manager)
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 888-1 [email protected]
http://www.debian.org/security/ Martin Schulze
November 7th, 2005 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : openssl
Vulnerability : cryptographic weakness
Problem type : remote
Debian-specific: no
CVE ID : CVE-2005-2969
Yutaka Oiwa discovered a vulnerability in the Open Secure Socket Layer
(OpenSSL) library that can allow an attacker to perform active
protocol-version rollback attacks that could lead to the use of the
weaker SSL 2.0 protocol even though both ends support SSL 3.0 or TLS
1.0.
The following matrix explains which version in which distribution has
this problem corrected.
oldstable (woody) stable (sarge) unstable (sid)
openssl 0.9.6c-2.woody.8 0.9.7e-3sarge1 0.9.8-3
openssl 094 0.9.4-6.woody.4 n/a n/a
openssl 095 0.9.5a-6.woody.6 n/a n/a
openssl 096 n/a 0.9.6m-1sarge1 n/a
openssl 097 n/a n/a 0.9.7g-5
We recommend that you upgrade your libssl packages.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.dsc
Size/MD5 checksum: 632 0f3990f71f6773a516a413c393fc6604
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8.diff.gz
Size/MD5 checksum: 45527 30aa51e1f88c95e086f7918a47fe8f5c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
Size/MD5 checksum: 2153980 c8261d93317635d56df55650c6aeb3dc
Architecture independent components:
http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.8_all.deb
Size/MD5 checksum: 982 71fd036f7135cd3e68c4cf33ed7e2976
Alpha architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_alpha.deb
Size/MD5 checksum: 1551638 2f5d722aa4b7c7bd6c9908a3998b6420
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_alpha.deb
Size/MD5 checksum: 571552 5e94a096f7569a2e18f82a697908d230
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_alpha.deb
Size/MD5 checksum: 736780 2f964e236883e2c8ed7ad2d28ed2bc6b
ARM architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_arm.deb
Size/MD5 checksum: 1358314 c2f4acf9994dd42ae0373c34163b6a96
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_arm.deb
Size/MD5 checksum: 474348 bc3950a119bd05ab4602fc1aae42f6c0
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_arm.deb
Size/MD5 checksum: 730164 c5cc5638fb9ca1583cc23602b61a6dc7
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_i386.deb
Size/MD5 checksum: 1289480 0d32fea022a7896b321d673a9138c90f
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_i386.deb
Size/MD5 checksum: 461972 970aa086b6758741b4cbbf32e94572a1
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_i386.deb
Size/MD5 checksum: 717322 88a3bcb5d1b4330fb25c95b5c7f95bd3
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_ia64.deb
Size/MD5 checksum: 1615580 e66ad48cf480c87a965cad2dadde3074
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_ia64.deb
Size/MD5 checksum: 711412 a7ff065df8383c36ee0e265d889df450
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_ia64.deb
Size/MD5 checksum: 763808 a62f8d33db6e9bc3e770dfd3f23fe70f
HP Precision architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_hppa.deb
Size/MD5 checksum: 1435394 5d5be2d74a8035fdee039237f93ad267
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_hppa.deb
Size/MD5 checksum: 565228 aa3bfa3d333195f59b637d434cc0e4d7
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_hppa.deb
Size/MD5 checksum: 742192 51644d86e15c7bac4d005e57881c6627
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_m68k.deb
Size/MD5 checksum: 1266800 9973441879b98558d95904e0f2798f7c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_m68k.deb
Size/MD5 checksum: 450948 7f7199530678b922e3b9499a9e3c9107
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_m68k.deb
Size/MD5 checksum: 720758 87053610447971c8923160df9ae48304
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mips.deb
Size/MD5 checksum: 1415426 5a9625c92cdf9f54f532806278cf7b71
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mips.deb
Size/MD5 checksum: 483940 4c322f1697e1cd5c701b8870417d5604
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mips.deb
Size/MD5 checksum: 717966 8ce534b83ec7fc69878fbb032562db7f
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_mipsel.deb
Size/MD5 checksum: 1409820 335f3bfc4afadc7099dd81ca655f43ab
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_mipsel.deb
Size/MD5 checksum: 476994 4e51fa71c3feb9871eae6d3620d97a88
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_mipsel.deb
Size/MD5 checksum: 717282 74f673dc3d93ab31316c266647e236f8
PowerPC architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_powerpc.deb
Size/MD5 checksum: 1387860 8c150c04059434d276d9be72e60a33d5
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_powerpc.deb
Size/MD5 checksum: 502762 bc0b6913643d3a49410b2e8b991a2612
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_powerpc.deb
Size/MD5 checksum: 727200 942fccc855f790681ff55792595a0e9e
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_s390.deb
Size/MD5 checksum: 1326764 f0e3604fd60501387dd64d147ed2b399
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_s390.deb
Size/MD5 checksum: 510774 4720d8b0c5b4a4989941af6af448f1c8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_s390.deb
Size/MD5 checksum: 731906 e087d1292d906a027bd18f8ba64bcaa7
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.8_sparc.deb
Size/MD5 checksum: 1344478 462215d04cdc46df9d3c30ca9809ad0c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.8_sparc.deb
Size/MD5 checksum: 485082 d5bf47809f860074a30d1925ec260471
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.8_sparc.deb
Size/MD5 checksum: 737538 bd16a927946e42e9388c10c6caab2471
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.dsc
Size/MD5 checksum: 639 1d4fe852d85c23ee4befe3b69ad11f42
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1.diff.gz
Size/MD5 checksum: 27134 40b781ed5e9b5da015d3d17621378c75
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e.orig.tar.gz
Size/MD5 checksum: 3043231 a8777164bca38d84e5eb2b1535223474
Alpha architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_alpha.deb
Size/MD5 checksum: 3339042 08256d8f24f46888c8d851e7a7717d03
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_alpha.deb
Size/MD5 checksum: 2445184 1c9cfeaa0af4cfe1e412342afb315028
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_alpha.deb
Size/MD5 checksum: 929866 89c795ae3258886e24dc3c05b0317c0d
AMD64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_amd64.deb
Size/MD5 checksum: 2693256 1c9d25d3ca61d64cc55cefbd53543984
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_amd64.deb
Size/MD5 checksum: 769270 444bbc7046101472d4a0d918e258c15c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_amd64.deb
Size/MD5 checksum: 903332 901d18551ad23f7c95489589aecc9394
ARM architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_arm.deb
Size/MD5 checksum: 2554838 9da71c016a4c19c4766022b75b6c9b1c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_arm.deb
Size/MD5 checksum: 689386 9d607bbe307f6b050865cdccee0e8b2b
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_arm.deb
Size/MD5 checksum: 893800 fb067120630f9638363b8ee7fd133110
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_i386.deb
Size/MD5 checksum: 2551894 c9a047ff0bb105d5dbf150370746044a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_i386.deb
Size/MD5 checksum: 2262314 ecd5cfaa6085cdd73f15ffff1e2780a9
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_i386.deb
Size/MD5 checksum: 902214 eb49dbdd0b9bc19342000833eafc422a
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_ia64.deb
Size/MD5 checksum: 3394806 d165b3284eab212f0a90c3d7aa9d274c
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_ia64.deb
Size/MD5 checksum: 1037634 6901a41b294cc7446a5d8b36037fb09c
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_ia64.deb
Size/MD5 checksum: 974704 3bd5964f5a7543e3ed589584362ab5b5
HP Precision architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_hppa.deb
Size/MD5 checksum: 2695182 889bafc3edbc895e4abeb548e16a2218
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_hppa.deb
Size/MD5 checksum: 790356 cda81a66041c3948d0b04a811fd5e78f
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_hppa.deb
Size/MD5 checksum: 914154 e06f637b72ad3ef60f9bd1dcafd28b1f
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_m68k.deb
Size/MD5 checksum: 2316264 22c140d007c3ae174925621468a39cb1
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_m68k.deb
Size/MD5 checksum: 661018 7f67414f0791fc985541378bb55dc7bb
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_m68k.deb
Size/MD5 checksum: 889428 22cb29e59ffcbae25cea4db0d27115ad
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mips.deb
Size/MD5 checksum: 2778266 f467fff7ed6cbefbc672dd7751473596
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mips.deb
Size/MD5 checksum: 705794 9a63ff8605fd3f2759e78a9a8081d478
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mips.deb
Size/MD5 checksum: 896400 f1e1f16d6b5857a4bce14ca8bd5bc736
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_mipsel.deb
Size/MD5 checksum: 2765942 34c72af7ae700c9583a11c3044f942d4
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_mipsel.deb
Size/MD5 checksum: 693754 0052d22ab3dafb44b5fbd7978d83a814
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_mipsel.deb
Size/MD5 checksum: 895542 0901349aab6ab6231b530475b4669ea6
PowerPC architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_powerpc.deb
Size/MD5 checksum: 2775598 1f2e461d360e3cc8e33d5cd866f9e1d0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_powerpc.deb
Size/MD5 checksum: 778892 ddd9238eafb70e31b4fb991909a5bdb8
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_powerpc.deb
Size/MD5 checksum: 908056 5f601e19f91dcdc08541277a42592d5a
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_s390.deb
Size/MD5 checksum: 2716890 7aa32958f3d1631ac8774ce26ed718f0
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_s390.deb
Size/MD5 checksum: 813422 bc2cffe3bcac2ac971d3cbaf7f3e02ea
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_s390.deb
Size/MD5 checksum: 918200 a2d0be567be281c9e6af34fd49c89ec8
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.7e-3sarge1_sparc.deb
Size/MD5 checksum: 2629110 35c2e695c12fd379bfa100347f0641b2
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.7_0.9.7e-3sarge1_sparc.deb
Size/MD5 checksum: 1883990 b432d0bfa5408215a68fc3260e5c3f4a
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.7e-3sarge1_sparc.deb
Size/MD5 checksum: 924138 203d2f9a8068fb193a72d610df41f045
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDb6WYW5ql+IAeqTIRAndKAKCY/Z75nPw5qoUyYOxpZJ+ZIDILGgCdG7Ax
lDSy3Jp+mIrO7gTkO6Tu9os=
=GJdK
-----END PGP SIGNATURE-----