VectorLinux
Topic: 090117 New openssl packages close security vulnerability [VL 5.8,VL 5.9,VL 6.0]
caitlyn
Packager
« on: January 17, 2009, 05:36:15 pm »

New openssl packages close a known security vulnerability:

Quote
Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error.  This issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS.

One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.

This vulnerability is tracked as CVE-2008-5077.

Details can be found at:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796

New packages for VL 5.9 and VL 5.9.1 are available in the testing repository now and will be moved to patches as soon as we have adequate user feedback.  New VL 6.0 packages will follow shortly.
« Last Edit: January 31, 2009, 02:11:20 pm by caitlyn »

eMachines EL-1300G desktop, 1.6GHz AMD Athlon 2650e CPU, 4GB RAM, nVidia GeForce 6150 SE video
CentOS 6.5 (will try VL64-7.1 soon)

Toshiba Satellite A135-S4727,  Intel Pentium T2080 / 1.73 GHz, 2GB RAM, Intel GMA 950

HP Mini 110 netbook, 1.6GHz Intel Atom CPU, 2GB RAM, Intel 950 video, VL 7.1
caitlyn
« Reply #1 on: January 31, 2009, 02:09:47 pm »

UPDATE: The new openssl packages are included in Vector Linux Standard 6.0 rc4.  For those running earlier release candidates and development code, and for anyone running Vector Linux Light 6.0 beta or alpha code, the new packages can be found in the packages repository.

New VL 5.8 packages will be in the repository shortly.
« Last Edit: January 31, 2009, 02:11:43 pm by caitlyn »