Bluewhite64 Linux: [bluewhite64-security] openssl (BW64SA:20090116-01)

Welcome

Be cool!

Linux, Bluewhite64 Linux T-shirts, Wall Clocks, Mugs, Hats, Bags

Buy Bluewhite64 DVDs
(USA Store)

Custom Search

RSS Feeds

Our news can be syndicated by using these rss feeds.

Latest Forum Posts

Posted by charlie
Updated the function: bw () { #Enter your [more ...]
24 Aug : 03:21

Posted by darshin
As we all know, ZFS is by far the best file system.People ha [more ...]
20 Aug : 16:17

Posted by charlie
Bluewhite64 should add something more than what Slackware64 [more ...]
26 Jul : 23:05

Posted by tpreitzel
Well, if we do see a new version of Bluewhite64, Arny is kee [more ...]
25 May : 23:19

Posted by Diver
Hello.I compiled KDE-4.4.3 with the help of Alien's scripts [more ...]
25 May : 21:35

Posted by /dev/twisted
I sure hope he does, I really like BW.I check this forum eve [more ...]
25 May : 08:48

Posted by Diver
Slackware-13.1 is out! )Can we hope to see the new version o [more ...]
25 May : 08:39

Posted by Kenjiro Tanaka
Eric/alienbob,I am really sorry. I really thought (before re [more ...]
29 Apr : 23:20

Posted by alienbob
Kenjiro,Thanks for finally giving public credit to the sourc [more ...]
29 Apr : 22:37

Posted by Kenjiro Tanaka
Hello there.Diver, my last two builds (kde-4.4.1 and kde-4.4 [more ...]
28 Apr : 15:04

[bluewhite64-security] openssl (BW64SA:20090116-01)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[bluewhite64-security] openssl (BW64SA:20090116-01)

New openssl packages are available for Bluewhite64 11.0, 12.0, 12.1, 12.2,
and -current to fix a security issue when connecting to an SSL/TLS server
that uses a certificate containing a DSA or ECDSA key.

More details about this issue may be found here:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077

Here are the details from the Bluewhite64 12.2 ChangeLog:
+--------------------------+
PATCHES/packages/openssl-0.9.8i-x86_64-2.tgz:
Patched to fix the return value EVP_VerifyFinal, preventing malformed
signatures from being considered good. This flaw could possibly allow a
'man in the middle' attack.
For more information, see:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
[*** Security fix ***]
PATCHES/packages/openssl-solibs-0.9.8i-x86_64-2.tgz:
Patched to fix the return value EVP_VerifyFinal, preventing malformed
signatures from being considered good. This flaw could possibly allow a
'man in the middle' attack.
For more information, see:
http://www.openssl.org/news/secadv_20090107.txt
http://www.ocert.org/advisories/ocert-2008-016.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
[*** Security fix ***]
+--------------------------+

Where to find the new packages:
+-----------------------------+
Updated package for Bluewhite64 11.0:
http://data.bluewhite64.com/bluewhite64-11.0/patches/packages/openssl-0.9.8h-x86_64-2.tgz
http://data.bluewhite64.com/bluewhite64-11.0/patches/packages/openssl-solibs-0.9.8h-x86_64-2.tgz

Updated package for Bluewhite64 12.0:
http://data.bluewhite64.com/bluewhite64-12.0/patches/packages/openssl-0.9.8h-x86_64-2.tgz
http://data.bluewhite64.com/bluewhite64-12.0/patches/packages/openssl-solibs-0.9.8h-x86_64-2.tgz

Updated package for Bluewhite64 12.1:
http://data.bluewhite64.com/bluewhite64-12.1/patches/packages/openssl-0.9.8h-x86_64-2.tgz
http://data.bluewhite64.com/bluewhite64-12.1/patches/packages/openssl-solibs-0.9.8h-x86_64-2.tgz

Updated package for Bluewhite64 12.2:
http://data.bluewhite64.com/bluewhite64-12.2/patches/packages/openssl-0.9.8i-x86_64-2.tgz
http://data.bluewhite64.com/bluewhite64-12.2/patches/packages/openssl-solibs-0.9.8i-x86_64-2.tgz

Updated package for Bluewhite64 -current:
http://data.bluewhite64.com/bluewhite64-current/bluewhite64/n/openssl-0.9.8i-x86_64-2.tgz
http://data.bluewhite64.com/bluewhite64-current/bluewhite64/a/openssl-solibs-0.9.8i-x86_64-2.tgz

MD5 signatures:
+-------------+
Bluewhite64 11.0 package:
c2ac327226b8ab6cbb242f57b407e60f openssl-0.9.8h-x86_64-2.tgz
d55f889cd9fdb7ecef3c72f52583fa14 openssl-solibs-0.9.8h-x86_64-2.tgz

Bluewhite64 12.0 package:
6e7a88145df8e3c82d80e42f3f5743e4 openssl-0.9.8h-x86_64-2.tgz
1163d24508e77a4f12cdfa690d7ebc5e openssl-solibs-0.9.8h-x86_64-2.tgz

Bluewhite64 12.1 package:
238e218667a9f0e39212401cac40117d openssl-0.9.8h-x86_64-2.tgz
58875816797f2d75f9a7f5ee7b3aecfb openssl-solibs-0.9.8h-x86_64-2.tgz

Bluewhite64 12.2 package:
ce2610a438e8c012a04c340393e539e9 openssl-0.9.8i-x86_64-2.tgz
1745f832fb0205bdd06e620fa6dbac89 openssl-solibs-0.9.8i-x86_64-2.tgz

Bluewhite64 -current package:
ce2610a438e8c012a04c340393e539e9 openssl-0.9.8i-x86_64-2.tgz
1745f832fb0205bdd06e620fa6dbac89 openssl-solibs-0.9.8i-x86_64-2.tgz

Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg openssl-0.9.8i-x86_64-2.tgz openssl-solibs-0.9.8i-x86_64-2.tgz

+-----+
Bluewhite64 Linux Security Team
http://bluewhite64.com/gpg-key

security©bluewhite64.com

+-------------------------------------------------------+
| To leave the bluewhite64-security mailing list:
+-------------------------------------------------------+
| Send a blank email to
|
| bluewhite64-security-unsubscribe©bluewhite64.com
|
| You will get a confirmation message back containing
| instructions to complete the process.
|
| Please do not reply to this email address.
+--------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklw7eQACgkQpTOsxuDdlY7+0QCfXw0eLzwzs/RFj6s3UNBwannu
ofQAn3oD3SpH/t74hGzF/ye3QA0hqVK2
=7za0
-----END PGP SIGNATURE-----