
Re: [SECURITY] [DSA 1888-1] New openssl packages deprecate MD2 hash signatures



Would you remove Justin Bellmor from your email list. Justin passed away last month after suffering a major brain bleed in July.

Thank you

Russell Bellmor
Justin's Dad

--
Justin Bellmor
Computer Science Undergraduate @ Georgia Institute of Technology
justin@bellmor.com | justin@gtisc.gatech.edu
770-265-3587

On Sep 15, 2009, at 5:37 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- ---------------------------------------------------------------------
Debian Security Advisory DSA-1888-1                  security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2009                    http://www.debian.org/security/faq
- --- ---------------------------------------------------------------------

Package        : openssl, openssl097
Vulnerability  : cryptographic weakness
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-2409

Certificates with MD2 hash signatures are no longer accepted by OpenSSL,
since they're no longer considered cryptographically secure.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny5.

For the old stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch9 for openssl and version 0.9.7k-3.1etch5 for
openssl097.

The OpenSSL 0.9.8 update for oldstable (etch) also provides updated
packages for multiple denial of service vulnerabilities in the
Datagram Transport Layer Security implementation. These fixes were
already provided for Debian stable (Lenny) in a previous point
update. The OpenSSL 0.9.7 package from oldstable (Etch) is not
affected. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379,
CVE-2009-1386 and CVE-2009-1387)

For the unstable distribution (sid), this problem has been fixed in
version 0.9.8k-5.

We recommend that you upgrade your openssl packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.



Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


