The following provides a very respectible detail of why we can't install Apache 2.0 mod_ssl with anything less than 0.9.6b. Hope some of you find this interesting or otherwise useful. > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > - -------------------------------------------------------------------------- > CONECTIVA LINUX SECURITY ANNOUNCEMENT > - -------------------------------------------------------------------------- > > PACKAGE : openssl > SUMMARY : Several vulnerabilities in the OpenSSL library > DATE : 2001-08-30 16:11:00 > ID : CLA-2001:418 > RELEVANT > RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0 > > - ------------------------------------------------------------------------- > > DESCRIPTION > OpenSSL is a library providing several crypto and digital certificate > handling functions. > Several vulnerabilities have been addressed in newer versions of this > library: > 1. OpenSSL now avoids using environment variables when running as > root; > 2. The result of RSA-CRT is now checked to reduce the possibility of > deducing the private key from an incorrectly calculated signature; > 3. Changes to prevent Bleichenbacher's DSA attack; > 4. OpenSSL now zeroes the premaster secret after deriving the master > secret in DH ciphersuites; > 5. Fix for a vulnerability in the pseudo random number generator > which allowed an attacker to predict the internal state of the PRNG > and thus predict future PRNG output. > The first four vulnerabilities have been addressed in the 0.9.6a > version of the library and affect Conectiva Linux <= 6.0 only, while > the last one was fixed with the 0.9.6b release and affects Conectiva > Linux 7.0 and earlier. > The packages available through this update have been patched to fix > all these vulnerabilities. Thanks to the OpenSSL team for releasing > the new versions and to Nalin Dahyabhai from Redhat for providing > patches for older versions. > > > SOLUTION > All users should upgrade the OpenSSL library. After the update, > programs which use the library, such as apache and openssh, should be > restarted. > > IMPORTANT: updated packages for Conectiva Linux 4.0 and 4.0es are not > yet available. > > > REFERENCES > 1. http://www.securityfocus.com/bid/3004 > 2. http://www.openssl.org > 3.http://marc.theaimsgroup.com/?l=openssl-announce&m=98655255404174&w=2 > > > DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES > ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/openssl-0.9.5a-2U41_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-devel-0.9.5a-2U41_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/4.1/i386/openssl-0.9.5a-2U41_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/openssl-0.9.5a-2U42_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-devel-0.9.5a-2U42_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/4.2/i386/openssl-0.9.5a-2U42_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/5.0/i386/openssl-0.9.5a-2U50_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/openssl-0.9.5a-2U51_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-0.9.5a-2U51_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/5.1/i386/openssl-devel-0.9.5a-2U51_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-devel-0.9.6-4U60_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssl-0.9.6a-3U70_1cl.src.rpm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-doc-0.9.6a-3U70_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-0.9.6a-3U70_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-0.9.6a-3U70_1cl.i386.rpm > >ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-static-0.9.6a-3U70_1cl.i386.rpm > ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-progs-0.9.6a-3U70_1cl.i386.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/openssl-0.9.5a-2U50_1cl.i386.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/openssl-0.9.5a-2U50_1cl.src.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-devel-0.9.5a-2U50_1cl.i386.rpm > >ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/openssl-0.9.5a-2U50_1cl.i386.rpm > > > ADDITIONAL INSTRUCTIONS > Users of Conectiva Linux version 6.0 or higher may use apt to perform > upgrades of RPM packages: > - add the following line to /etc/apt/sources.list if it is not there yet > (you may also use linuxconf to do this): > > rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates > > (replace 6.0 with the correct version number if you are not running CL6.0) > > - run: apt-get update > - after that, execute: apt-get upgrade > > Detailed instructions reagarding the use of apt and upgrade examples > can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en > > > - ------------------------------------------------------------------------- > All packages are signed with Conectiva's GPG key. The key and instructions > on how to import it can be found at > http://distro.conectiva.com.br/seguranca/chave/?idioma=en > Instructions on how to check the signatures of the RPM packages can be > found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en > - ------------------------------------------------------------------------- > All our advisories and generic update instructions can be viewed at > http://distro.conectiva.com.br/atualizacoes/?idioma=en > > - ------------------------------------------------------------------------- > subscribe: [EMAIL PROTECTED] > unsubscribe: [EMAIL PROTECTED] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE7jo/542jd0JmAcZARAnaSAJ4po9nPSxpqUCJOg6hDYMriFxO58wCg1e/D > gL56qncwxZrTlKchIhw7MAQ= > =/aX5 > -----END PGP SIGNATURE----- > >
