Hello all,

According to the following USN I simply need to do a standard system upgrade. I did an "apt-get update; apt-get upgrade" but did not get the openssl-blacklist package. I had to do a separate "apt-get install openssl-blacklist" to get this package on Ubuntu 6.06 LTS. Which sources do I need to have listed in my /etc/apt/sources.list to be able to do a standard "apt-get upgrade" to get this package? I want to make sure that I have the required minimum sources listed to get such security packages.

Thanks in advance
Ganesh

On Wed, May 21, 2008 at 11:31 AM, Jamie Strandboge <[EMAIL PROTECTED]> wrote:
> ===========================================================
> Ubuntu Security Notice USN-612-8 May 21, 2008
> openssl-blacklist update
> http://www.ubuntu.com/usn/usn-612-1
> http://www.ubuntu.com/usn/usn-612-3
> ===========================================================
>
> A security issue affects the following Ubuntu releases:
>
> Ubuntu 6.06 LTS
> Ubuntu 7.04
> Ubuntu 7.10
> Ubuntu 8.04 LTS
>
> This advisory also applies to the corresponding versions of
> Kubuntu, Edubuntu, and Xubuntu.
>
> The problem can be corrected by upgrading your system to the
> following package versions:
>
> Ubuntu 6.06 LTS:
>   openssl-blacklist 0.1-0ubuntu0.6.06.1
>
> Ubuntu 7.04:
>   openssl-blacklist 0.1-0ubuntu0.7.04.4
>
> Ubuntu 7.10:
>   openssl-blacklist 0.1-0ubuntu0.7.10.4
>
> Ubuntu 8.04 LTS:
>   openssl-blacklist 0.1-0ubuntu0.8.04.4
>
> In general, a standard system upgrade is sufficient to effect the
> necessary changes.
>
> Details follow:
>
> USN-612-3 addressed a weakness in OpenSSL certificate and key
> generation in OpenVPN by introducing openssl-blacklist to aid in
> detecting vulnerable private keys. This update enhances the
> openssl-vulnkey tool to check X.509 certificates as well, and
> provides the corresponding update for Ubuntu 6.06. While the
> OpenSSL in Ubuntu 6.06 was not vulnerable, openssl-blacklist is
> now provided for Ubuntu 6.06 for checking certificates and keys
> that may have been imported on these systems.
>
> This update also includes the complete RSA-1024 and RSA-2048
> blacklists for all Ubuntu architectures, as well as support for
> other future blacklists for non-standard bit lengths.
>
> You can check for weak SSL/TLS certificates by installing
> openssl-blacklist via your package manager, and using the
> openssl-vulnkey command.
>
> $ openssl-vulnkey /path/to/certificate_or_key
>
> This command can be used on public certificates and private keys
> for any X.509 certificate or RSA key, including ones for web
> servers, mail servers, OpenVPN, and others. If in doubt, destroy
> the certificate and key and generate new ones. Please consult the
> documentation for your software when recreating SSL/TLS
> certificates. Also, if certificates have been generated for use
> on other systems, they must be found and replaced as well.
>
> Original advisory details:
>
> A weakness has been discovered in the random number generator used
> by OpenSSL on Debian and Ubuntu systems. As a result of this
> weakness, certain encryption keys are much more common than they
> should be, such that an attacker could guess the key through a
> brute-force attack given minimal knowledge of the system. This
> particularly affects the use of encryption keys in OpenSSH, OpenVPN
> and SSL certificates.
>
>
> Updated packages for Ubuntu 6.06 LTS:
>
> Source archives:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.dsc
>   Size/MD5: 548 b437e5037437d46ba896cf28be43fa55
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1.tar.gz
>   Size/MD5: 8998682 154e882671f25f5ef5a100ef2709cd4e
>
> Architecture independent packages:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.6.06.1_all.deb
>   Size/MD5: 4235438 b78f5861f72699f7699e3f60d7e7d235
>
> Updated packages for Ubuntu 7.04:
>
> Source archives:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.dsc
>   Size/MD5: 600 8045fc0b37070b448b00123c395af0fd
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4.tar.gz
>   Size/MD5: 8999060 4a23e360873f70d978401837a5a1a462
>
> Architecture independent packages:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.4_all.deb
>   Size/MD5: 4236958 7ec420cb408154facae641776ac1aeaf
>
> Updated packages for Ubuntu 7.10:
>
> Source archives:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.dsc
>   Size/MD5: 600 e484758b7e017b511fc34eff1878a2eb
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4.tar.gz
>   Size/MD5: 8999062 1f59fe1ae585543431a58f050cb8fe46
>
> Architecture independent packages:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.4_all.deb
>   Size/MD5: 4237110 8451e9872b23fc0f73ef16f384d4dddb
>
> Updated packages for Ubuntu 8.04 LTS:
>
> Source archives:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.dsc
>   Size/MD5: 600 78f29ecb3d69baf5f529f15a06c41cf4
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4.tar.gz
>   Size/MD5: 8999068 d67755ccd109508c460a4a3a830d699d
>
> Architecture independent packages:
>
> http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.4_all.deb
>   Size/MD5: 4236630 36f5d84a1cff08e86a6b1646565245e6
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFINE5hW0JvuRdL8BoRAtJSAJ9axmJSnMH84okf6LJssr4s0VSydwCfcl+j
> PcRD8A4wCh5TOrYVIrHwqzY=
> =GlmK
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
Ganeshram Iyer
Open Source and CAD: http://ossandcad.blogspot.com
[EMAIL PROTECTED]
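An added example, not code from the original message, from Ubuntu or from the openssl-blacklist package: a POSIX shell script that checks whether an apt sources.list enables the "<codename>-security" pocket from which Ubuntu security updates such as this USN are published (security.ubuntu.com is the host used by the package URLs in the advisory; the codename "dapper" for Ubuntu 6.06 LTS is assumed here), prints the line to add when it is missing, and, when the openssl-blacklist package is installed, runs openssl-vulnkey over a directory of PEM files. The two sample sources.list files are constructed for the demo, and the scan helper assumes that openssl-vulnkey exits non-zero for a blacklisted key or certificate.

```shell
#!/bin/sh
# Added example (not from the original post or from Ubuntu): verify that the
# security pocket is enabled in an apt sources.list, and optionally scan a
# directory of keys/certificates with openssl-vulnkey. The codename "dapper"
# for Ubuntu 6.06 LTS is an assumption; the sample files below are constructed.

# Return 0 if FILE contains an uncommented "deb" line for the
# "<codename>-security" pocket (an optional "[options]" field is tolerated),
# and 1 otherwise.
security_pocket_enabled() {
    file="$1"
    codename="$2"
    grep -Eq "^[[:space:]]*deb[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+${codename}-security([[:space:]]|$)" "$file"
}

# Print the sources.list line that enables the security pocket for CODENAME.
security_pocket_line() {
    printf 'deb http://security.ubuntu.com/ubuntu %s-security main restricted\n' "$1"
}

# Run openssl-vulnkey on every *.pem, *.key and *.crt directly under DIR.
# Returns 0 if nothing was flagged, 1 if at least one file was flagged
# (assumption: the tool exits non-zero for a blacklisted key), and 2 if
# openssl-vulnkey is not installed.
scan_with_vulnkey() {
    dir="$1"
    if ! command -v openssl-vulnkey >/dev/null 2>&1; then
        echo "openssl-vulnkey not found; install the openssl-blacklist package first" >&2
        return 2
    fi
    flagged=0
    for f in "$dir"/*.pem "$dir"/*.key "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if openssl-vulnkey "$f" >/dev/null 2>&1; then
            echo "ok       $f"
        else
            echo "FLAGGED  $f"
            flagged=1
        fi
    done
    return "$flagged"
}

# --- constructed sample input and a demo run ---
tmpdir="$(mktemp -d)"
cat > "$tmpdir/sources.list.good" <<'EOF'
deb http://archive.ubuntu.com/ubuntu dapper main restricted
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
EOF
cat > "$tmpdir/sources.list.bad" <<'EOF'
deb http://archive.ubuntu.com/ubuntu dapper main restricted
# deb http://security.ubuntu.com/ubuntu dapper-security main restricted
EOF

for f in "$tmpdir/sources.list.good" "$tmpdir/sources.list.bad"; do
    if security_pocket_enabled "$f" dapper; then
        echo "$f: dapper-security is enabled"
    else
        echo "$f: dapper-security is missing; add this line:"
        security_pocket_line dapper
    fi
done

# Scan the (empty) sample directory; on a system without openssl-blacklist
# this reports that the tool is missing instead of failing the script.
scan_with_vulnkey "$tmpdir" || true
```

One point the script cannot fix for you: "apt-get upgrade" only updates packages that are already installed, so a package that is new to a release, as openssl-blacklist was for 6.06, has to be installed explicitly even when the security pocket is present in sources.list.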
