===========================================================
Ubuntu Security Notice USN-204-1           October 14, 2005
openssl vulnerability
CAN-2005-2969
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libssl0.9.7

The problem can be corrected by upgrading the affected package to
version 0.9.7d-3ubuntu0.3 (for Ubuntu 4.10), 0.9.7e-3ubuntu0.2 (for
Ubuntu 5.04), or 0.9.7g-1ubuntu1.1 (for Ubuntu 5.10). Since the SSL
library is used by a lot of server and desktop applications, you
should restart your computer after a standard system upgrade to
ensure that all programs use the new library.

Details follow:

Yutaka Oiwa discovered a possible cryptographic weakness in OpenSSL
applications. Applications using the OpenSSL library can use the
SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL, which implies the
former) to maintain compatibility with third party products, which is
achieved by working around known bugs in them.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option disabled a verification step
in the SSL 2.0 server supposed to prevent active protocol-version
rollback attacks. With this verification step disabled, an attacker
acting as a "man in the middle" could force a client and a server to
negotiate the SSL 2.0 protocol even if these parties both supported
SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe
cryptographic weaknesses and is supported as a fallback only.
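
Added example, not part of the original notice and not OpenSSL's own code: a C model of the server-side verification step that the option disabled. It goes beyond the notice by using the rollback marker from RFC 2246 Appendix E.2 (the last eight padding bytes set to 0x03); OPT_MSIE_PADDING, the function names and the sample block are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag standing in for SSL_OP_MSIE_SSLV2_RSA_PADDING. */
#define OPT_MSIE_PADDING 0x1u

/* Index of the 0x00 that ends the padding of a PKCS#1 type 2 block
 * (00 02 PS 00 M), or 0 if malformed or PS is shorter than 8 bytes. */
static size_t padding_end(const unsigned char *em, size_t len)
{
    if (len < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (size_t i = 2; i < len; i++)
        if (em[i] == 0x00)
            return i >= 10 ? i : 0;
    return 0;
}

/* 1 = continue the SSL 2.0 handshake, 0 = abort. A server that also speaks
 * SSL 3.0/TLS aborts when the last 8 padding bytes are all 0x03, because a
 * client sets them only when it supports a newer protocol version. */
int sslv2_server_accepts(const unsigned char *em, size_t len, unsigned opts)
{
    size_t sep = padding_end(em, len);
    if (sep == 0)
        return 0;
    if (opts & OPT_MSIE_PADDING)
        return 1;              /* vulnerable behaviour: check skipped */
    for (size_t i = sep - 8; i < sep; i++)
        if (em[i] != 0x03)
            return 1;          /* no marker: SSL 2.0-only client */
    return 0;                  /* marker present: rollback detected */
}

/* Constructed 48-byte sample block; 0xA5 filler stands in for random data. */
int demo(int client_has_tls, unsigned opts)
{
    unsigned char em[48];
    size_t sep = sizeof em - 16 - 1;
    memset(em, 0xA5, sizeof em);
    em[0] = 0x00; em[1] = 0x02; em[sep] = 0x00;
    if (client_has_tls)
        memset(em + sep - 8, 0x03, 8);
    return sslv2_server_accepts(em, sizeof em, opts);
}

int main(void)
{
    printf("check on: %d, check off: %d\n", demo(1, 0), demo(1, OPT_MSIE_PADDING));
    return 0;
}
```

With the flag clear, the marked block from a TLS-capable client is rejected; with the flag set, the same block is accepted and the downgrade goes unnoticed.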