A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package, starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.
The bug barred the OpenSSL random number generator from gaining enough
entropy required for generating unpredictable keys. In fact it
appears that the only source for entropy was the process ID of the
process generating a key, which is chosen from a very small range and
is predictable. As such, all keys generated using the Debian OpenSSL
library should be considered compromised. Programs that use OpenSSL
include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not use
OpenSSL, so they are not affected.
This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For
instance, if a user uses OpenSSH public key authentication to log on
to a CentOS server, and this user generated the key pair with a
vulnerable OpenSSL library, the server is at heavy risk because the
key can be reproduced easily.
Additionally, all (good) DSA keys that were ever used on a vulnerable
Debian machine for signing or authentication should also be considered
compromised due to a known attack on DSA keys.
As a result of this bug, everyone should audit *every* key or
certificate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. Or in the case of DSA keys, care should be taken that they
were not generated or used on a system with a vulnerable OpenSSL
package. Keys that are potentially compromised should be replaced with
strong keys.
The Debian Wiki[2] has a preliminary list of affected applications. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives.
The Metasploit project provides a full list of weak keys in various
configurations[3].
Questions on how this may affect CentOS users should be directed to
the CentOS users list. List subscription information is available
from:
http://lists.centos.org/mailman/listinfo/centos
With kind regards,
The CentOS Team
[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/
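One way to carry out the key audit the advisory asks for on a CentOS server: check every key in an authorized_keys file against a blacklist of known-weak fingerprints. This is an added example, not the Debian detection tool or the Metasploit list referenced above; it assumes the blacklist is a set of colon-separated MD5 fingerprints as printed by `ssh-keygen -l` (the Debian blacklist files use a different, abbreviated form), and the sample keys and blacklist are constructed toy data.

```python
"""Audit authorized_keys against a blacklist of known-weak key fingerprints.
Added example; assumes a blacklist of 'aa:bb:...' MD5 fingerprints (ssh-keygen -l
style), not the Debian/Metasploit blacklist formats."""
import base64
import hashlib

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the data."""
    return len(data).to_bytes(4, "big") + data

def _mpint(n: int) -> bytes:
    """SSH mpint for a positive integer (a leading zero byte if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_blob(e: int, n: int) -> str:
    """Base64 ssh-rsa public-key blob as it appears in an authorized_keys line."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)).decode()

def md5_fingerprint(blob_b64: str) -> str:
    """MD5 of the decoded blob, formatted like ssh-keygen -l output ('aa:bb:...')."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (comment-or-type, fingerprint) for each key whose fingerprint is blacklisted."""
    hits = []
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        # An options field ('from="..."', 'no-pty', ...) may precede the key type.
        idx = next((i for i, p in enumerate(parts) if p.startswith("ssh-")), None)
        if idx is None or len(parts) < idx + 2:
            continue  # not a parseable key line
        fp = md5_fingerprint(parts[idx + 1])
        if fp in blacklist:
            hits.append((" ".join(parts[idx + 2:]) or parts[idx], fp))
    return hits

# Constructed sample data: toy-sized moduli, NOT real keys and not from any real blacklist.
WEAK = rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
GOOD = rsa_blob(65537, 0xDEADBEEF0123456789ABCD)
BLACKLIST = {md5_fingerprint(WEAK)}  # stands in for a vendor-supplied weak-key list
SAMPLE = f"ssh-rsa {WEAK} alice@debian-laptop\nno-pty ssh-rsa {GOOD} bob@workstation\n"

if __name__ == "__main__":
    for who, fp in audit_authorized_keys(SAMPLE, BLACKLIST):
        print(f"WEAK KEY: {who} ({fp}) - replace this key")
```

A flagged key should be removed from authorized_keys and replaced by one generated on a system with a fixed OpenSSL, as the advisory recommends.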
CentOS Errata and Security Advisory 2008:0270 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0270.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
i386:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm
src:
libvorbis-1.1.0-3.el4_6.1.src.rpm
CentOS Errata and Security Advisory 2008:0270 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2008-0270.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
x86_64:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-1.1.0-3.el4_6.1.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm
src:
libvorbis-1.1.0-3.el4_6.1.src.rpm
CentOS Errata and Security Advisory CESA-2008:0270
libvorbis security update for CentOS 3 x86_64:
https://rhn.redhat.com/errata/RHSA-2008-0270.html
The following updated file has been uploaded and is currently syncing to
the mirrors:
x86_64:
updates/x86_64/RPMS/libvorbis-1.0-10.el3.i386.rpm
updates/x86_64/RPMS/libvorbis-1.0-10.el3.x86_64.rpm
updates/x86_64/RPMS/libvorbis-devel-1.0-10.el3.x86_64.rpm
source:
updates/SRPMS/libvorbis-1.0-10.el3.src.rpm
You may update your CentOS-3 x86_64 installations by running the command:
yum update libvorbis\*
Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
CentOS Errata and Security Advisory CESA-2008:0270
libvorbis security update for CentOS 3 i386:
https://rhn.redhat.com/errata/RHSA-2008-0270.html
The following updated file has been uploaded and is currently syncing to
the mirrors:
i386:
updates/i386/RPMS/libvorbis-1.0-10.el3.i386.rpm
updates/i386/RPMS/libvorbis-devel-1.0-10.el3.i386.rpm
source:
updates/SRPMS/libvorbis-1.0-10.el3.src.rpm
You may update your CentOS-3 i386 installations by running the command:
yum update libvorbis\*
Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
CentOS Errata and Security Advisory 2008:0262
https://rhn.redhat.com/errata/RHSA-2008-0262.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
s390:
updates/s390/RPMS/gpdf-2.8.2-7.7.2.s390.rpm
s390x:
updates/s390x/RPMS/gpdf-2.8.2-7.7.2.s390x.rpm
--
Pasi Pirhonen - upi(a)iki.fi - http://pasi.pirhonen.eu/
Top-postings silently ignored
CentOS Errata and Security Advisory 2008:0224
https://rhn.redhat.com/errata/RHSA-2008-0224.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
s390:
updates/s390/RPMS/thunderbird-1.5.0.12-11.el4.centos.s390.rpm
s390x:
updates/s390x/RPMS/thunderbird-1.5.0.12-11.el4.centos.s390x.rpm
--
Pasi Pirhonen - upi(a)iki.fi - http://pasi.pirhonen.eu/
Top-postings silently ignored
CentOS Errata and Security Advisory 2008:0237
https://rhn.redhat.com/errata/RHSA-2008-0237.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
s390:
updates/s390/RPMS/kernel-2.6.9-67.0.15.EL.s390.rpm
updates/s390/RPMS/kernel-devel-2.6.9-67.0.15.EL.s390.rpm
s390x:
updates/s390x/RPMS/kernel-2.6.9-67.0.15.EL.s390x.rpm
updates/s390x/RPMS/kernel-devel-2.6.9-67.0.15.EL.s390x.rpm
--
Pasi Pirhonen - upi(a)iki.fi - http://pasi.pirhonen.eu/
Top-postings silently ignored
CentOS Errata and Security Advisory 2008:0211
https://rhn.redhat.com/errata/RHSA-2008-0211.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
s390:
updates/s390/RPMS/kernel-2.4.21-57.EL.s390.rpm
updates/s390/RPMS/kernel-doc-2.4.21-57.EL.s390.rpm
updates/s390/RPMS/kernel-source-2.4.21-57.EL.s390.rpm
updates/s390/RPMS/kernel-unsupported-2.4.21-57.EL.s390.rpm
s390x:
updates/s390x/RPMS/kernel-2.4.21-57.EL.s390x.rpm
updates/s390x/RPMS/kernel-doc-2.4.21-57.EL.s390x.rpm
updates/s390x/RPMS/kernel-source-2.4.21-57.EL.s390x.rpm
updates/s390x/RPMS/kernel-unsupported-2.4.21-57.EL.s390x.rpm
--
Pasi Pirhonen - upi(a)iki.fi - http://pasi.pirhonen.eu/
Top-postings silently ignored
CentOS Errata and Security Advisory 2008:0262
https://rhn.redhat.com/errata/RHSA-2008-0262.html
The following updated files have been uploaded and are currently
syncing to the mirrors:
ia64:
updates/ia64/RPMS/gpdf-2.8.2-7.7.2.ia64.rpm
--
Pasi Pirhonen - upi(a)iki.fi - http://pasi.pirhonen.eu/
Top-postings silently ignored