[CentOS] CentOS-announce Digest, Vol 39, Issue 7

Fri May 16 12:00:13 UTC 2008
centos-announce-request at centos.org <centos-announce-request at centos.org>

Send CentOS-announce mailing list submissions to
	centos-announce at centos.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
	centos-announce-request at centos.org

You can reach the person managing the list at
	centos-announce-owner at centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CESA-2008:0270 Important CentOS 4 x86_64	libvorbis Update
      (Johnny Hughes)
   2. CESA-2008:0270 Important CentOS 4 i386 libvorbis	Update
      (Johnny Hughes)
   3. Impact of the Debian OpenSSL vulnerability (Daniel de Kok)
   4. CESA-2008:0194 Important CentOS 5 x86_64 xen	Update
      (Karanbir Singh)
   5. CESA-2008:0194 Important CentOS 5 i386 xen Update (Karanbir Singh)
   6. CESA-2008:0271-01: Important CentOS 2 i386	libvorbis security
      update (John Newbigin)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 May 2008 09:10:59 -0500
From: Johnny Hughes <johnny at centos.org>
Subject: [CentOS-announce] CESA-2008:0270 Important CentOS 4 x86_64
	libvorbis Update
To: CentOS-Announce <centos-announce at centos.org>
Message-ID: <482C4473.4080808 at centos.org>
Content-Type: text/plain; charset="iso-8859-1"

CentOS Errata and Security Advisory 2008:0270 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0270.html

The following updated files have been uploaded and are currently
syncing to the mirrors:

x86_64:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-1.1.0-3.el4_6.1.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm

src:
libvorbis-1.1.0-3.el4_6.1.src.rpm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.centos.org/pipermail/centos-announce/attachments/20080515/0eaba780/signature-0001.bin

------------------------------

Message: 2
Date: Thu, 15 May 2008 09:11:13 -0500
From: Johnny Hughes <johnny at centos.org>
Subject: [CentOS-announce] CESA-2008:0270 Important CentOS 4 i386
	libvorbis	Update
To: CentOS-Announce <centos-announce at centos.org>
Message-ID: <482C4481.8010103 at centos.org>
Content-Type: text/plain; charset="iso-8859-1"

CentOS Errata and Security Advisory 2008:0270 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0270.html

The following updated files have been uploaded and are currently
syncing to the mirrors:

i386:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm

src:
libvorbis-1.1.0-3.el4_6.1.src.rpm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.centos.org/pipermail/centos-announce/attachments/20080515/b7abcdb5/signature-0001.bin

------------------------------

Message: 3
Date: Thu, 15 May 2008 20:08:39 +0200
From: "Daniel de Kok" <daniel at centos.org>
Subject: [CentOS-announce] Impact of the Debian OpenSSL vulnerability
To: centos-announce at centos.org
Message-ID:
	<30f19d040805151108k1d2c62b0r2ecdccce3d425ab2 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package, starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.

The bug barred the OpenSSL random number generator from gaining enough
entropy required for generating unpredicatable keys. In fact it
appearss that the only source for entropy was the process ID of the
process generating a key, which is chosen from a very small range and
is predictable. As such, all keys generated using the Debian OpenSSL
library should be considered compromized. Programs that use OpenSSL
include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not use
OpenSSL, so they are not affected.

This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For
instance, if a user uses OpenSSH public key authentication to log on
to a CentOS server, and this user generated the key pair with a
vulnerable OpenSSL library, the server is at heavy risk because the
key can be reproduced easily.

Additionally, all (good) DSA keys that were ever used on a vulnerable
Debian machine for signing or authentication should also be considered
compromized due to a known attack on DSA keys.

As a result of this bug, everyone should audit *every* key or
cerficicate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. Or in the case of DSA keys care should be taken that they
were not generated or used on a system with a vulnerable OpenSSL
package. Keys that are potentially compromised should be replaced with
strong keys.

The Debian Wiki[2] has a preliminary list of affected application. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives.

The Metasploit project provides a full list of weak keys in various
configurations[3].

Questions on how this may affect CentOS users should be directed to
the CentOS users list. List subscription information is available
from:

http://lists.centos.org/mailman/listinfo/centos

With kind regards,
The CentOS Team

[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/


------------------------------

Message: 4
Date: Fri, 16 May 2008 02:20:09 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0194 Important CentOS 5 x86_64
	xen	Update
To: centos-announce at centos.org
Message-ID: <20080516012009.GA1449 at base.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2008:0194 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0194.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

x86_64:
c7f5f0b8fc0ded6a071c537ab490edff  xen-3.0.3-41.el5_1.5.x86_64.rpm
af6fb05cfebd799f9071cc3e83f561c1  xen-devel-3.0.3-41.el5_1.5.i386.rpm
3b697c6fdc46dbd2e939da6a334c9220  xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
bc77d399eb72833ed5ca4dcfffe599e0  xen-libs-3.0.3-41.el5_1.5.i386.rpm
9662e7449f8a764cc022f6110a8def5a  xen-libs-3.0.3-41.el5_1.5.x86_64.rpm

Source:
32a42dbc51a00c12719ae6c5405439b1  xen-3.0.3-41.el5_1.5.src.rpm


-- 
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net



------------------------------

Message: 5
Date: Fri, 16 May 2008 02:20:08 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0194 Important CentOS 5 i386 xen
	Update
To: centos-announce at centos.org
Message-ID: <20080516012008.GA1435 at base.karan.org>
Content-Type: text/plain; charset=us-ascii


CentOS Errata and Security Advisory 2008:0194 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0194.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( md5sum Filename ) 

i386:
895491c081517cb49e65fdcc73b11291  xen-3.0.3-41.el5_1.5.i386.rpm
fca59354c0adf82110f6b647681aea80  xen-devel-3.0.3-41.el5_1.5.i386.rpm
574f651c259c429ceddc4b8ef2d8eb95  xen-libs-3.0.3-41.el5_1.5.i386.rpm

Source:
32a42dbc51a00c12719ae6c5405439b1  xen-3.0.3-41.el5_1.5.src.rpm


-- 
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net



------------------------------

Message: 6
Date: Fri, 16 May 2008 13:59:20 +1000
From: John Newbigin <jnewbigin at ict.swin.edu.au>
Subject: [CentOS-announce] CESA-2008:0271-01: Important CentOS 2 i386
	libvorbis security update
To: centos-announce at centos.org
Message-ID: <482D0698.9010402 at ict.swin.edu.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The following errata for CentOS-2 have been built and uploaded to the
centos mirror:

RHSA-2008:0271-01 Important: libvorbis security update

Files available:
libvorbis-1.0rc2-9.el2.i386.rpm
libvorbis-devel-1.0rc2-9.el2.i386.rpm

More details are available from the RedHat web site at
https://rhn.redhat.com/errata/rh21as-errata.html

The easy way to make sure you are up to date with all the latest patches
is to run:
# yum update

-- 
John Newbigin
ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin










------------------------------

_______________________________________________
CentOS-announce mailing list
CentOS-announce at centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 39, Issue 7
**********************************************