Send CentOS-announce mailing list submissions to
        centos-announce at centos.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.centos.org/mailman/listinfo/centos-announce
or, via email, send a message with subject or body 'help' to
        centos-announce-request at centos.org

You can reach the person managing the list at
        centos-announce-owner at centos.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of CentOS-announce digest..."


Today's Topics:

   1. CESA-2008:0270 Important CentOS 4 x86_64 libvorbis Update (Johnny Hughes)
   2. CESA-2008:0270 Important CentOS 4 i386 libvorbis Update (Johnny Hughes)
   3. Impact of the Debian OpenSSL vulnerability (Daniel de Kok)
   4. CESA-2008:0194 Important CentOS 5 x86_64 xen Update (Karanbir Singh)
   5. CESA-2008:0194 Important CentOS 5 i386 xen Update (Karanbir Singh)
   6. CESA-2008:0271-01: Important CentOS 2 i386 libvorbis security update (John Newbigin)


----------------------------------------------------------------------

Message: 1
Date: Thu, 15 May 2008 09:10:59 -0500
From: Johnny Hughes <johnny at centos.org>
Subject: [CentOS-announce] CESA-2008:0270 Important CentOS 4 x86_64 libvorbis Update
To: CentOS-Announce <centos-announce at centos.org>
Message-ID: <482C4473.4080808 at centos.org>
Content-Type: text/plain; charset="iso-8859-1"

CentOS Errata and Security Advisory 2008:0270 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0270.html

The following updated files have been uploaded and are currently
syncing to the mirrors:

x86_64:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-1.1.0-3.el4_6.1.x86_64.rpm
libvorbis-devel-1.1.0-3.el4_6.1.x86_64.rpm

src:
libvorbis-1.1.0-3.el4_6.1.src.rpm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.centos.org/pipermail/centos-announce/attachments/20080515/0eaba780/signature-0001.bin

------------------------------

Message: 2
Date: Thu, 15 May 2008 09:11:13 -0500
From: Johnny Hughes <johnny at centos.org>
Subject: [CentOS-announce] CESA-2008:0270 Important CentOS 4 i386 libvorbis Update
To: CentOS-Announce <centos-announce at centos.org>
Message-ID: <482C4481.8010103 at centos.org>
Content-Type: text/plain; charset="iso-8859-1"

CentOS Errata and Security Advisory 2008:0270 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0270.html

The following updated files have been uploaded and are currently
syncing to the mirrors:

i386:
libvorbis-1.1.0-3.el4_6.1.i386.rpm
libvorbis-devel-1.1.0-3.el4_6.1.i386.rpm

src:
libvorbis-1.1.0-3.el4_6.1.src.rpm

------------------------------

Message: 3
Date: Thu, 15 May 2008 20:08:39 +0200
From: "Daniel de Kok" <daniel at centos.org>
Subject: [CentOS-announce] Impact of the Debian OpenSSL vulnerability
To: centos-announce at centos.org
Message-ID: <30f19d040805151108k1d2c62b0r2ecdccce3d425ab2 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

A severe vulnerability was found in the random number generator (RNG)
of the Debian OpenSSL package, starting with version 0.9.8c-1 (and
similar packages in derived distributions such as Ubuntu). While this
bug is not present in the OpenSSL packages provided by CentOS, it may
still affect CentOS users.

The bug barred the OpenSSL random number generator from gaining enough
entropy required for generating unpredictable keys. In fact it appears
that the only source for entropy was the process ID of the process
generating a key, which is chosen from a very small range and is
predictable. As such, all keys generated using the Debian OpenSSL
library should be considered compromised. Programs that use OpenSSL
include OpenSSH and OpenVPN. Note that GnuPG and GNU TLS do not use
OpenSSL, so they are not affected.

This vulnerability can affect CentOS machines through the use of keys
that were generated with the OpenSSL package from Debian. For instance,
if a user uses OpenSSH public key authentication to log on to a CentOS
server, and this user generated the key pair with a vulnerable OpenSSL
library, the server is at heavy risk because the key can be reproduced
easily. Additionally, all (good) DSA keys that were ever used on a
vulnerable Debian machine for signing or authentication should also be
considered compromised due to a known attack on DSA keys.

As a result of this bug, everyone should audit *every* key or
certificate that was generated with OpenSSL, to trace its origin and
make sure that it was not generated with a vulnerable Debian OpenSSL
package. Or, in the case of DSA keys, care should be taken that they
were not generated or used on a system with a vulnerable OpenSSL
package. Keys that are potentially compromised should be replaced with
strong keys.

The Debian Wiki[2] has a preliminary list of affected applications. A
tool to detect potentially weak keys is also provided, but it contains
an incomplete list of affected keys and can give false positives. The
Metasploit project provides a full list of weak keys in various
configurations[3].

Questions on how this may affect CentOS users should be directed to the
CentOS users list.
List subscription information is available from:
http://lists.centos.org/mailman/listinfo/centos

With kind regards,
The CentOS Team

[1] http://www.debian.org/security/2008/dsa-1571
[2] http://wiki.debian.org/SSLkeys
[3] http://metasploit.com/users/hdm/tools/debian-openssl/

------------------------------

Message: 4
Date: Fri, 16 May 2008 02:20:09 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0194 Important CentOS 5 x86_64 xen Update
To: centos-announce at centos.org
Message-ID: <20080516012009.GA1449 at base.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2008:0194 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0194.html

The following updated files have been uploaded and are currently
syncing to the mirrors:  ( md5sum Filename )

x86_64:
c7f5f0b8fc0ded6a071c537ab490edff  xen-3.0.3-41.el5_1.5.x86_64.rpm
af6fb05cfebd799f9071cc3e83f561c1  xen-devel-3.0.3-41.el5_1.5.i386.rpm
3b697c6fdc46dbd2e939da6a334c9220  xen-devel-3.0.3-41.el5_1.5.x86_64.rpm
bc77d399eb72833ed5ca4dcfffe599e0  xen-libs-3.0.3-41.el5_1.5.i386.rpm
9662e7449f8a764cc022f6110a8def5a  xen-libs-3.0.3-41.el5_1.5.x86_64.rpm

Source:
32a42dbc51a00c12719ae6c5405439b1  xen-3.0.3-41.el5_1.5.src.rpm

--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net

------------------------------

Message: 5
Date: Fri, 16 May 2008 02:20:08 +0100
From: Karanbir Singh <kbsingh at centos.org>
Subject: [CentOS-announce] CESA-2008:0194 Important CentOS 5 i386 xen Update
To: centos-announce at centos.org
Message-ID: <20080516012008.GA1435 at base.karan.org>
Content-Type: text/plain; charset=us-ascii

CentOS Errata and Security Advisory 2008:0194 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2008-0194.html

The following updated files have been uploaded and are currently
syncing to the mirrors:  ( md5sum Filename )

i386:
895491c081517cb49e65fdcc73b11291  xen-3.0.3-41.el5_1.5.i386.rpm
fca59354c0adf82110f6b647681aea80  xen-devel-3.0.3-41.el5_1.5.i386.rpm
574f651c259c429ceddc4b8ef2d8eb95  xen-libs-3.0.3-41.el5_1.5.i386.rpm

Source:
32a42dbc51a00c12719ae6c5405439b1  xen-3.0.3-41.el5_1.5.src.rpm

--
Karanbir Singh
CentOS Project { http://www.centos.org/ }
irc: z00dax, #centos at irc.freenode.net

------------------------------

Message: 6
Date: Fri, 16 May 2008 13:59:20 +1000
From: John Newbigin <jnewbigin at ict.swin.edu.au>
Subject: [CentOS-announce] CESA-2008:0271-01: Important CentOS 2 i386 libvorbis security update
To: centos-announce at centos.org
Message-ID: <482D0698.9010402 at ict.swin.edu.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

The following errata for CentOS-2 have been built and uploaded to the
centos mirror:

RHSA-2008:0271-01 Important: libvorbis security update

Files available:
libvorbis-1.0rc2-9.el2.i386.rpm
libvorbis-devel-1.0rc2-9.el2.i386.rpm

More details are available from the RedHat web site at
https://rhn.redhat.com/errata/rh21as-errata.html

The easy way to make sure you are up to date with all the latest
patches is to run:

# yum update

--
John Newbigin
ITS Senior Analyst / Programmer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin

------------------------------

_______________________________________________
CentOS-announce mailing list
CentOS-announce at centos.org
http://lists.centos.org/mailman/listinfo/centos-announce


End of CentOS-announce Digest, Vol 39, Issue 7
**********************************************
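Editor's worked example for Message 3 above. This is added code, not
part of the digest and not code from CentOS, Debian or OpenSSL. It
simulates the failure mode Daniel de Kok describes (a key generator
whose only entropy input is the process ID, so every key it can emit
is enumerable) and the two things a CentOS admin would want from it:
recovering the private key from a public key by trying every PID, and
screening an authorized_keys file against a precomputed blacklist of
the fingerprints of all such keys, which is the approach of the
published weak-key lists. The key derivation, the PID_MAX value, the
SIM_LABEL domain separator, the sample keys and the authorized_keys
lines are all constructed for the example; the ssh-ed25519 blob is used
only as a convenient container for a 32-byte toy key, and the
fingerprint is the SHA256 form current OpenSSH prints.

```python
# Added example, not code from the announcement, CentOS, Debian or OpenSSL.
# Toy model of a PID-only-seeded key generator (Message 3) plus the audit
# it calls for: brute-force the PID to recover a private key, and screen
# an authorized_keys file against the blacklist of every possible weak key.
# All data below is constructed; PID_MAX and SIM_LABEL are assumptions.
import base64
import hashlib
import hmac
import struct

PID_MAX = 32768                           # assumed PID range for the toy
SIM_LABEL = b"pid-only-rng-simulation"    # hypothetical domain separator

def weak_private_key(pid: int) -> bytes:
    """Stand-in for an RNG whose only entropy input is the process ID."""
    return hmac.new(SIM_LABEL, struct.pack(">I", pid), hashlib.sha256).digest()

def public_from_private(priv: bytes) -> bytes:
    """Toy one-way private->public map (real keys use RSA/DSA math)."""
    return hashlib.sha256(b"pub|" + priv).digest()

def recover_private_key(pub: bytes, pid_max: int = PID_MAX):
    """Attacker side: try every PID; return (pid, private_key) or None."""
    for pid in range(1, pid_max + 1):
        cand = weak_private_key(pid)
        if public_from_private(cand) == pub:
            return pid, cand
    return None

def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ed25519_blob(pub32: bytes) -> bytes:
    """ssh-ed25519 public key blob: string(type) || string(32-byte key)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)

def ed25519_pub_from_blob(blob: bytes) -> bytes:
    """Inverse of ed25519_blob: skip the type string, return the key bytes."""
    tlen = struct.unpack(">I", blob[:4])[0]
    klen = struct.unpack(">I", blob[4 + tlen:8 + tlen])[0]
    return blob[8 + tlen:8 + tlen + klen]

def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_weak_blacklist(pid_max: int = PID_MAX) -> set:
    """Fingerprint of every key the weak generator can possibly emit."""
    return {sha256_fingerprint(ed25519_blob(public_from_private(weak_private_key(p))))
            for p in range(1, pid_max + 1)}

def parse_authorized_keys(text: str):
    """Yield (keytype, blob, comment) per key line; skips comment lines and
    any options before the key type (assumes options contain no spaces)."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
                yield tok, base64.b64decode(parts[i + 1]), " ".join(parts[i + 2:])
                break

def find_blacklisted(text: str, blacklist: set) -> list:
    """Return [(comment, fingerprint, blob)] for each blacklisted key."""
    hits = []
    for _ktype, blob, comment in parse_authorized_keys(text):
        fp = sha256_fingerprint(blob)
        if fp in blacklist:
            hits.append((comment, fp, blob))
    return hits

def authorized_keys_line(pub32: bytes, comment: str, options: str = "") -> str:
    b64 = base64.b64encode(ed25519_blob(pub32)).decode()
    return (options + " " if options else "") + f"ssh-ed25519 {b64} {comment}"

# Constructed sample: one key "made on the Debian box", one properly random stand-in.
WEAK_PUB = public_from_private(weak_private_key(4242))
GOOD_PUB = hashlib.sha256(b"constructed stand-in for a properly random key").digest()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    authorized_keys_line(GOOD_PUB, "alice@laptop"),
    authorized_keys_line(WEAK_PUB, "deploy@buildhost", 'from="10.0.0.0/8",no-pty'),
])

if __name__ == "__main__":
    blacklist = build_weak_blacklist()
    for comment, fp, blob in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, blacklist):
        pid, _priv = recover_private_key(ed25519_pub_from_blob(blob))
        print(f"WEAK  {comment}  {fp}  (private key recoverable; generated under PID {pid})")
```

The point of the blacklist half is the one the message makes about the
Metasploit list: because the generator's whole input space is the PID
range, the defender can precompute every key it can ever produce and
match on fingerprints without needing the private key. The point of
recover_private_key is why "the key can be reproduced easily": a few
tens of thousands of hash evaluations, not a cryptographic break.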