Martin Pitt
May 3rd, 2005, 12:55 PM
================================================== =========
Ubuntu Security Notice USN-113-1 May 03, 2005
libnet-ssleay-perl vulnerability
CAN-2005-0106
================================================== =========
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libnet-ssleay-perl
The problem can be corrected by upgrading the affected package to version
1.25-1ubuntu0.2. In general, a standard system upgrade is sufficient to effect
the necessary changes.
Details follow:
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
The updated package requires the specification of an entropy source
with EGD_PATH and also requires that the source is a socket (as
opposed to a normal file).
Please note that this only affects systems which have egd installed
from third party sources; egd is not shipped with Ubuntu.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.dsc
Size/MD5: 668 90dfb26e445d7eeb68ee39c69148c649
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.diff.gz
Size/MD5: 5901 b148bdb144acea8eff268f766b6cb6c0
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25.orig.tar.gz
Size/MD5: 76627 d32f3fa38b1c49a2a98e75577d5dc10b
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_i386.deb
Size/MD5: 177492 2a5250e82cd4dac83a061d0e6de68423
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb
Size/MD5: 182298 d7d20090fb0b24a620f79e50d39ff0a4
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_amd64.deb
Size/MD5: 179592 931ccca9ba5fe8bd0a89152f7b6b6cef
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCd1+jDecnbV4Fd/IRAiTnAKDgI0tVIz6qq5BhF6keB4y53kvgJwCfSXO/
5yeBvz3FtoElT4t/cP7cWQI=
=tgrG
-----END PGP SIGNATURE-----
Ubuntu Security Notice USN-113-1 May 03, 2005
libnet-ssleay-perl vulnerability
CAN-2005-0106
================================================== =========
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libnet-ssleay-perl
The problem can be corrected by upgrading the affected package to version
1.25-1ubuntu0.2. In general, a standard system upgrade is sufficient to effect
the necessary changes.
Details follow:
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
The updated package requires the specification of an entropy source
with EGD_PATH and also requires that the source is a socket (as
opposed to a normal file).
Please note that this only affects systems which have egd installed
from third party sources; egd is not shipped with Ubuntu.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.dsc
Size/MD5: 668 90dfb26e445d7eeb68ee39c69148c649
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.diff.gz
Size/MD5: 5901 b148bdb144acea8eff268f766b6cb6c0
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25.orig.tar.gz
Size/MD5: 76627 d32f3fa38b1c49a2a98e75577d5dc10b
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_i386.deb
Size/MD5: 177492 2a5250e82cd4dac83a061d0e6de68423
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb
Size/MD5: 182298 d7d20090fb0b24a620f79e50d39ff0a4
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_amd64.deb
Size/MD5: 179592 931ccca9ba5fe8bd0a89152f7b6b6cef
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
http://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCd1+jDecnbV4Fd/IRAiTnAKDgI0tVIz6qq5BhF6keB4y53kvgJwCfSXO/
5yeBvz3FtoElT4t/cP7cWQI=
=tgrG
-----END PGP SIGNATURE-----