From martin.pitt@canonical.com Tue May 3 07:33:46 2005 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com Date: Tue, 3 May 2005 13:25:24 +0200 Subject: [Full-disclosure] [USN-113-1] libnet-ssleay-perl vulnerability =========================================================== Ubuntu Security Notice USN-113-1 May 03, 2005 libnet-ssleay-perl vulnerability CAN-2005-0106 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: libnet-ssleay-perl The problem can be corrected by upgrading the affected package to version 1.25-1ubuntu0.2. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content. The updated package requires the specification of an entropy source with EGD_PATH and also requires that the source is a socket (as opposed to a normal file). Please note that this only affects systems which have egd installed from third party sources; egd is not shipped with Ubuntu. Source archives: http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.dsc Size/MD5: 668 90dfb26e445d7eeb68ee39c69148c649 http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2.diff.gz Size/MD5: 5901 b148bdb144acea8eff268f766b6cb6c0 http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25.orig.tar.gz Size/MD5: 76627 d32f3fa38b1c49a2a98e75577d5dc10b i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_i386.deb Size/MD5: 177492 2a5250e82cd4dac83a061d0e6de68423 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb Size/MD5: 182298 d7d20090fb0b24a620f79e50d39ff0a4 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/libnet-ssleay-perl_1.25-1ubuntu0.2_amd64.deb Size/MD5: 179592 931ccca9ba5fe8bd0a89152f7b6b6cef [ Part 1.2, "Digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ] [ Part 2: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/