[38734] in bugtraq
[USN-113-1] libnet-ssleay-perl vulnerability
daemon@ATHENA.MIT.EDU (Martin Pitt)
Thu May 5 16:33:04 2005
Date: Tue, 3 May 2005 13:25:24 +0200
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20050503112523.GA2929@box79162.elkhouse.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-113-1 May 03, 2005
libnet-ssleay-perl vulnerability
CAN-2005-0106
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
A security issue affects the following Ubuntu releases:
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libnet-ssleay-perl
The problem can be corrected by upgrading the affected package to version
1.25-1ubuntu0.2. In general, a standard system upgrade is sufficient to ef=
fect
the necessary changes.
Details follow:
Javier Fernandez-Sanguino Pena discovered that this library used the
file /tmp/entropy as a fallback entropy source if a proper source was
not set in the environment variable EGD_PATH. This can potentially
lead to weakened cryptographic operations if an attacker provides a
/tmp/entropy file with known content.
The updated package requires the specification of an entropy source
with EGD_PATH and also requires that the source is a socket (as
opposed to a normal file).
Please note that this only affects systems which have egd installed
=66rom third party sources; egd is not shipped with Ubuntu.
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25-1ubuntu0.2.dsc
Size/MD5: 668 90dfb26e445d7eeb68ee39c69148c649
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25-1ubuntu0.2.diff.gz
Size/MD5: 5901 b148bdb144acea8eff268f766b6cb6c0
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25.orig.tar.gz
Size/MD5: 76627 d32f3fa38b1c49a2a98e75577d5dc10b
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25-1ubuntu0.2_i386.deb
Size/MD5: 177492 2a5250e82cd4dac83a061d0e6de68423
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25-1ubuntu0.2_powerpc.deb
Size/MD5: 182298 d7d20090fb0b24a620f79e50d39ff0a4
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/libn/libnet-ssleay-perl/lib=
net-ssleay-perl_1.25-1ubuntu0.2_amd64.deb
Size/MD5: 179592 931ccca9ba5fe8bd0a89152f7b6b6cef
--PNTmBPCT7hxwcZjr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCd1+jDecnbV4Fd/IRAiTnAKDgI0tVIz6qq5BhF6keB4y53kvgJwCfSXO/
5yeBvz3FtoElT4t/cP7cWQI=
=tgrG
-----END PGP SIGNATURE-----
--PNTmBPCT7hxwcZjr--
