[SECURITY] [DSA 2309-1] openssl security update

Type securityvulns
Reporter Securityvulns
Modified 2011-09-16T00:00:00



Debian Security Advisory DSA-2309-1 security@debian.org http://www.debian.org/security/ Raphael Geissert September 13, 2011 http://www.debian.org/security/faq

Package : openssl Vulnerability : compromised certificate authority Problem type : remote Debian-specific: no CVE ID : CVE-2011-1945

Several fraudulent SSL certificates have been found in the wild issued by the DigiNotar Certificate Authority, obtained through a security compromise of said company. After further updates on this incident, it has been determined that all of DigiNotar's signing certificates can no longer be trusted. Debian, like other software distributors and vendors, has decided to distrust all of DigiNotar's CAs. In this update, this is done in the crypto library (a component of the OpenSSL toolkit) by marking such certificates as revoked. Any application that uses said component should now reject certificates signed by DigiNotar. Individual applications may allow users to overrride the validation failure. However, making exceptions is highly discouraged and should be carefully verified.

Additionally, a vulnerability has been found in the ECDHE_ECDS cipher where timing attacks make it easier to determine private keys. The Common Vulnerabilities and Exposures project identifies it as CVE-2011-1945.

For the oldstable distribution (lenny), these problems have been fixed in version 0.9.8g-15+lenny12.

For the stable distribution (squeeze), these problems have been fixed in version 0.9.8o-4squeeze2.

For the testing distribution (wheezy), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 1.0.0e-1.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5v4GEACgkQYy49rUbZzlpiVgCgn601VsUS5b/sYtPdMSMuIXUN l14AoIxRvh296WlbZkywtbxYJ43820yz =Tcyw -----END PGP SIGNATURE-----