LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: November 21st, 2014
Linux Security Week: November 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: OpenVPN regression Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS and multi-client/server which caused OpenVPN to not start when using valid SSL certificates.
=========================================================== 
Ubuntu Security Notice USN-612-6               May 14, 2008
openvpn regression
https://launchpad.net/bugs/230193
https://launchpad.net/bugs/230208
http://www.ubuntu.com/usn/usn-612-3
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  openssl-blacklist               0.1-0ubuntu0.7.04.2
  openvpn                         2.0.9-5ubuntu0.2

Ubuntu 7.10:
  openssl-blacklist               0.1-0ubuntu0.7.10.2
  openvpn                         2.0.9-8ubuntu0.2

Ubuntu 8.04 LTS:
  openssl-blacklist               0.1-0ubuntu0.8.04.2
  openvpn                         2.1~rc7-1ubuntu3.2

After a standard system upgrade you need to restart openvpn to effect
the necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and keys
generation in OpenVPN by adding checks for vulnerable certificates
and keys to OpenVPN. A regression was introduced in OpenVPN when
using TLS and multi-client/server which caused OpenVPN to not start 
when using valid SSL certificates.

It was also found that openssl-vulnkey from openssl-blacklist
would fail when stderr was not available. This caused OpenVPN to
fail to start when used with applications such as NetworkManager.

This update fixes these problems. We apologize for the
inconvenience.

Original advisory details:

 A weakness has been discovered in the random number generator used
 by OpenSSL on Debian and Ubuntu systems.  As a result of this
 weakness, certain encryption keys are much more common than they
 should be, such that an attacker could guess the key through a
 brute-force attack given minimal knowledge of the system.  This
 particularly affects the use of encryption keys in OpenSSH, OpenVPN
 and SSL certificates.


Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2.dsc
      Size/MD5:      548 6fbd0fe22ee9e03f7953beab58f769c2
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2.tar.gz
      Size/MD5:  7778456 eee4434860560905a3af66468100a348
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2.diff.gz
      Size/MD5:    61701 d39b369ff928f451c70bf0779e75f405
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2.dsc
      Size/MD5:      641 262ef73ef3557dc4959889b46848138e
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz
      Size/MD5:   669076 60745008b90b7dbe25fe8337c550fec6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2_all.deb
      Size/MD5:  3535226 ad5b8c02f9edf0c7701867fcace63d99

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_amd64.deb
      Size/MD5:   356590 f64d86a6b713cd8326a905e857c3d828

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_i386.deb
      Size/MD5:   337570 f6898a1af5591c8f8ca93bf3241c7553

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_powerpc.deb
      Size/MD5:   358182 501e0707d6190c33fb0570f5ca1b3541

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_sparc.deb
      Size/MD5:   336370 d18a832bf8564796069c8e66e8c6fb5a

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2.dsc
      Size/MD5:      548 8abff8f249ed0e1a0e944716a7bc917b
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2.tar.gz
      Size/MD5:  7778457 79b3c02e1d9c759172e8bd696a3d392c
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2.diff.gz
      Size/MD5:    65145 40ac90ce5aca10e2be6410eef3bc7d45
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2.dsc
      Size/MD5:      642 350b124caa02ab5015a7faae3d5d11d6
    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz
      Size/MD5:   669076 60745008b90b7dbe25fe8337c550fec6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2_all.deb
      Size/MD5:  3535452 16cee119a4c57d8d6644e638273c831d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_amd64.deb
      Size/MD5:   362166 087beb48ed1ec72f4aac38d425e404af

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_i386.deb
      Size/MD5:   341986 c2d7d6f13b7b8f94c4687d7dcd0e5940

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_lpia.deb
      Size/MD5:   343546 bc15cd4c335ef8a007f85cff8e1e308f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_powerpc.deb
      Size/MD5:   363492 75ca3479943634cff266abdb10d9635d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_sparc.deb
      Size/MD5:   341774 ae2df701be65b3cf2cbae44ae3f47fbc

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2.dsc
      Size/MD5:      548 a4ba4a5fefb358127a9887ead15899fb
    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz
      Size/MD5:  7778452 ed6ed6c9d44d498da27c467112da51dc
    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2.diff.gz
      Size/MD5:    36383 df12dec18746624b44785c17444ac461
    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2.dsc
      Size/MD5:      646 1e4f69e842af1e8dfedba7df39e500ef
    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7.orig.tar.gz
      Size/MD5:   786288 dac8b5104b5eb105ba82b2525d371d58

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb
      Size/MD5:  3534948 258d2779ea1fb5fe8dd67eb9f920ed06

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_amd64.deb
      Size/MD5:   391056 7756bf70867fc0a28f448b94af4bcdf3

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_i386.deb
      Size/MD5:   372454 f9c5766c86e6f20dab634ccf48a890a0

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_lpia.deb
      Size/MD5:   371466 14e8bc2c2adc623e65b2e862b4d56ab2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_powerpc.deb
      Size/MD5:   391702 92b67d4672dd43d46ee52da557289760

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_sparc.deb
      Size/MD5:   369260 ae821d7f2f582c459e1796d7fa587da1



--z4+8/lEcDcG5Ke9S
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIK0mJW0JvuRdL8BoRAjvzAKCBQZ1z90hZTXYar64nyV8Yo0ZXFgCgl05E
8eDK7ZTIrpYU3AyT+OGABWg=P1LD
-----END PGP SIGNATURE-----

--z4+8/lEcDcG5Ke9S--


--==============`71917332692974240=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--==============`71917332692974240==--
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
Google Releases Open Source Tool for Testing Web App Security Scanners
Most Targeted Attacks Exploit Privileged Accounts
NotCompable sets new standards for mobile botnet sophistication
Hands on with Caine Linux: Pentesting and UEFI compatible
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.