full-disclosure-uk May 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [USN-612-6] OpenVPN regres

[Full-disclosure] [USN-612-6] OpenVPN regression

From: Jamie Strandboge <jamie_at_nospam>
Date: Wed May 14 2008 - 20:20:25 GMT
To: ubuntu-security-announce@lists.ubuntu.com



Ubuntu Security Notice USN-612-6 May 14, 2008 openvpn regression https://launchpad.net/bugs/230193 https://launchpad.net/bugs/230208 http://www.ubuntu.com/usn/usn-612-3 ===========================================================

A security issue affects the following Ubuntu releases: Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.04: openssl-blacklist 0.1-0ubuntu0.7.04.2 openvpn 2.0.9-5ubuntu0.2 Ubuntu 7.10: openssl-blacklist 0.1-0ubuntu0.7.10.2 openvpn 2.0.9-8ubuntu0.2 Ubuntu 8.04 LTS: openssl-blacklist 0.1-0ubuntu0.8.04.2 openvpn 2.1~rc7-1ubuntu3.2

After a standard system upgrade you need to restart openvpn to effect the necessary changes.

Details follow:

USN-612-3 addressed a weakness in OpenSSL certificate and keys generation in OpenVPN by adding checks for vulnerable certificates and keys to OpenVPN. A regression was introduced in OpenVPN when using TLS and multi-client/server which caused OpenVPN to not start when using valid SSL certificates.

It was also found that openssl-vulnkey from openssl-blacklist would fail when stderr was not available. This caused OpenVPN to fail to start when used with applications such as NetworkManager.

This update fixes these problems. We apologize for the inconvenience.

Original advisory details:

 A weakness has been discovered in the random number generator used  by OpenSSL on Debian and Ubuntu systems. As a result of this  weakness, certain encryption keys are much more common than they  should be, such that an attacker could guess the key through a  brute-force attack given minimal knowledge of the system. This  particularly affects the use of encryption keys in OpenSSH, OpenVPN  and SSL certificates.

Updated packages for Ubuntu 7.04:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2.dsc Size/MD5: 548 6fbd0fe22ee9e03f7953beab58f769c2 http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2.tar.gz Size/MD5: 7778456 eee4434860560905a3af66468100a348 http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2.diff.gz Size/MD5: 61701 d39b369ff928f451c70bf0779e75f405 http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2.dsc Size/MD5: 641 262ef73ef3557dc4959889b46848138e http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz Size/MD5: 669076 60745008b90b7dbe25fe8337c550fec6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.04.2_all.deb       Size/MD5: 3535226 ad5b8c02f9edf0c7701867fcace63d99

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_amd64.deb       Size/MD5: 356590 f64d86a6b713cd8326a905e857c3d828

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_i386.deb       Size/MD5: 337570 f6898a1af5591c8f8ca93bf3241c7553

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_powerpc.deb       Size/MD5: 358182 501e0707d6190c33fb0570f5ca1b3541

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-5ubuntu0.2_sparc.deb       Size/MD5: 336370 d18a832bf8564796069c8e66e8c6fb5a

Updated packages for Ubuntu 7.10:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2.dsc Size/MD5: 548 8abff8f249ed0e1a0e944716a7bc917b http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2.tar.gz Size/MD5: 7778457 79b3c02e1d9c759172e8bd696a3d392c http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2.diff.gz Size/MD5: 65145 40ac90ce5aca10e2be6410eef3bc7d45 http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2.dsc Size/MD5: 642 350b124caa02ab5015a7faae3d5d11d6 http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9.orig.tar.gz Size/MD5: 669076 60745008b90b7dbe25fe8337c550fec6

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.7.10.2_all.deb       Size/MD5: 3535452 16cee119a4c57d8d6644e638273c831d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_amd64.deb       Size/MD5: 362166 087beb48ed1ec72f4aac38d425e404af

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_i386.deb       Size/MD5: 341986 c2d7d6f13b7b8f94c4687d7dcd0e5940

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_lpia.deb       Size/MD5: 343546 bc15cd4c335ef8a007f85cff8e1e308f

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_powerpc.deb       Size/MD5: 363492 75ca3479943634cff266abdb10d9635d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/universe/o/openvpn/openvpn_2.0.9-8ubuntu0.2_sparc.deb       Size/MD5: 341774 ae2df701be65b3cf2cbae44ae3f47fbc

Updated packages for Ubuntu 8.04 LTS:

  Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2.dsc Size/MD5: 548 a4ba4a5fefb358127a9887ead15899fb http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2.tar.gz Size/MD5: 7778452 ed6ed6c9d44d498da27c467112da51dc http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2.diff.gz Size/MD5: 36383 df12dec18746624b44785c17444ac461 http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2.dsc Size/MD5: 646 1e4f69e842af1e8dfedba7df39e500ef http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7.orig.tar.gz Size/MD5: 786288 dac8b5104b5eb105ba82b2525d371d58

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openssl-blacklist/openssl-blacklist_0.1-0ubuntu0.8.04.2_all.deb       Size/MD5: 3534948 258d2779ea1fb5fe8dd67eb9f920ed06

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_amd64.deb       Size/MD5: 391056 7756bf70867fc0a28f448b94af4bcdf3

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_i386.deb       Size/MD5: 372454 f9c5766c86e6f20dab634ccf48a890a0

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_lpia.deb       Size/MD5: 371466 14e8bc2c2adc623e65b2e862b4d56ab2

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_powerpc.deb       Size/MD5: 391702 92b67d4672dd43d46ee52da557289760

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openvpn/openvpn_2.1~rc7-1ubuntu3.2_sparc.deb       Size/MD5: 369260 ae821d7f2f582c459e1796d7fa587da1



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/