|
|
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] openssl (SSA:2017-306-02)
Date: Thu, 2 Nov 2017 23:24:38 -0700 (PDT) |
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] openssl (SSA:2017-306-02)
New openssl packages are available for Slackware 14.2 and -current to
fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.2m-i586-1_slack14.2.txz: Upgraded.
This update fixes a security issue:
There is a carry propagating bug in the x64 Montgomery squaring procedure.
No EC algorithms are affected. Analysis suggests that attacks against RSA
and DSA as a result of this defect would be very difficult to perform and
are not believed likely. Attacks against DH are considered just feasible
(although very difficult) because most of the work necessary to deduce
information about a private key may be performed offline. The amount of
resources required for such an attack would be very significant and likely
only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.
For more information, see:
https://www.openssl.org/news/secadv/20171102.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
(* Security fix *)
patches/packages/openssl-solibs-1.0.2m-i586-1_slack14.2.txz: Upgraded.
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated packages for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2m-i586-1_slack14.2.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2m-i586-1_slack14.2.txz
Updated packages for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2m-x86_64-1_slack14.2.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz
Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.2l-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.2m-i586-1.txz
Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.2l-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.2m-x86_64-1.txz
MD5 signatures:
+-------------+
Slackware 14.2 packages:
53cf0ad803cc25e2a1743c423ecef363 openssl-1.0.2m-i586-1_slack14.2.txz
aec151a19c32844355f8a13089f82154 openssl-solibs-1.0.2m-i586-1_slack14.2.txz
Slackware x86_64 14.2 packages:
8beeb92a178b9b8e135c6b1018003c22 openssl-1.0.2m-x86_64-1_slack14.2.txz
b912777079f28301936a77790d00a7ae openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz
Slackware -current packages:
647adb0751e6cd6e988ca81cf595cc0e a/openssl-solibs-1.0.2l-i586-1.txz
c76711fb8f8ce77b5cdf6e5904dfd4a1 n/openssl-1.0.2m-i586-1.txz
Slackware x86_64 -current packages:
47323660a6504018ee6b4490c268060b a/openssl-solibs-1.0.2l-x86_64-1.txz
fa9ed59b81567d356bd59c953fbabc1e n/openssl-1.0.2m-x86_64-1.txz
Installation instructions:
+------------------------+
Upgrade the packages as root:
# upgradepkg openssl-1.0.2m-i586-1_slack14.2.txz openssl-solibs-1.0.2m-i586-1_slack14.2.txz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAln75HMACgkQakRjwEAQIjMexACfQ2MkqUoe2txkDBNKrEO5Et9X
BIQAnA8kCWt9nidv3B+xcAdTjdP5U1c2
=evZc
-----END PGP SIGNATURE-----
|
| |