Important: Openssl Security Update [CVE-2008-5077]

by on January 8, 2009 · 2 comments· LAST UPDATED January 8, 2009

in , ,

Linux / BSD and UNIX like operating systems includes software from the OpenSSL Project. The OpenSSL is commercial-grade, industry-strength, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general purpose cryptography library.

The Google security team discovered a flaw in the way OpenSSL checked the verification of certificates. An attacker in control of a malicious server, or able to effect a "man in the middle" attack, could present a malformed SSL/TLS signature from a certificate chain to a vulnerable client and bypass validation.

This update has been rated as having important security impact on FreeBSD, all version of Ubuntu / Debian, Red Hat (RHEL), CentOS, Fedora and other open source operating system that depends upon OpenSSL.

More about security issue

The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. The SSL layer in OpenSSL uses EVP_VerifyFinal(), which in several places checks the return value incorrectly and treats verification errors as a good signature. This is only a problem for DSA and ECDSA keys.

Other applications which use the OpenSSL EVP API may similarly be affected.

How do I fix this security issue?

If you are using CentOS / RHEL / Fedora Linux, enter:
# yum update
If you are using Debian / Ubuntu Linux , enter:
# apt-get update && apt-get upgrade
If you are using FreeBSD 32 bit, enter:
[FreeBSD 7.x]
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc
# cd /usr/src
# patch < /tmp/openssl.patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

[FreeBSD 6.x]
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc
# cd /usr/src
# patch < /tmp/openssl6.patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

On the FreeBSD 64 bit (amd64) platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in this guide.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 2 comments… read them below or add one }

1 Trey Blancher January 9, 2009 at 7:33 pm

This article doesn’t specify affected and fixed versions, so I can’t verify if I’ve gotten the update or not. Not a very good article in my opinion.

Reply

2 nixCraft January 9, 2009 at 8:53 pm

0.8.9b (RHEL/CentOS) or 0.8.9h and below are affected. Next, time I will add affected version number too.

Thanks for your comment.

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: