Important: Openssl Security Update [CVE-2008-5077]

Linux, BSD and other UNIX-like operating systems include software from the OpenSSL Project. OpenSSL is a commercial-grade, full-featured open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a general-purpose cryptography library.

The Google Security Team discovered a flaw in the way OpenSSL checked the result of signature verification during the SSL/TLS handshake. An attacker in control of a malicious server, or able to mount a "man in the middle" attack, could present a malformed SSL/TLS signature to a vulnerable client and have it accepted, bypassing validation.

This update has been rated as having important security impact on FreeBSD, all versions of Ubuntu / Debian, Red Hat (RHEL), CentOS, Fedora and every other open source operating system that depends upon OpenSSL.

More about the security issue

EVP_VerifyFinal() is the OpenSSL function used to determine whether a digital signature is valid. It returns 1 if the signature verified, 0 if it did not verify, and -1 if an error occurred while checking it. Several places in OpenSSL's SSL/TLS code checked that return value incorrectly, treating only 0 as a failure, so a verification error (-1) was accepted as a good signature. A malformed DSA or ECDSA signature produces exactly that error, which is why the problem only affects DSA and ECDSA keys used with SSL/TLS. Upstream, OpenSSL 0.9.8i and earlier are affected and the fix is in OpenSSL 0.9.8j; Linux distributions usually backport the fix into their existing package version, so check your distribution's advisory for the patched package release rather than relying on the OpenSSL version string alone.

Any other application that uses the OpenSSL EVP API and checks the result of EVP_VerifyFinal() the same way (testing only for 0 instead of requiring a return value of exactly 1) has the same bug and should be audited and fixed.
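The return-value contract described above, as an added example written for this page (it is not OpenSSL's source code). toy_verify_final() is an assumed stand-in for the library call: it decodes the DER SEQUENCE of two INTEGERs that carries a DSA/ECDSA signature and compares the decoded (r, s) with an expected pair instead of doing any public-key maths, so that it reproduces the three outcomes (1, 0, -1) of the real function. accept_vulnerable() and accept_fixed() show the pre-0.9.8j check beside the corrected one; the signature bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return-value contract of EVP_VerifyFinal(), written out as constants:
 * 1 = signature verified, 0 = signature did not verify, -1 = error while
 * checking (for DSA/ECDSA keys this includes a signature that does not
 * DER-decode). */
#define VERIFY_OK     1
#define VERIFY_BAD    0
#define VERIFY_ERROR  (-1)

/* Read one short-form DER INTEGER at buf[*pos]; on success advance *pos
 * and return 0 with (start, len) pointing at the integer body. */
static int der_read_int(const uint8_t *buf, size_t n, size_t *pos,
                        const uint8_t **start, size_t *len)
{
    if (*pos + 2 > n || buf[*pos] != 0x02) return -1;   /* INTEGER tag */
    size_t l = buf[*pos + 1];
    if (l == 0 || l > 127 || *pos + 2 + l > n) return -1;
    *start = buf + *pos + 2;
    *len = l;
    *pos += 2 + l;
    return 0;
}

/* Assumed stand-in for the library's DSA/ECDSA verify, NOT OpenSSL code:
 * the "key" is modelled as the expected (r, s) pair, so after decoding
 * DSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } the check is a
 * constant-time comparison.  What matters is that it yields the same
 * three outcomes as the real call. */
int toy_verify_final(const uint8_t *sig, size_t siglen,
                     const uint8_t *exp_r, size_t rlen,
                     const uint8_t *exp_s, size_t slen)
{
    const uint8_t *r, *s;
    size_t rl, sl, pos;

    if (siglen < 2 || sig[0] != 0x30 || sig[1] > 127 ||
        (size_t)sig[1] + 2 != siglen)
        return VERIFY_ERROR;                       /* SEQUENCE header bad */
    pos = 2;
    if (der_read_int(sig, siglen, &pos, &r, &rl) != 0) return VERIFY_ERROR;
    if (der_read_int(sig, siglen, &pos, &s, &sl) != 0) return VERIFY_ERROR;
    if (pos != siglen) return VERIFY_ERROR;        /* trailing bytes */

    if (rl != rlen || sl != slen) return VERIFY_BAD;
    unsigned diff = 0;
    for (size_t i = 0; i < rl; i++) diff |= r[i] ^ exp_r[i];
    for (size_t i = 0; i < sl; i++) diff |= s[i] ^ exp_s[i];
    return diff == 0 ? VERIFY_OK : VERIFY_BAD;
}

/* The pre-0.9.8j pattern, if (!EVP_VerifyFinal(...)) goto bad_signature:
 * only a return of 0 is rejected, so the -1 error case is accepted. */
int accept_vulnerable(int verify_result)
{
    if (!verify_result) return 0;
    return 1;
}

/* The corrected pattern, if (EVP_VerifyFinal(...) <= 0) goto bad_signature:
 * only a return of exactly 1 is accepted. */
int accept_fixed(int verify_result)
{
    if (verify_result <= 0) return 0;
    return 1;
}

/* Run both checks over three constructed signatures (matching, non-matching,
 * malformed) and return 1 when the vulnerable check accepts the malformed
 * one while the fixed check rejects it, i.e. the CVE-2008-5077 behaviour. */
int demonstrate(void)
{
    static const uint8_t r[] = {0x11, 0x22, 0x33};
    static const uint8_t s[] = {0x44, 0x55, 0x66};
    static const uint8_t good[] = {0x30, 0x0a, 0x02, 0x03, 0x11, 0x22, 0x33,
                                   0x02, 0x03, 0x44, 0x55, 0x66};
    static const uint8_t wrong[] = {0x30, 0x0a, 0x02, 0x03, 0x11, 0x22, 0x33,
                                    0x02, 0x03, 0x44, 0x55, 0x67};
    /* SEQUENCE length claims 127 bytes but only 5 follow: a decode error */
    static const uint8_t malformed[] = {0x30, 0x7f, 0x02, 0x03, 0x11, 0x22, 0x33};

    int rg = toy_verify_final(good, sizeof good, r, 3, s, 3);
    int rw = toy_verify_final(wrong, sizeof wrong, r, 3, s, 3);
    int rm = toy_verify_final(malformed, sizeof malformed, r, 3, s, 3);

    printf("good:      verify=%2d vulnerable=%d fixed=%d\n", rg, accept_vulnerable(rg), accept_fixed(rg));
    printf("wrong:     verify=%2d vulnerable=%d fixed=%d\n", rw, accept_vulnerable(rw), accept_fixed(rw));
    printf("malformed: verify=%2d vulnerable=%d fixed=%d\n", rm, accept_vulnerable(rm), accept_fixed(rm));

    return rg == VERIFY_OK && rw == VERIFY_BAD && rm == VERIFY_ERROR &&
           accept_vulnerable(rm) == 1 && accept_fixed(rm) == 0 &&
           accept_vulnerable(rg) == 1 && accept_fixed(rg) == 1 &&
           accept_vulnerable(rw) == 0 && accept_fixed(rw) == 0;
}

int main(void)
{
    return demonstrate() ? 0 : 1;
}
```

The malformed signature never reaches the comparison at all; it fails DER decoding and the verify routine reports -1, which the `!ret` test does not catch. When auditing your own EVP_VerifyFinal() callers, search for `== 0` and `!` tests on its result and replace them with a `<= 0` (or `!= 1`) test.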

How do I fix this security issue?

If you are using CentOS / RHEL / Fedora Linux, enter:
# yum update
If you are using Debian / Ubuntu Linux, enter:
# apt-get update && apt-get upgrade
After the packages are installed, restart every service that links against the OpenSSL libraries (or reboot) so that the patched library is actually loaded. Distributions backport the fix into their existing package version, so confirm that the installed package release is the one named in your distribution's advisory for CVE-2008-5077 rather than relying on the OpenSSL version string.

If you are using FreeBSD 32 bit (i386), fetch the patch for your release, verify its detached PGP signature (the .asc file) with your PGP utility, and then apply it and rebuild libssl and the openssl binary:

[FreeBSD 7.x]
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc
# cd /usr/src
# patch < /tmp/openssl.patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

[FreeBSD 6.x]
# cd /tmp
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc
# cd /usr/src
# patch < /tmp/openssl6.patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

Afterwards restart all daemons that use the library, or reboot the system.

On the FreeBSD 64 bit (amd64) platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in the FreeBSD Handbook chapter on rebuilding the system from source ("making world").

2 comments
  • 🐧 nixCraft Jan 9, 2009 @ 20:53

    0.8.9b (RHEL/CentOS) or 0.8.9h and below are affected. Next time I will add the affected version number too.

    Thanks for your comment.

  • Trey Blancher Jan 9, 2009 @ 19:33

    This article doesn’t specify affected and fixed versions, so I can’t verify if I’ve gotten the update or not. Not a very good article in my opinion.
