Slackware Security Advisories
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] openssl (SSA:2017-306-02)
Date: Thu, 2 Nov 2017 23:24:38 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  openssl (SSA:2017-306-02)

New openssl packages are available for Slackware 14.2 and -current to
fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openssl-1.0.2m-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue:
  There is a carry propagating bug in the x64 Montgomery squaring procedure.
  No EC algorithms are affected. Analysis suggests that attacks against RSA
  and DSA as a result of this defect would be very difficult to perform and
  are not believed likely. Attacks against DH are considered just feasible
  (although very difficult) because most of the work necessary to deduce
  information about a private key may be performed offline. The amount of
  resources required for such an attack would be very significant and likely
  only accessible to a limited number of attackers. An attacker would
  additionally need online access to an unpatched system using the target
  private key in a scenario with persistent DH parameters and a private
  key that is shared between multiple clients.
  This only affects processors that support the BMI1, BMI2 and ADX extensions
  like Intel Broadwell (5th generation) and later or AMD Ryzen.
  For more information, see:
    https://www.openssl.org/news/secadv/20171102.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3736
  (* Security fix *)
patches/packages/openssl-solibs-1.0.2m-i586-1_slack14.2.txz:  Upgraded.
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2m-i586-1_slack14.2.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2m-i586-1_slack14.2.txz

Updated packages for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2m-x86_64-1_slack14.2.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz

Updated packages for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.2l-i586-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.2m-i586-1.txz

Updated packages for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.2l-x86_64-1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.2m-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.2 packages:
53cf0ad803cc25e2a1743c423ecef363  openssl-1.0.2m-i586-1_slack14.2.txz
aec151a19c32844355f8a13089f82154  openssl-solibs-1.0.2m-i586-1_slack14.2.txz

Slackware x86_64 14.2 packages:
8beeb92a178b9b8e135c6b1018003c22  openssl-1.0.2m-x86_64-1_slack14.2.txz
b912777079f28301936a77790d00a7ae  openssl-solibs-1.0.2m-x86_64-1_slack14.2.txz

Slackware -current packages:
647adb0751e6cd6e988ca81cf595cc0e  a/openssl-solibs-1.0.2l-i586-1.txz
c76711fb8f8ce77b5cdf6e5904dfd4a1  n/openssl-1.0.2m-i586-1.txz

Slackware x86_64 -current packages:
47323660a6504018ee6b4490c268060b  a/openssl-solibs-1.0.2l-x86_64-1.txz
fa9ed59b81567d356bd59c953fbabc1e  n/openssl-1.0.2m-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg openssl-1.0.2m-i586-1_slack14.2.txz openssl-solibs-1.0.2m-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAln75HMACgkQakRjwEAQIjMexACfQ2MkqUoe2txkDBNKrEO5Et9X
BIQAnA8kCWt9nidv3B+xcAdTjdP5U1c2
=evZc
-----END PGP SIGNATURE-----

Slackware® is a registered trademark of Slackware Linux, Inc. All logos and graphics are copyrighted.