OpenSSL, MD5, CA security flaws, oh my

Lisa Kachold lisakachold at obnosis.com
Thu Jan 8 17:37:50 MST 2009


January 8: Microsoft Releases Advance Notification for January Security Bulletin
January 8: Cisco Releases Security Advisory for Global Site Selector
January 8: OpenSSL Releases Security Advisory
December 31: Rogue MD5 SSL Certificate Vulnerability
December 31: Worm Exploiting Vulnerability described in MS08-067
December 31: Malware Spreading via Malicious Ecards
December 31: Mozilla Releases Thunderbird 2.0.0.19
December 23: Trend Micro Releases Updates for HouseCall
December 23: Microsoft Releases Security Advisory (961040)
December 17: Microsoft Releases Security Bulletin MS08-078

The full dirty list for the week from CERT!

I imagine most web providers, even those meeting PCI compliance and HIPAA standards, are way behind on OpenSSL and Apache updates?

www.Obnosis.com |  http://wiki.obnosis.com | http://hackfest.obnosis.com (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM


> Date: Wed, 7 Jan 2009 16:19:17 -0700
> From: PLUGd at LuftHans.com
> To: PLUG-discuss at lists.PLUG.phoenix.az.us
> Subject: OpenSSL, MD5, CA security flaws, oh my
> 
> moin moin,
> 
> Lisa has probably posted the second issue, but I'm a bit behind on the
> list. The first one appears to be from today and I don't see anything from
> her today.
> 
> http://openssl.org/news/secadv_20090107.txt
> 
> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
> safe, except...
> 
> http://www.win.tue.nl/hashclash/rogue-ca/
> 
> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
> accepted :(.
> 
> I think the 'Outline of the attack' section indicates that the original CA
> certificate is needed, so CAs moving away from MD5 can avoid the problem.
> 
> ciao,
> 
> der.hans
> -- 
> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
> #  Strangers are friends just waiting to happen!
