OpenSSL, MD5, CA security flaws, oh my

Stephen cryptworks at gmail.com
Fri Jan 9 08:08:45 MST 2009


My Ubuntu machines have been patching almost daily as these have been
rolling out...

which is nice, but I have been having to stay on top of them.

On Thu, Jan 8, 2009 at 5:37 PM, Lisa Kachold <lisakachold at obnosis.com> wrote:
> January 8   Microsoft Releases Advance Notification for January Security
> Bulletin
> January 8   Cisco Releases Security Advisory for Global Site Selector
> January 8   OpenSSL Releases Security Advisory
> December 31 Rogue MD5 SSL Certificate Vulnerability
> December 31 Worm Exploiting Vulnerability described in MS08-067
> December 31 Malware Spreading via Malicious Ecards
> December 31 Mozilla Releases Thunderbird 2.0.0.19
> December 23 Trend Micro Releases Updates for HouseCall
> December 23 Microsoft Releases Security Advisory (961040)
> December 17 Microsoft Releases Security Bulletin MS08-078
>
> The full dirty list for the week from CERT!
>
> I imagine most web providers, even those meeting PCI compliance and HIPAA
> standards, are way behind on OpenSSL and Apache updates?
>
> www.Obnosis.com |  http://wiki.obnosis.com | http://hackfest.obnosis.com
> (503)754-4452
> ________________________________
> January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security
> Forensics @ UAT 1/10/09 12-3PM
>
>
>> Date: Wed, 7 Jan 2009 16:19:17 -0700
>> From: PLUGd at LuftHans.com
>> To: PLUG-discuss at lists.PLUG.phoenix.az.us
>> Subject: OpenSSL, MD5, CA security flaws, oh my
>>
>> moin moin,
>>
>> Lisa has probably posted the second issue, but I'm a bit behind on the
>> list. The first one appears to be from today and I don't see anything from
>> her today.
>>
>> http://openssl.org/news/secadv_20090107.txt
>>
>> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
>> safe, except...
>>
>> http://www.win.tue.nl/hashclash/rogue-ca/
>>
>> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
>> accepted :(.
>>
>> I think the 'Outline of the attack' section indicates that the original CA
>> certificate is needed, so CAs moving away from MD5 can avoid the problem.
>>
>> ciao,
>>
>> der.hans
>> --
>> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
>> # Strangers are friends just waiting to happen!
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen
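Two quick checks that follow from the thread above, written as an added example for this archive page (not code posted by Stephen, Lisa or der.hans): flag any certificate in a PEM chain that is signed with MD5 (the rogue-CA attack only works against CAs that still issue MD5-signed certificates), and flag an OpenSSL build older than 0.9.8j, which the 2009-01-07 advisory names as the release carrying the signature-check fix. The version comparison is a plain string compare, which is adequate for OpenSSL's 0.9.8x letter-suffix scheme and for later numeric releases, but that is an assumption of this script, not something the advisory states. The `openssl crl2pkcs7 | openssl pkcs7 -print_certs -text` pipeline and the argument handling are likewise this example's own choices.

```shell
#!/bin/sh
# Added example: audit a PEM chain for MD5/MD2 signatures and check the
# local OpenSSL version against the 0.9.8j fix release.
# Usage: sh md5check.sh chain.pem [more.pem ...]
set -u

# True (exit 0) when an X.509 signature algorithm name, as printed by
# "openssl x509 -text", is one of the broken-hash variants.
is_weak_sig_alg() {
    case "$1" in
        md5WithRSAEncryption|md5WithRSA|md2WithRSAEncryption|md2WithRSA|md4*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# True (exit 0) when an OpenSSL version string sorts before 0.9.8j.
# Assumption: lexical order matches release order for 0.9.8 letter
# suffixes ("0.9.8h" < "0.9.8j") and for 1.x / 3.x numbers above them.
openssl_predates_fix() {
    [ "$(expr "$1" \< "0.9.8j")" -eq 1 ]
}

# Print one signature algorithm per certificate in a PEM file.
# "openssl x509 -text" prints "Signature Algorithm:" twice per cert
# (inside the TBS block and again before the signature value), so keep
# every odd occurrence.
cert_sig_algs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -text -noout \
        | awk '/Signature Algorithm:/ { if (++n % 2) print $3 }'
}

# Report MD5-signed certificates in a file; exit 1 if any were found.
scan_chain() {
    chain="$1"; bad=0; i=0
    for alg in $(cert_sig_algs "$chain"); do
        i=$((i + 1))
        if is_weak_sig_alg "$alg"; then
            echo "WEAK  $chain cert#$i $alg"
            bad=1
        else
            echo "ok    $chain cert#$i $alg"
        fi
    done
    return "$bad"
}

main() {
    rc=0
    ver="$(openssl version | awk '{print $2}')"
    if openssl_predates_fix "$ver"; then
        echo "WEAK  openssl $ver predates 0.9.8j (secadv_20090107)"
        rc=1
    else
        echo "ok    openssl $ver"
    fi
    for f in "$@"; do
        scan_chain "$f" || rc=1
    done
    return "$rc"
}

# Only run the scan when files were given; the functions above can be
# sourced on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it against a server's chain (`openssl s_client -showcerts -connect host:443 </dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem`) and a non-zero exit means either the chain or the local library needs attention.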
