Re: OpenSSL, MD5, CA security flaws, oh my

Author: Stephen
Date:  
To: Main PLUG discussion list
Subject: Re: OpenSSL, MD5, CA security flaws, oh my
My Ubuntu machines have been patching almost daily as these have been
rolling out...

which is nice, but I have been having to stay on top of them.

On Thu, Jan 8, 2009 at 5:37 PM, Lisa Kachold <> wrote:
> January 8 Microsoft Releases Advance Notification for January Security
> Bulletin
> January 8 Cisco Releases Security Advisory for Global Site Selector
> January 8 OpenSSL Releases Security Advisory
> December 31 Rogue MD5 SSL Certificate Vulnerability
> December 31 Worm Exploiting Vulnerability described in MS08-067
> December 31 Malware Spreading via Malicious Ecards
> December 31 Mozilla Releases Thunderbird 2.0.0.19
> December 23 Trend Micro Releases Updates for HouseCall
> December 23 Microsoft Releases Security Advisory (961040)
> December 17 Microsoft Releases Security Bulletin MS08-078
>
> The full dirty list for the week from CERT!
>
> I imagine most web providers, even those meeting PCI compliance and HIPAA
> standards are way behind on OpenSSL and Apache updates?
>
> www.Obnosis.com | http://wiki.obnosis.com | http://hackfest.obnosis.com
> (503)754-4452
> ________________________________
> January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security
> Forensics @ UAT 1/10/09 12-3PM
>
>
>> Date: Wed, 7 Jan 2009 16:19:17 -0700
>> From:
>> To:
>> Subject: OpenSSL, MD5, CA security flaws, oh my
>>
>> moin moin,
>>
>> Lisa has probably posted the second issue, but I'm a bit behind on the
>> list. The first one appears to be from today and I don't see anything from
>> her today.
>>
>> http://openssl.org/news/secadv_20090107.txt
>>
>> OK, so DSA and ECDSA certs in OpenSSL now are suspect, but RSA is still
>> safe, except...
>>
>> http://www.win.tue.nl/hashclash/rogue-ca/
>>
>> Hmm, it's possible to impersonate a CA and create RSA certs that'll be
>> accepted :(.
>>
>> I think the 'Outline of the attack' section indicates that the original CA
>> certificate is needed, so CAs moving away from MD5 can avoid the problem.
>>
>> ciao,
>>
>> der.hans
>> --
>> # http://www.LuftHans.com/ http://www.LuftHans.com/Classes/
>> # Strangers are friends just waiting to happen!
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen