OpenSSL Hit by Forgery Bug
Daniel Cray writes to tell us ZDNet is reporting that OpenSSL versions up to 0.9.7j and 0.9.8b are vulnerable to a signature forgery technique. OpenSSL has already released an update fixing the problem. From the article: "The flaw only affects a particular type of signature — PKCS #1 v1.5 signatures — but these are used by some certificate authorities... The signature forgery technique was first demonstrated last month at the Crypto 2006 conference by Daniel Bleichenbacher, a cryptographer with Bell Labs, according to security firm Netcraft. OpenSSL credited Google Security with successfully forging various certificates and providing the fix."
This one is already fixed in Debian's openssl version 0.9.8b-3 in -testing (-unstable now has 0.9.8c-1), and 0.9.7e-3sarge2 in -stable-security.
This is one of the reasons I run Debian. Important things like this get fixed quickly and updating is painless, thanks to apt-get.
I expect that Ubuntu is similarly responsive. I know that it's just as easy to keep updated, since they use the same packaging and dependency-tracking mechanisms.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Get:1 http://ftp.debian.org/ unstable/main libssl0.9.7 0.9.7k-1 [2279kB]