USN-113-1: libnet-ssleay-perl vulnerability

3 May 2005

libnet-ssleay-perl vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04

Software Description

Details

Javier Fernandez-Sanguino Pena discovered that this library used the file /tmp/entropy as a fallback entropy source if a proper source was not set in the environment variable EGD_PATH. This can potentially lead to weakened cryptographic operations if an attacker provides a /tmp/entropy file with known content.

The updated package requires the specification of an entropy source with EGD_PATH and also requires that the source is a socket (as opposed to a normal file).

Please note that this only affects systems which have egd installed from third party sources; egd is not shipped with Ubuntu.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04
libnet-ssleay-perl

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References