Debian Security Advisory

DSA-1701-1 openssl, openssl097 -- interpretation conflict

Date Reported:
12 Jan 2009
Affected Packages:
openssl, openssl097
Security database references:
In the Debian bugtracking system: Bug 511196.
In Mitre's CVE dictionary: CVE-2008-5077.
More information:

It was discovered that OpenSSL does not properly verify DSA signatures on X.509 certificates due to an API misuse, potentially leading to the acceptance of incorrect X.509 certificates as genuine (CVE-2008-5077).
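The API misuse behind this advisory is the return-value contract of OpenSSL's signature-verification calls (EVP_VerifyFinal() and friends return 1 for a valid signature, 0 for an invalid one and -1 on error), where callers that only tested for 0 let the error path fall through to "accept". The C below is an added, constructed illustration of that caller bug beside its fix, not OpenSSL or Debian code: model_verify_final(), good_sig, wrong_sig and malformed_sig are stand-ins that imitate only the three-valued contract and do no real cryptography.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's EVP_VerifyFinal()/DSA_verify() return
 * contract: 1 = signature valid, 0 = signature invalid, -1 = error (for
 * instance, the signature blob could not be parsed). No real cryptography:
 * a "valid" signature is simply one equal to the constructed good_sig. */
static const unsigned char good_sig[] = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07};

static int model_verify_final(const unsigned char *sig, size_t siglen)
{
    /* Minimal DER sanity check: SEQUENCE tag and a length byte that fits. */
    if (sig == NULL || siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] + 2 != siglen)
        return -1;                      /* parse error, NOT "signature invalid" */
    if (siglen != sizeof good_sig)
        return 0;
    return memcmp(sig, good_sig, siglen) == 0 ? 1 : 0;
}

/* Vulnerable caller pattern (CVE-2008-5077 class): only 0 is treated as a
 * failure, so the -1 error return falls through to "accept". */
int cert_check_vulnerable(const unsigned char *sig, size_t siglen)
{
    if (model_verify_final(sig, siglen) == 0)
        return 0;                       /* reject */
    return 1;                           /* accept: also reached on -1 */
}

/* Fixed caller pattern: anything other than the exact success value 1,
 * including errors, is a rejection. */
int cert_check_fixed(const unsigned char *sig, size_t siglen)
{
    return model_verify_final(sig, siglen) == 1 ? 1 : 0;
}

/* Constructed vectors: valid, well-formed-but-wrong, and malformed (length byte lies). */
enum { SIG_VALID, SIG_WRONG, SIG_MALFORMED };
static const unsigned char wrong_sig[]     = {0x30, 0x06, 0x02, 0x01, 0x06, 0x02, 0x01, 0x07};
static const unsigned char malformed_sig[] = {0x30, 0x20, 0x02, 0x01};

/* Runs one vector through either caller; returns 1 if the certificate would be accepted. */
int check(int use_fixed, int kind)
{
    const unsigned char *s = kind == SIG_VALID ? good_sig : kind == SIG_WRONG ? wrong_sig : malformed_sig;
    size_t n = kind == SIG_MALFORMED ? sizeof malformed_sig : sizeof good_sig;
    return use_fixed ? cert_check_fixed(s, n) : cert_check_vulnerable(s, n);
}
```

Only the malformed vector separates the two callers: the vulnerable check accepts it because -1 is not 0, while the fixed check rejects everything that is not exactly 1.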

For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch4 of the openssl package, and version 0.9.7k-3.1etch2 of the openssl097 package.

For the unstable distribution (sid), this problem has been fixed in version 0.9.8g-15.

The testing distribution (lenny) will be fixed soon.

We recommend that you upgrade your OpenSSL packages.

Fixed in:

Debian GNU/Linux 4.0 (etch), for the HP Precision, Intel IA-32, Intel IA-64, big-endian MIPS, little-endian MIPS, IBM S/390 and Sun Sparc architectures.

MD5 checksums of the listed files are available in the original advisory.