TITLE:
OpenSSL FIPS Object Module PRNG Security Issue

SECUNIA ADVISORY ID:
SA27859

VERIFY ADVISORY:
http://secunia.com/advisories/27859/

CRITICAL:
Less critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
OpenSSL FIPS Object Module 1.x
http://secunia.com/product/16765/

DESCRIPTION:
A security issue has been reported in OpenSSL, which can potentially
be exploited by malicious people to bypass certain security
restrictions.

The security issue is caused due to an error in the implementation of
the Pseudo Random Number Generator (PRNG), where a PRNG key and seed
are used that correspond to the last FIPS self-test. This leads to
predictable generated random data and may weaken the security of
applications relying on the module.

The security issue affects version 1.1.1.

SOLUTION:
The vendor has issued two patches that demonstrate fixes for the
security issue.
http://www.openssl.org/news/patch-CVE-2007-5502-1.txt
http://www.openssl.org/news/patch-CVE-2007-5502-2.txt

The vendor recommends waiting for official approval of a patched
distribution. No changes are permitted for FIPS 140-2 validated
software without prior official approval.

PROVIDED AND/OR DISCOVERED BY:
The vendor credits Geoff Lowe of Secure Computing Corporation.

ORIGINAL ADVISORY:
http://www.openssl.org/news/secadv_20071129.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
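
The failure mode in the DESCRIPTION above, reduced to a toy model as an added example (not code from OpenSSL or from this advisory): a generator whose state is a key and a seed keeps the fixed self-test values when nothing replaces them, so independent instances emit identical output. The class, the constants and the use of HMAC-SHA256 in place of the module's cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed known-answer-test (KAT) inputs, not values from the OpenSSL module.
KAT_KEY = bytes(range(16))
KAT_SEED = bytes(range(16, 32))


class ToyPRNG:
    """Generator whose state is a key and a seed (HMAC-SHA256 as a stand-in)."""

    def __init__(self, discard_test_state):
        self.discard_test_state = discard_test_state
        self.key = self.seed = None

    def _block(self):
        out = hmac.new(self.key, self.seed, hashlib.sha256).digest()
        # Advance the seed so consecutive blocks differ.
        self.seed = hmac.new(self.key, out, hashlib.sha256).digest()[:16]
        return out[:16]

    def self_test(self):
        # A KAT has to run on fixed inputs so its output can be compared.
        self.key, self.seed = KAT_KEY, KAT_SEED
        expected = hmac.new(KAT_KEY, KAT_SEED, hashlib.sha256).digest()[:16]
        passed = self._block() == expected
        if self.discard_test_state:
            # Hardened form: the fixed state never survives the test.
            self.key = self.seed = None
        return passed

    def random_bytes(self, n):
        if self.key is None:  # seeded from the OS only when no state exists
            self.key, self.seed = os.urandom(16), os.urandom(16)
        out = b""
        while len(out) < n:
            out += self._block()
        return out[:n]


def outputs_repeat(discard_test_state, n=32):
    """Model two independent processes; True if both emit the same bytes."""
    streams = []
    for _ in range(2):
        prng = ToyPRNG(discard_test_state)
        if not prng.self_test():
            raise RuntimeError("self-test failed")
        streams.append(prng.random_bytes(n))
    return streams[0] == streams[1]
```

Comparing the first output of two freshly started instances, as `outputs_repeat` does, is a cheap regression check for this class of seeding error.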