Test ID: | 1.3.6.1.4.1.25623.1.0.55530 |
Category: | Ubuntu Local Security Checks |
Title: | Ubuntu USN-179-1 (weak) |
Summary: | NOSUMMARY |
Description: | The remote host is missing an update to openssl announced via advisory USN-179-1.

A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected: openssl

The current default algorithm for creating message digests (electronic signatures) for certificates created by openssl is MD5. However, this algorithm is not deemed secure any more, and some practical attacks have been demonstrated which could allow an attacker to forge certificates with a valid certification authority signature even if he does not know the secret CA signing key.

Therefore all Ubuntu versions of openssl have now been changed to use SHA-1 by default. This is a more appropriate default algorithm for the majority of use cases; however, if you still want to use MD5 as default, you can revert this change by changing the two instances of default_md = sha1 to default_md = md5 in /etc/ssl/openssl.cnf.

A detailed explanation and further links can be found at http://www.cits.rub.de/MD5Collisions/

Solution: The problem can be corrected by upgrading the affected package to version 0.9.7d-3ubuntu0.2 (for Ubuntu 4.10), or 0.9.7e-3ubuntu0.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

http://www.securityspace.com/smysecure/catid.html?in=USN-179-1

Risk factor: High |
Copyright | Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com |