7 January 2009
Certification agencies have responded to work by a research group which demonstrated the lack of security of MD5 by faking a certificate that allowed them to issue further certificates with arbitrary identities. This was somewhat inevitable; MD5 was theoretically broken as long ago as 2004 and the method used for the collision attack has been known since 2007.
German certification authority TC Trustcenter is asserting that its placement on a list of CAs that still use MD5 is a little unjust. The organisation states that since 2007 "All certificates issued to its customers since that time use other hash procedures, such as SHA-1". It further notes that the only place it has continued to use MD5-based certificates is for a few of its own servers. This does indeed prevent the specific attack scenario, but it hardly seems likely to engender confidence among users. Trustcenter has at least started to replace these certificates.
More: http://www.heise-online.co.uk/security/Certification-authorities-respond-to-MD5-hack--/news/112362
Red Hat update for xen
Release Date: 2009-01-07
Critical: Not critical
Impact: Security Bypass
Where: Local system
Solution Status: Vendor Patch
OS: Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client)
Description:
Red Hat has issued an update for xen. This fixes a weakness, which can be exploited by malicious, local users in a Xen DomU to bypass certain security restrictions.
For more information:
SA32064
Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com
Original Advisory:
RHSA-2009-0003:
https://rhn.redhat.com/errata/RHSA-2009-0003.html
Other References:
SA32064:
http://secunia.com/advisories/32064/
