[Full-Disclosure] GLSA: stunnel (200303-24)

From: Daniel Ahlberg (aliz@gentoo.org)
Date: 03/25/03

    From: Daniel Ahlberg <aliz@gentoo.org>
    To: full-disclosure@lists.netsys.com
    Date: Tue, 25 Mar 2003 18:55:16 +0100
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200303-24
    - - ---------------------------------------------------------------------

              PACKAGE : stunnel
              SUMMARY : timing based attack
                 DATE : 2003-03-25 17:55 UTC
              EXPLOIT : remote
    VERSIONS AFFECTED : <3.22-r2 (unstable: <4.04)
        FIXED VERSION : >=3.22-r2 (unstable: >=4.04)
                  CVE : CAN-2003-0147

    - - ---------------------------------------------------------------------

    - From advisory:

    "Researchers have discovered a timing attack on RSA keys, to which
    OpenSSL is generally vulnerable, unless RSA blinding has been turned
    on."

    Read the full advisory at
    http://www.openssl.org/news/secadv_20030317.txt

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    net-misc/stunnel upgrade to stunnel-3.22-r2 (unstable: stunnel-4.04)
    as follows:

    emerge sync
    emerge stunnel
    emerge clean

    - - ---------------------------------------------------------------------
    aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
    - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+gJf+fT7nyhUpoZMRAhj+AKCmvPcPpDVzK3jV/mAIugKMYPlV/wCgxHhK
    5RkR6hZvVdQGQjyr8lut6I0=
    =NYot
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
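RSA blinding, the mitigation named in the quoted advisory text, shown as an added example (not code from the advisory, OpenSSL or stunnel). The toy key built from two Mersenne primes and all function names are assumptions for illustration; the code shows the algebra only and is not a constant-time implementation.

```python
import math
import secrets

# Constructed toy key (assumption): two Mersenne primes. Real keys are >= 2048 bits.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def decrypt_unblinded(c):
    """Private-key operation applied directly to the peer-supplied value.

    The running time of this exponentiation depends on c and D, which is
    the dependency a timing attack measures.
    """
    return pow(c, D, N)


def blind(c):
    """Return (c * r^E mod N, r^-1 mod N) for a fresh random r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:  # r must be invertible modulo N
            return (c * pow(r, E, N)) % N, pow(r, -1, N)


def decrypt_blinded(c):
    """Same result as decrypt_unblinded, but D is only ever applied to a
    value the peer cannot predict, so timings no longer correlate with c."""
    c_blind, r_inv = blind(c)
    m_blind = pow(c_blind, D, N)  # equals (c^D * r) mod N
    return (m_blind * r_inv) % N  # strip the blinding factor


if __name__ == "__main__":
    message = 123456789  # constructed sample plaintext
    ciphertext = pow(message, E, N)
    print("unblinded:", decrypt_unblinded(ciphertext))
    print("blinded:  ", decrypt_blinded(ciphertext))
    print("two blindings of the same ciphertext differ:",
          blind(ciphertext)[0] != blind(ciphertext)[0])
```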

