GLSA: openssl (200303-15)

From: Daniel Ahlberg (aliz@gentoo.org)
Date: 03/20/03

  • Next message: Matthias Leu: "Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible"
    From: Daniel Ahlberg <aliz@gentoo.org>
    Date: Thu, 20 Mar 2003 10:20:26 +0100
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200303-15
    - - ---------------------------------------------------------------------

              PACKAGE : openssl
              SUMMARY : timing based attack
                 DATE : 2003-03-20 09:20 UTC
              EXPLOIT : remote
    VERSIONS AFFECTED : <0.9.6i-r1
        FIXED VERSION : >=0.9.6i-r1
                  CVE : CAN-2003-0147

    - - ---------------------------------------------------------------------

    - From advisory:

    "Researchers have discovered a timing attack on RSA keys, to which
    OpenSSL is generally vulnerable, unless RSA blinding has been turned
    on.

    Typically, it will not have been, because it is not easily possible to
    do so when using OpenSSL to provide SSL or TLS.

    The enclosed patch switches blinding on by default. Applications that
    wish to can remove the blinding with RSA_blinding_off(), but this is
    not generally advised. It is also possible to disable it completely by
    defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

    The performance impact of blinding appears to be small (a few
    percent)."

    Read the full advisory at
    http://www.openssl.org/news/secadv_20030317.txt

    SOLUTION

    It is recommended that all Gentoo Linux users who are running
    dev-libs/openssl upgrade to openssl-0.9.6i-r1 as follows:

    emerge sync
    emerge openssl
    emerge clean

    - - ---------------------------------------------------------------------
    aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
    - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iD8DBQE+eYfYfT7nyhUpoZMRAsEPAJ9+YC89ZmQ1YfS/vRwj4Zd6DR4sngCbBM6Y
    WTQ5c9ECLigqgvOnhaPZe/w=
    =g1MD
    -----END PGP SIGNATURE-----


  • Next message: Matthias Leu: "Re: Check Point FW-1 NG FP3 & FP3 HF1: DoS attack against syslog daemon possible"