lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030220172843.83CC533B6A@mail1.tamperd.net>
From: aliz at gentoo.org (Daniel Ahlberg)
Subject: GLSA:  openssl (200302-10)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-10
- - ---------------------------------------------------------------------

PACKAGE : openssl
SUMMARY : timing based attack
DATE    : 2003-02-20 17:28 UTC
EXPLOIT : remote

- - ---------------------------------------------------------------------

- From advisory:

"The attack assumes that multiple SSL or TLS connections involve a
common fixed plaintext block, such as a password.  An active attacker
can substitute specifically made-up ciphertext blocks for blocks sent
by legitimate SSL/TLS parties and measure the time until a response
arrives: SSL/TLS includes data authentication to ensure that such
modified ciphertext blocks will be rejected by the peer (and the
connection aborted), but the attacker may be able to use timing
observations to distinguish between two different error cases, namely
block cipher padding errors and MAC verification errors.  This is
sufficient for an adaptive attack that finally can obtain the complete
plaintext block."

Read the full advisory at:
http://www.openssl.org/news/secadv_20030219.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to openssl-0.9.6i or openssl-0.9.7a 
as follows:

emerge sync
emerge -u openssl
emerge clean

- - ---------------------------------------------------------------------
aliz@...too.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+VRA6fT7nyhUpoZMRAhR+AKCLuEcwWB26YqBz6p05h0dt55QTNACdECVZ
42cR0GYdllhIxECgdUhrcVA=
=6DOA
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ