-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-10
- ---------------------------------------------------------------------

PACKAGE : openssl
SUMMARY : timing based attack
DATE    : 2003-02-20 17:28 UTC
EXPLOIT : remote

- ---------------------------------------------------------------------

From advisory:

"The attack assumes that multiple SSL or TLS connections involve a
common fixed plaintext block, such as a password. An active attacker
can substitute specifically made-up ciphertext blocks for blocks sent
by legitimate SSL/TLS parties and measure the time until a response
arrives: SSL/TLS includes data authentication to ensure that such
modified ciphertext blocks will be rejected by the peer (and the
connection aborted), but the attacker may be able to use timing
observations to distinguish between two different error cases, namely
block cipher padding errors and MAC verification errors. This is
sufficient for an adaptive attack that finally can obtain the complete
plaintext block."

Read the full advisory at:
http://www.openssl.org/news/secadv_20030219.txt
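The two error cases the advisory describes, as an added example (not code from OpenSSL or from the advisory): a simulated SSL 3.0/TLS 1.0 record check after CBC decryption, with the early-return form that lets a padding error be told apart from a MAC error beside a hardened form that always computes the MAC and reports one generic error. The key, the record layout (data || HMAC-SHA1 || padding), the stats counter and the absence of an actual cipher are assumptions of this example.

```python
import hmac
import hashlib

MAC_LEN = 20   # HMAC-SHA1 tag length, as in SSL 3.0 / TLS 1.0 records
BLOCK = 8      # block size of the (simulated) CBC cipher
KEY = b"constructed-mac-key"   # constructed sample key, not from the advisory


def make_record(data: bytes) -> bytes:
    """Lay out a decrypted record: data || MAC || padding (p bytes valued p-1)."""
    body = data + hmac.new(KEY, data, hashlib.sha1).digest()
    p = BLOCK - len(body) % BLOCK
    return body + bytes([p - 1]) * p


def _padding_ok(record: bytes, pad: int) -> bool:
    """Check every padding byte without early exit (accumulate, then test)."""
    if pad + 1 > len(record) - MAC_LEN:
        return False
    diff = 0
    for b in record[-(pad + 1):]:
        diff |= b ^ pad
    return diff == 0


def _mac_ok(record: bytes, pad: int, stats: dict) -> bool:
    stats["mac_ops"] += 1   # counted so a caller can see whether the MAC ran
    body = record[:len(record) - (pad + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(KEY, data, hashlib.sha1).digest())


def check_vulnerable(record: bytes, stats: dict):
    """Returns early on bad padding, so the MAC is skipped and a padding error
    is answered faster than a MAC error: two distinguishable error cases."""
    pad = record[-1]
    if not _padding_ok(record, pad):
        return "bad_padding"
    if not _mac_ok(record, pad, stats):
        return "bad_mac"
    return record[:len(record) - (pad + 1) - MAC_LEN]


def check_hardened(record: bytes, stats: dict):
    """Remembers the padding result, always runs the MAC (assuming one-byte
    padding when the real padding is invalid) and reports one generic error."""
    pad = record[-1]
    padding_ok = _padding_ok(record, pad)
    mac_ok = _mac_ok(record, pad if padding_ok else 0, stats)
    if padding_ok and mac_ok:
        return record[:len(record) - (pad + 1) - MAC_LEN]
    return "bad_record_mac"
```

The hardened form removes the skipped-MAC shortcut and the distinct error codes; it narrows the timing difference rather than making the check fully constant-time, which takes further care over the MAC input length.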

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to openssl-0.9.6i or openssl-0.9.7a
as follows:

emerge sync
emerge -u openssl
emerge clean

- ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+VRA6fT7nyhUpoZMRAhR+AKCLuEcwWB26YqBz6p05h0dt55QTNACdECVZ
42cR0GYdllhIxECgdUhrcVA=
=6DOA
-----END PGP SIGNATURE-----