-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-20
- - ---------------------------------------------------------------------

PACKAGE : openssl
SUMMARY : Klima-Pokorny-Rosa attack
DATE : 2003-03-24 11:51 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <0.9.6i-r2
FIXED VERSION : >=0.9.6i-r2
CVE : CAN-2003-0131

- - ---------------------------------------------------------------------

- From advisory:

"Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack."

Read the full advisory at:
http://www.openssl.org/news/secadv_20030319.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to openssl-0.9.6i-r2 as follows:

    emerge sync
    emerge openssl
    emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+fvEtfT7nyhUpoZMRAjGBAJ9fkr/E5rMWv7Sp1YBg+3rRNqbS6wCglHh8
XW2wBWHA0/W3NXOz+ONEFTg=
=l0Nr
-----END PGP SIGNATURE-----
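
To check a host inventory against the affected range stated above (<0.9.6i-r2), the following is an added example and not part of the Gentoo announcement or of Portage. It assumes a simplified version grammar (dotted numbers, one optional OpenSSL-style letter, optional -rN revision) rather than Portage's full ordering rules; the inventory list and the names parse, is_affected and audit are constructed for illustration.

```python
import re

PKG = "dev-libs/openssl"   # package named in the announcement
FIXED = "0.9.6i-r2"        # first fixed version, from the announcement

# Assumed grammar: dotted numbers, optional single letter, optional -rN.
# Suffixes such as _pre or _p are outside this simplified grammar.
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")


def parse(version):
    """Turn '0.9.6i-r2' into a tuple that orders correctly: ((0, 9, 6), 'i', 2)."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    letter = m.group(2)          # "" sorts before any letter
    rev = int(m.group(3) or 0)   # a missing revision counts as -r0
    return nums, letter, rev


def is_affected(version, fixed=FIXED):
    """True if version falls in the announcement's range, i.e. is older than fixed."""
    return parse(version) < parse(fixed)


def audit(atoms):
    """Return the PKG entries in atoms that still need the upgrade."""
    prefix = PKG + "-"
    return [a for a in atoms
            if a.startswith(prefix) and is_affected(a[len(prefix):])]


if __name__ == "__main__":
    # Constructed inventory, e.g. gathered from several hosts.
    inventory = [
        "dev-libs/openssl-0.9.6g",
        "dev-libs/openssl-0.9.6i",
        "dev-libs/openssl-0.9.6i-r1",
        "dev-libs/openssl-0.9.6i-r2",
        "sys-libs/zlib-1.1.4",
    ]
    for atom in audit(inventory):
        print("needs upgrade:", atom)
```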