Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: openssl (200303-20)
Date: Mon, 24 Mar 2003 11:57:04
Message-Id: 20030324115117.18D53338BF@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-20
---------------------------------------------------------------------

PACKAGE : openssl
SUMMARY : Klima-Pokorny-Rosa attack
DATE : 2003-03-24 11:51 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <0.9.6i-r2
FIXED VERSION : >=0.9.6i-r2
CVE : CAN-2003-0131

---------------------------------------------------------------------

From advisory:

"Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack."

Read the full advisory at:
http://www.openssl.org/news/secadv_20030319.txt

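The "behaviour" the quoted advisory refers to is the server's reaction to a decrypted ClientKeyExchange block: in the affected versions a badly padded block was already hidden (since the 1998 Bleichenbacher fix) by continuing with a random premaster secret, but a correctly padded block whose two version bytes did not match the ClientHello was rejected with an error. That difference is the oracle. The Python below is an added model of that decision logic, written for this page; it is not OpenSSL source, not the Gentoo ebuild, and uses a deliberately tiny 512-bit toy key (generated with a seeded PRNG so the run is repeatable, Python 3.8+ for pow(e, -1, phi)). All function names, the "continue"/"alert" reply strings and the three test vectors are constructed for the illustration.

```python
import random
import secrets

K = 64            # modulus size in bytes: a 512-bit toy key, far too small for real use
PMS_LEN = 48      # SSL 3.0 / TLS 1.0 premaster secret length
CLIENT_VERSION = b"\x03\x01"   # version the client announced in ClientHello (TLS 1.0)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; adequate for generating the toy key below."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(seed=20030324):
    """Deterministic toy RSA key (n, e, d); seeded so the example is repeatable."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(K * 4) | (1 << (K * 4 - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def rsa_apply(key, block):
    """Textbook RSA with key = (n, exponent); serves as encrypt (e) and decrypt (d)."""
    n, x = key
    return pow(int.from_bytes(block, "big"), x, n).to_bytes(K, "big")

def pkcs1_pad(msg, rng):
    """PKCS #1 v1.5 block type 2: 00 02 <non-zero PS, at least 8 bytes> 00 <msg>."""
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_unpad(em):
    """Return the message if em is a conforming type 2 block, else None."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    return None if sep < 10 else em[sep + 1:]

def vulnerable_server(priv, c, client_version=CLIENT_VERSION):
    """Decision logic of the affected versions, modelled here (not OpenSSL source)."""
    pms = pkcs1_unpad(rsa_apply(priv, c))
    if pms is None or len(pms) != PMS_LEN:
        # Countermeasure against the original Bleichenbacher attack: a bad block
        # is hidden by carrying on with a random premaster secret.
        return "continue", secrets.token_bytes(PMS_LEN)
    if pms[:2] != client_version:
        # The gap: a conforming block with the wrong version bytes is rejected at
        # once, so the reply alone says "the padding was conforming".
        return "alert", None
    return "continue", pms

def hardened_server(priv, c, client_version=CLIENT_VERSION):
    """Fixed behaviour: every failure, version mismatch included, takes the same path."""
    pms = pkcs1_unpad(rsa_apply(priv, c))
    if pms is None or len(pms) != PMS_LEN or pms[:2] != client_version:
        pms = secrets.token_bytes(PMS_LEN)
    return "continue", pms

def kpr_oracle(server, priv, pub, c, s):
    """One attacker query: submit c * s^e mod n and read only the reply.
    priv is passed solely because the 'server' runs in this process."""
    n, e = pub
    blinded = (int.from_bytes(c, "big") * pow(s, e, n) % n).to_bytes(K, "big")
    return server(priv, blinded)[0] == "alert"   # True: s*m mod n is PKCS conforming

def demo():
    """Three constructed ciphertexts against both servers; the reply pattern is the point."""
    n, e, d = gen_key()
    pub, priv, rng = (n, e), (n, d), random.Random(1)
    good = pkcs1_pad(CLIENT_VERSION + bytes(46), rng)        # conforming, right version
    wrong_version = pkcs1_pad(b"\x03\x00" + bytes(46), rng)  # conforming, SSL 3.0 bytes
    garbage = b"\x00\x01" + bytes(62)                        # not a type 2 block
    cts = [rsa_apply(pub, em) for em in (good, wrong_version, garbage)]
    return {
        "vulnerable": [vulnerable_server(priv, c)[0] for c in cts],
        "hardened": [hardened_server(priv, c)[0] for c in cts],
        "oracle": [kpr_oracle(vulnerable_server, priv, pub, c, 1) for c in cts],
    }
```

Running demo() shows the vulnerable server answering "continue", "alert", "continue" for the three blocks while the hardened one answers "continue" every time. In a real attack the multiplier s is random rather than 1, so whenever s*m mod n happens to be conforming its version bytes almost never match the ClientHello and the affected server answers with the alert; that yields exactly the conforming/non-conforming bit Bleichenbacher's method needs, which is why the fix is to treat a version mismatch like bad padding rather than to report it. Timing differences are outside this model.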
SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to openssl-0.9.6i-r2 as follows:

emerge sync
emerge openssl
emerge clean

---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+fvEtfT7nyhUpoZMRAjGBAJ9fkr/E5rMWv7Sp1YBg+3rRNqbS6wCglHh8
XW2wBWHA0/W3NXOz+ONEFTg=
=l0Nr
-----END PGP SIGNATURE-----