Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: stunnel (200303-24)
Date: Tue, 25 Mar 2003 17:56:51
Message-Id: 20030325175408.4CEC95765@mail2.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-24
- - ---------------------------------------------------------------------

PACKAGE : stunnel
SUMMARY : timing based attack
DATE : 2003-03-25 17:55 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <3.22-r2 (unstable: <4.04)
FIXED VERSION : >=3.22-r2 (unstable: >=4.04)
CVE : CAN-2003-0147

- - ---------------------------------------------------------------------

- From advisory:

"Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on."

Read the full advisory at
http://www.openssl.org/news/secadv_20030317.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/stunnel upgrade to stunnel-3.22-r2 (unstable: stunnel-4.04)
as follows:

emerge sync
emerge stunnel
emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gJf+fT7nyhUpoZMRAhj+AKCmvPcPpDVzK3jV/mAIugKMYPlV/wCgxHhK
5RkR6hZvVdQGQjyr8lut6I0=
=NYot
-----END PGP SIGNATURE-----