Re: OpenSSL-0.9.6a has security fixes

From: Steven M. Bellovin (smbat_private)
Date: Thu Apr 26 2001 - 10:08:18 PDT

    In message <3AE70975.F9B60B6F@core-sdi.com>, Ariel Waissbein writes:
    >There seems to be a typo in the following post. It is RSA and not DSA.
    >The source, OpenSSL's webpage, has the same typo. Refer to
    >http://www.securityfocus.com/bid/2344
    >(or http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm).
    >
    >Daniel Bleichenbacher's webpage at Bell is
    >http://www.bell-labs.com/user/bleichen/bib.html
    
    
    Hmm -- Bleichenbacher has found a flaw in DSA, too; see
    http://www.lucent.com/press/0201/010205.bla.html.  Last time I spoke
    with him, the full technical paper was not yet available; it's supposed to
    be presented next month at EUROCRYPT.
    
    But I have no idea if OpenSSL has actually fixed that problem...
    
    		--Steve Bellovin, http://www.research.att.com/~smb
    


