-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------+ | EnGarde Secure Linux Security Advisory February 20, 2003 | | http://www.engardelinux.org/ ESA-20030220-005 | | | | Packages: openssl, openssl-misc | | Summary: OpenSSL timing-based attack vulnerability. | +------------------------------------------------------------------------+ EnGarde Secure Linux is a secure distribution of Linux that features improved access control, host and network intrusion detection, Web based secure remote management, e-commerce, and integrated open source security tools. OVERVIEW - -------- In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC cipher suites used in SSL and TLS. OpenSSL has been found to vulnerable to this attack. This update fixes these vulnerabilities. Please refer to the OpenSSL advisory for more information on this attack: http://www.openssl.org/news/secadv_20030219.txt The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0078 to this issue. SOLUTION - -------- Users of the EnGarde Professional edition can use the Guardian Digital Secure Network to update their systems automatically. EnGarde Community users should upgrade to the most recent version as outlined in this advisory. Updates may be obtained from: ftp://ftp.engardelinux.org/pub/engarde/stable/updates/ http://ftp.engardelinux.org/pub/engarde/stable/updates/ Before upgrading the package, the machine must either: a) be booted into a "standard" kernel; or b) have LIDS disabled. To disable LIDS, execute the command: # /sbin/lidsadm -S -- -LIDS_GLOBAL To install the updated package, execute the command: # rpm -Uvh files You must now update the LIDS configuration by executing the command: # /usr/sbin/config_lids.pl To re-enable LIDS (if it was disabled), execute the command: # /sbin/lidsadm -S -- +LIDS_GLOBAL To verify the signatures of the updated packages, execute the command: # rpm -Kv files UPDATED PACKAGES - ---------------- These updated packages are for EnGarde Secure Linux Community Edition. Source Packages: SRPMS/openssl-0.9.6-1.0.18.src.rpm MD5 Sum: 37aee34f5d230ceb5fe6d7ef5fbf69e6 Binary Packages: i386/openssl-0.9.6-1.0.18.i386.rpm MD5 Sum: df7657e406732b3abc7b7b3414bf07b2 i386/openssl-misc-0.9.6-1.0.18.i386.rpm MD5 Sum: d251465a15f7167dee9a0929af23edd9 i686/openssl-0.9.6-1.0.18.i686.rpm MD5 Sum: 707774a9ad3d06e6596b7389745ee89e i686/openssl-misc-0.9.6-1.0.18.i686.rpm MD5 Sum: e09d2a7e893f12247475a8821abee3da REFERENCES - ---------- Guardian Digital's public key: http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY OpenSSL's Official Web Site: http://www.openssl.org/ Security Contact: securityat_private EnGarde Advisories: http://www.engardelinux.org/advisories.html - -------------------------------------------------------------------------- $Id: ESA-20030220-005-openssl,v 1.1 2003/02/20 16:23:30 rwm Exp $ - -------------------------------------------------------------------------- Author: Ryan W. Maple <ryanat_private> Copyright 2003, Guardian Digital, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+VQe/HD5cqd57fu0RApQaAJ0b3Aqixp7Uu1tQiy9wXLfSzOzVkQCeP5zp F8eSaKj6GArbudY6AHP5WZo= =GqQX -----END PGP SIGNATURE----- ------------------------------------------------------------------------ To unsubscribe email engarde-security-requestat_private with "unsubscribe" in the subject of the message. Copyright(c) 2002 Guardian Digital, Inc. EnGardeLinux.org ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 09:32:54 PST