-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - --------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200302-10 - - --------------------------------------------------------------------- PACKAGE : openssl SUMMARY : timing based attack DATE : 2003-02-20 17:28 UTC EXPLOIT : remote - - --------------------------------------------------------------------- - From advisory: "The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. An active attacker can substitute specifically made-up ciphertext blocks for blocks sent by legitimate SSL/TLS parties and measure the time until a response arrives: SSL/TLS includes data authentication to ensure that such modified ciphertext blocks will be rejected by the peer (and the connection aborted), but the attacker may be able to use timing observations to distinguish between two different error cases, namely block cipher padding errors and MAC verification errors. This is sufficient for an adaptive attack that finally can obtain the complete plaintext block." Read the full advisory at: http://www.openssl.org/news/secadv_20030219.txt SOLUTION It is recommended that all Gentoo Linux users who are running dev-libs/openssl upgrade to openssl-0.9.6i or openssl-0.9.7a as follows: emerge sync emerge -u openssl emerge clean - - --------------------------------------------------------------------- alizat_private - GnuPG key is available at http://cvs.gentoo.org/~aliz - - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+VRA6fT7nyhUpoZMRAhR+AKCLuEcwWB26YqBz6p05h0dt55QTNACdECVZ 42cR0GYdllhIxECgdUhrcVA= =6DOA -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 12:14:06 PST