[CLA-2003:570] Conectiva Linux Security Announcement - openssl

From: secureat_private
Date: Mon Feb 24 2003 - 14:27:14 PST

Next message: H D Moore: "Terminal Emulator Security Issues"

Previous message: John Howie: "RE: Bypassing Personal Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : openssl
SUMMARY   : Information leak in encrypted connections
DATE      : 2003-02-24 19:25:00
ID        : CLA-2003:570
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and
 Transport Layer Security (TLS v1) protocols as well as full-strength
 general purpose cryptography functions. It's used (as a library) by
 several projects, like Apache, OpenSSH, Bind, OpenLDAP and many
 others clients and servers programs.
 
 In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
 Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
 demonstrate a timing-based attack on CBC ciphersuites in SSL and
 TLS.
 
 Vulnerable[2][3] openssl versions do not perform a MAC computation if
 an incorrect block cipher padding is used. An active attacker who can
 insert data into an existing encrypted connection is then able to
 measure time differences between the error messages the server sends.
 This information can make it easier to launch cryptographic attacks
 that rely on distinguishing between padding and MAC verification
 errors, possibly leading to extraction of the original plaintext.
 
 The openssl packages provided with this update are patched against
 this vulnerability.


SOLUTION
 It is recommended that all users upgrade their openssl packages.
 
 Please note that it is necessary to restart services which use the
 library (such as the apache web server with SSL enabled) so that the
 new, fixed, version is used. A list of such applications can be
 obtained after the upgrade with the following command:
 
 lsof | grep libssl
 
 The first column will contain the name of the application that needs
 to be restarted. If there is any doubt about which application has to
 be restarted or how to do it, we recommend that the system be
 rebooted.
 
 
 REFERENCES
 1. http://www.openssl.org/
 2. http://www.openssl.org/news/secadv_20030219.txt
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-devel-0.9.6-4U60_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/openssl-0.9.6a-3U70_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-0.9.6a-3U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-0.9.6a-3U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-devel-static-0.9.6a-3U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-doc-0.9.6a-3U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/openssl-progs-0.9.6a-3U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-0.9.6c-2U80_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-devel-static-0.9.6c-2U80_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-doc-0.9.6c-2U80_4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-progs-0.9.6c-2U80_4cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribeat_private
unsubscribe: conectiva-updates-unsubscribeat_private
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+WpxB42jd0JmAcZARAlcJAKCTUTnwEV5FWbMiBNzwxP70+8+1pQCfdkB0
dRnnuP71tAjq2ezRKw9hchQ=
=VxfP
-----END PGP SIGNATURE-----

Next message: H D Moore: "Terminal Emulator Security Issues"
Previous message: John Howie: "RE: Bypassing Personal Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Feb 24 2003 - 14:32:26 PST