GLSA: stunnel (200303-24)

From: Daniel Ahlberg (alizat_private)
Date: Tue Mar 25 2003 - 09:55:15 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - - ---------------------------------------------------------------------
    GENTOO LINUX SECURITY ANNOUNCEMENT 200303-24
    - - ---------------------------------------------------------------------
    
              PACKAGE : stunnel
              SUMMARY : timing based attack
                 DATE : 2003-03-25 17:55 UTC
              EXPLOIT : remote
    VERSIONS AFFECTED : <3.22-r2 (unstable: <4.04)
        FIXED VERSION : >=3.22-r2 (unstable: >=4.04)
                  CVE : CAN-2003-0147
    
    - - ---------------------------------------------------------------------
    
    - From advisory:
    
    "Researchers have discovered a timing attack on RSA keys, to which
    OpenSSL is generally vulnerable, unless RSA blinding has been turned
    on."
    
    Read the full advisory at
    http://www.openssl.org/news/secadv_20030317.txt
    
    SOLUTION
    
    It is recommended that all Gentoo Linux users who are running
    net-misc/stunnel upgrade to stunnel-3.22-r2 (unstable: stunnel-4.04) 
    as follows:
    
    emerge sync
    emerge stunnel
    emerge clean
    
    - - ---------------------------------------------------------------------
    alizat_private - GnuPG key is available at http://cvs.gentoo.org/~aliz
    - - ---------------------------------------------------------------------
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    
    iD8DBQE+gJf+fT7nyhUpoZMRAhj+AKCmvPcPpDVzK3jV/mAIugKMYPlV/wCgxHhK
    5RkR6hZvVdQGQjyr8lut6I0=
    =NYot
    -----END PGP SIGNATURE-----
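
The quoted advisory names RSA blinding as the mitigation for the timing attack. The following is an added example, not part of the original announcement and not OpenSSL or stunnel code, showing the blinding arithmetic on a constructed toy key. The primes, function names and sample message are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed toy key from two Mersenne primes; real RSA keys are far larger.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def private_op_plain(c):
    """Unblinded private-key operation: the value raised to D is exactly
    what the remote peer sent, so its timing depends on peer-chosen input."""
    return pow(c, D, N)


def private_op_blinded(c):
    """Blinded private-key operation.

    Returns (result, blinded_input) so the caller can see that the value
    actually raised to D is randomised on every call.
    """
    while True:
        r = secrets.randbelow(N - 2) + 2      # fresh random r in [2, N-1]
        if math.gcd(r, N) == 1:               # r must be invertible mod N
            break
    blinded = (c * pow(r, E, N)) % N          # c' = c * r^E mod N
    m_blinded = pow(blinded, D, N)            # (c')^D = c^D * r mod N
    m = (m_blinded * pow(r, -1, N)) % N       # multiply by r^-1 to unblind
    return m, blinded


if __name__ == "__main__":
    message = 123456789                       # constructed sample plaintext
    ciphertext = pow(message, E, N)
    result, blinded_input = private_op_blinded(ciphertext)
    print("plain result  :", private_op_plain(ciphertext))
    print("blinded result:", result)
    print("input to pow(., D, N) differs from ciphertext:",
          blinded_input != ciphertext)
```

Python's `pow` is not constant-time, so this shows only why blinding decouples the exponentiation input from the peer-supplied value. It is not a timing-safe RSA implementation.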
    


