httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From geb...@ameritech.net
Subject [users@httpd] openssl vulnerability
Date Thu, 06 Mar 2003 22:58:52 GMT

Well, folks,

Time to do another upgrade.

-------------------------------------------------------

                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated OpenSSL packages fix timing attack
Advisory ID:       RHSA-2003:062-11
Issue date:        2003-02-19
Updated on:        2003-03-06
Product:           Red Hat Linux
Keywords:          
Cross references:  
Obsoletes:         RHSA-2002:160
CVE Names:         CAN-2003-0078
---------------------------------------------------------------------

1. Topic:

Updated OpenSSL packages are available that fix a potential timing-based
attack.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - i386
Red Hat Linux 7.0 - i386
Red Hat Linux 7.1 - i386
Red Hat Linux 7.2 - i386, i686, ia64
Red Hat Linux 7.3 - i386, i686
Red Hat Linux 8.0 - i386, i686

3. Problem description:

OpenSSL is a commercial-grade, full-featured, and open source toolkit
that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols as well as a full-strength general purpose
cryptography library.

In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin
Vuagnoux describe and demonstrate a timing-based attack on CBC
ciphersuites in SSL and TLS.  An active attacker may be able to use
timing observations to distinguish between two different error cases:
cipher padding errors and MAC verification errors.  Over multiple
connections this can leak sufficient information to make it possible to
retrieve the plaintext of a common, fixed block.

In order for an attack to be sucessful, an attacker must be able to act
as a man-in-the-middle to intercept and modify multiple connections,
which all involve a common fixed plaintext block (such as a password),
and have good network conditions that allow small changes in timing to
be reliably observed.

These erratum packages contain a patch provided by the OpenSSL group
that corrects this vulnerability.

Because server applications are affected by these vulnerabilities, we
advise users to restart all services that use OpenSSL functionality ...

etc., etc., etc.

For other platforms, see relevant documentation.


Cheers,
ken




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message