httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Darin Holloway" <jdhollo...@blue.net>
Subject Re: [users@httpd] openssl vulnerability
Date Thu, 06 Mar 2003 23:54:50 GMT
Patches, we don't need no stinking patches.

Darin Holloway
Web Developer and Systems Administrator
Bluegrass Network, LLC


----- Original Message -----
From: <gebser@ameritech.net>
To: "Apache Mailing List" <users@httpd.apache.org>
Sent: Thursday, March 06, 2003 4:58 PM
Subject: [users@httpd] openssl vulnerability


>
> Well, folks,
>
> Time to do another upgrade.
>
> -------------------------------------------------------
>
>                    Red Hat, Inc. Red Hat Security Advisory
>
> Synopsis:          Updated OpenSSL packages fix timing attack
> Advisory ID:       RHSA-2003:062-11
> Issue date:        2003-02-19
> Updated on:        2003-03-06
> Product:           Red Hat Linux
> Keywords:
> Cross references:
> Obsoletes:         RHSA-2002:160
> CVE Names:         CAN-2003-0078
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Updated OpenSSL packages are available that fix a potential timing-based
> attack.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 6.2 - i386
> Red Hat Linux 7.0 - i386
> Red Hat Linux 7.1 - i386
> Red Hat Linux 7.2 - i386, i686, ia64
> Red Hat Linux 7.3 - i386, i686
> Red Hat Linux 8.0 - i386, i686
>
> 3. Problem description:
>
> OpenSSL is a commercial-grade, full-featured, and open source toolkit
> that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
> Security (TLS v1) protocols as well as a full-strength general purpose
> cryptography library.
>
> In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin
> Vuagnoux describe and demonstrate a timing-based attack on CBC
> ciphersuites in SSL and TLS.  An active attacker may be able to use
> timing observations to distinguish between two different error cases:
> cipher padding errors and MAC verification errors.  Over multiple
> connections this can leak sufficient information to make it possible to
> retrieve the plaintext of a common, fixed block.
>
> In order for an attack to be sucessful, an attacker must be able to act
> as a man-in-the-middle to intercept and modify multiple connections,
> which all involve a common fixed plaintext block (such as a password),
> and have good network conditions that allow small changes in timing to
> be reliably observed.
>
> These erratum packages contain a patch provided by the OpenSSL group
> that corrects this vulnerability.
>
> Because server applications are affected by these vulnerabilities, we
> advise users to restart all services that use OpenSSL functionality ...
>
> etc., etc., etc.
>
> For other platforms, see relevant documentation.
>
>
> Cheers,
> ken
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message