OpenBSD Journal

OpenSSL vulnerable to some timing attacks -- Patch 007 Available

Contributed by jose on from the infoleak-and-insecurity dept.

clvrmnky writes:
"I'm sure we've all seen this already, but some crypto researchers found a timing vulnerability in OpenSSL. It only seems to affect releases prior to 0.9.6i and 0.9.7a.

A patch is available for your OpenSSL source tree. Anyone know if recent releases of OpenBSD require patching? A cursory look at /usr/src/lib/libssl/src/CHANGES indicates it's a patched 0.9.6b release."

Actually, it was just updated this evening. According to errata.html, a patch for 3.2 has been released. Patch 007 fixes two issues in OpenSSL. It does not appear to have been ported to the 3.1 release. The CVE entry is CAN-2003-0078, for those keeping track.
UPDATE: Patch 021 for 3.1-stable fixes this problem. Thanks, clvrmnky.



Comments
  1. By schubert () on

    yes you do need to patch 3.2 with this. if you follow -STABLE you just need to go into /usr/src/lib/libssl and rebuild. you might also notice that some net code was changed in src/sys so you can rebuild your kernel also (not sure what the changes are right now).

  2. By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/

    The CVS tree reflects the changes for the 007_ssl patch and a pre-built binary patch is already available for i386.

    Thanks to all of you tracking binpatch, for your comments and support.

  3. By Anonymous Coward () on

    What type of threat does this vulnerability impose?

  4. By clvrmnky () on

    There's a patch for 3.1, as well.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]