Contributed by jose on from the infoleak-and-insecurity dept.
"I'm sure we've all seen this already, but some crypto researchers found a timing vulnerability in OpenSSL. It only seems to affect releases prior to 0.9.6i and 0.9.7a.

Actually, it was just updated this evening. According to errata.html, a patch for 3.2 has been released. Patch 007 fixes two issues in OpenSSL. It does not appear to be ported to the 3.1 release. This is the CVE entry, CAN-2003-0078, for those keeping track.

A patch is available for your OpenSSL source tree. Anyone know if recent releases of OpenBSD require patching? A cursory look at /usr/src/lib/libssl/src/CHANGES indicates it's a patched 0.9.6b release."
UPDATE: Patch 021 for 3.1-stable fixes this problem. Thanks, clvrmnky.
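For readers who want to see what the CAN-2003-0078 timing leak actually looked like: OpenSSL before 0.9.6i and 0.9.7a did not compute the record MAC when a decrypted CBC record had bad padding, so a "bad padding" rejection came back measurably faster than a "bad MAC" rejection, which is exactly the oracle the Vaudenay-style padding attack needs. The following is an added example written for this page; it is not OpenSSL's or OpenBSD's code. It models the post-decryption record check in Python with the TLS 1.0 layout (data || HMAC-SHA1 || padding) and leaves the CBC decryption step out, since the leak is in the check itself. Function names (`check_vulnerable`, `check_fixed`, `leak_profile`) and the sample record are assumptions made up for the example; instead of measuring wall-clock time, each check reports whether it performed the MAC computation, which is the deterministic version of the observable.

```python
import hashlib
import hmac

# Added example, not OpenSSL's code. Models the check ssl3_get_record does on a
# decrypted CBC record (strip padding, then verify the MAC) to show the leak
# behind CAN-2003-0078: the unpatched code returned before computing the MAC
# when the padding was bad. Decryption is omitted; the check runs on plaintext.

MAC_LEN = 20  # HMAC-SHA1, the TLS 1.0 MAC size


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def make_record(key: bytes, data: bytes, padlen: int) -> bytes:
    """Plaintext of a TLS 1.0 record: data || MAC || (padlen + 1) bytes equal to padlen."""
    return data + _mac(key, data) + bytes([padlen]) * (padlen + 1)


def padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 rule: last byte is padlen; the padlen bytes before it must all equal it."""
    if len(plaintext) < MAC_LEN + 1:
        return False
    padlen = plaintext[-1]
    if padlen + 1 + MAC_LEN > len(plaintext):
        return False
    return all(b == padlen for b in plaintext[-padlen - 1:-1])


def split(plaintext: bytes, padlen: int):
    """Strip padlen + 1 padding bytes, then split off the trailing MAC."""
    body = plaintext[:len(plaintext) - padlen - 1]
    return body[:-MAC_LEN], body[-MAC_LEN:]


def check_vulnerable(key: bytes, plaintext: bytes):
    """Pre-0.9.7a shape. Returns (accepted, mac_computed); bad padding skips the MAC."""
    if not padding_ok(plaintext):
        return False, False  # fast path: rejected with no MAC work at all
    data, mac = split(plaintext, plaintext[-1])
    return hmac.compare_digest(_mac(key, data), mac), True


def check_fixed(key: bytes, plaintext: bytes):
    """Patched shape: always compute the MAC, fold the padding result in at the end."""
    if len(plaintext) < MAC_LEN + 1:
        # Too short to hold a MAC at all; a real stack rejects this earlier (assumption).
        return False, False
    good_pad = padding_ok(plaintext)
    padlen = plaintext[-1] if good_pad else 0  # on bad padding, assume minimal padding
    data, mac = split(plaintext, padlen)
    mac_ok = hmac.compare_digest(_mac(key, data), mac)
    return good_pad & mac_ok, True  # both computed; combined without a second branch


def leak_profile(check, key: bytes):
    """Can an attacker tell a bad-padding record from a bad-MAC one by the MAC work done?"""
    # Constructed sample record (not captured traffic).
    good = make_record(key, b"GET / HTTP/1.0", padlen=3)
    bad_mac = bytearray(good)
    bad_mac[len(good) - 4 - MAC_LEN] ^= 0x01  # flip the first MAC byte
    bad_pad = bytearray(good)
    bad_pad[-2] ^= 0x01  # corrupt one padding byte
    results = {name: check(key, bytes(rec)) for name, rec in
               [("good", good), ("bad_mac", bad_mac), ("bad_pad", bad_pad)]}
    distinguishable = results["bad_mac"][1] != results["bad_pad"][1]
    return results, distinguishable
```

Running `leak_profile(check_vulnerable, key)` reports the two failure cases as distinguishable (one computes a MAC, the other does not); `leak_profile(check_fixed, key)` reports them as indistinguishable, which is the shape of the 0.9.7a fix. Caveat: computing the MAC unconditionally removes the gross branch, but the MAC's running time still depends on how many bytes it covers, and that smaller, length-dependent leak is what the Lucky Thirteen attack exploited against TLS CBC implementations a decade later.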
By schubert () on
By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/
The CVS tree reflects the changes for the 007_ssl patch and a pre-built binary patch is already available for i386.
Thanks to all of you tracking binpatch for your comments and support.
By Anonymous Coward () on
By clvrmnky () on