Contributed by jose on from the infoleak-and-insecurity dept.
"I'm sure we've all seen this already, but some crypto researchers found a timing vulnerability in OpenSSL. It only seems to affect releases prior to 0.9.6i and 0.9.7a. Actually, it was just updated this evening. According to errata.html, a patch for 3.2 has been released. Patch 007 fixes two issues in OpenSSL. It does not appear to be ported to the 3.1 release. This is the CVE entry CAN-2003-0078, for those keeping track.
A patch is available for your OpenSSL source tree. Anyone know if recent releases of OpenBSD require patching? A cursory look at /usr/src/lib/libssl/src/CHANGES indicates it's a patched 0.9.6b release."
UPDATE: Patch 021 for 3.1-stable fixes this problem. Thanks, clvrmnky.