OpenBSD Journal

y Patch #011 for 3.2, 3.1

Contributed by jose on from the secure-man-is-now-blind dept.

thugwar writes:
"Another security patch for OpenBSD. "Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks." patch 011 for OpenBSD page is already available at"
The patch for 3.2-stable is available as patch 011 , and for 3.1-stable as patch 024 . The official OpenSSL group advisory located here is worth a read, too, and contains the link to the CVE candidate. The paper itself on this is pretty cool too (PDF) . Thank you, Todd, for the heads up.

(Comments are closed)

  1. By Shane () on

    Patch 12 for 3.2 and 25 for 3.1 just came out too.

    Todd Miller says:

    Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.

    Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.

    Patch for OpenBSD 3.1:

    Patch for OpenBSD 3.2:

    The OpenSSL advisory (from which the patches are derived) is:

    The following paper describes the attack in detail:

  2. By Anonymous Coward () on

    I don't understand, is patch #11 neccessary if I am running an OpenSSH daemon but not using SSL with Apache?

    1. By Anonymous Coward () on

      Everyone, unless you want to keep unsafe software around...

    2. By Anonymous Coward () on

      Well, doing an ldd on /usr/sbin/sshd doesn't show any ssl, so I take it that one can safely run sshd on an unpatched server.

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]