Contributed by jose on from the secure-man-is-now-blind dept.
"Another security patch for OpenBSD. 'Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks.' patch 011 for OpenBSD page is already available at www.openbsd.org/errata.html"
The patch for 3.2-stable is available as patch 011, and for 3.1-stable as patch 024. The official OpenSSL group advisory located here is worth a read, too, and contains the link to the CVE candidate. The paper itself on this is pretty cool too (PDF). Thank you, Todd, for the heads up.
By Shane () on
Todd Miller says:
Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.
Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.
Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/025_kpr.patch
Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/012_kpr.patch
The OpenSSL advisory (from which the patches are derived) is:
http://www.openssl.org/news/secadv_20030319.txt
The following paper describes the attack in detail:
http://eprint.iacr.org/2003/052/