Contributed by jose on from the not-a-good-week-for-OpenSSL dept.
"Patch 12 for 3.2 and 25 for 3.1 just came out too. The report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa is available now, too. Thanks Shane, and thank you Todd.
Todd Miller says:
Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.
Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.
The OpenSSL advisory (from which the patches are derived) is here."