Home page logo
/

bugtraq logo Bugtraq mailing list archives

Security Update: [CSSA-2003-014.0] Linux: several recently discovered openssl vulnerabilities
From: security () sco com
Date: Fri, 21 Mar 2003 15:24:01 -0800

To: bugtraq () securityfocus com announce () lists caldera com security-alerts () linuxsecurity com


______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: several recently discovered openssl vulnerabilities
Advisory number:        CSSA-2003-014.0
Issue date:             2003 March 21
Cross reference:
______________________________________________________________________________


1. Problem Description

        Dan Boneh and David Brumley have successfully implemented an
        RSA timing attack against openssl. This updated version guards
        against this attack. In an upcoming paper, Brice Canvel (EPFL),
        Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux
        (EPFL, Ilion) describe and demonstrate a timing-based attack on
        CBC ciphersuites in SSL and TLS.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to openssl-0.9.6-21.i386.rpm
                                        prior to openssl-devel-0.9.6-21.i386.rpm
                                        prior to openssl-devel-static-0.9.6-21.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to openssl-0.9.6-21.i386.rpm
                                        prior to openssl-devel-0.9.6-21.i386.rpm
                                        prior to openssl-devel-static-0.9.6-21.i386.rpm

        OpenLinux 3.1 Server            prior to openssl-0.9.6-21.i386.rpm
                                        prior to openssl-devel-0.9.6-21.i386.rpm
                                        prior to openssl-devel-static-0.9.6-21.i386.rpm

        OpenLinux 3.1 Workstation       prior to openssl-0.9.6-21.i386.rpm
                                        prior to openssl-devel-0.9.6-21.i386.rpm
                                        prior to openssl-devel-static-0.9.6-21.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/RPMS

        4.2 Packages

        cae226f7eb06d23837e4f253c024cc77        openssl-0.9.6-21.i386.rpm
        d80641bcdfc10fe4ada399fb17efe7fe        openssl-devel-0.9.6-21.i386.rpm
        0469172a21992665bc7b71f9c59d9139        openssl-devel-static-0.9.6-21.i386.rpm

        4.3 Installation

        rpm -Fvh openssl-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/SRPMS

        4.5 Source Packages

        d22d7c13968ba752f8907c009bafdcdd        openssl-0.9.6-21.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/RPMS

        5.2 Packages

        83d5c8c6a3c02d5b7a4efd81fdb81327        openssl-0.9.6-21.i386.rpm
        f8d72833634db5b626e4545ae9eea2b7        openssl-devel-0.9.6-21.i386.rpm
        ebba78193c80631b38df0fdd21ce996a        openssl-devel-static-0.9.6-21.i386.rpm

        5.3 Installation

        rpm -Fvh openssl-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/SRPMS

        5.5 Source Packages

        429d59854d06b6028b0e8b0006fee9c2        openssl-0.9.6-21.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/RPMS

        6.2 Packages

        ceaa6676fce906d6b047111c9498e30e        openssl-0.9.6-21.i386.rpm
        3df76d418a9597160366b87931a03e15        openssl-devel-0.9.6-21.i386.rpm
        5ec798cfc52cf738f162bbe3399b143d        openssl-devel-static-0.9.6-21.i386.rpm

        6.3 Installation

        rpm -Fvh openssl-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/SRPMS

        6.5 Source Packages

        b769a799583f9f132bfd6dd41397cbe8        openssl-0.9.6-21.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/RPMS

        7.2 Packages

        ce4782d57da7146f0351c443d3919a4a        openssl-0.9.6-21.i386.rpm
        1e979a4a13c91593130d521f3aa7da24        openssl-devel-0.9.6-21.i386.rpm
        fcf784370792245c1ec0423322482561        openssl-devel-static-0.9.6-21.i386.rpm

        7.3 Installation

        rpm -Fvh openssl-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
        rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/SRPMS

        7.5 Source Packages

        9cab4a8e60af1089f35893c758d00ebc        openssl-0.9.6-21.src.rpm


8. References

        Specific references for this advisory:

                http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
                http://www.openssl.org/news/secadv_20030219.txt
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr875560, fz527505,
        erg712255.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

______________________________________________________________________________

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Security Update: [CSSA-2003-014.0] Linux: several recently discovered openssl vulnerabilities security (Mar 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault