Home page logo
/

bugtraq logo Bugtraq mailing list archives

Immunix Secured OS 7+ openssl update
From: Immunix Security Team <security () wirex com>
Date: Wed, 26 Mar 2003 18:24:12 -0800

-----------------------------------------------------------------------
        Immunix Secured OS Security Advisory

Packages updated:       openssl, openssh, mod_ssl
Affected products:      ImmunixOS 6.2, 7.0, 7+
Bugs fixed:             CAN-2003-0131 CAN-2003-0147
Date:                   Wed Mar 26 2003
Advisory ID:            IMNX-2003-7+-001-01
Author:                 Seth Arnold <sarnold () wirex com>
-----------------------------------------------------------------------

Description:
  This update fixes two problems with openssl packages and recompiles
  openssh and mod_ssl against the new version of openssl. Quoting from
  the OpenSSL advisory:
    Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an
    extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5
    padding as used in SSL 3.0 and TLS 1.0. Their attack requires the
    attacker to open millions of SSL/TLS connections to the server under
    attack; the server's behaviour when faced with specially made-up RSA
    ciphertexts can reveal information that in effect allows the attacker
    to perform a single RSA private key operation on a ciphertext of
    its choice using the server's RSA key. Note that the server's RSA
    key is not compromised in this attack.
  The other problem, quoting from the CERT advisory: David Brumley and Dan
    Boneh, researchers at Stanford University, have written a paper that
    demonstrates a practical attack that can be used to extract private
    keys from vulnerable RSA applications.  Using statistical techniques
    and carefully measuring the amount of time required to complete an
    RSA operation, an attacker can recover one of the factors (q) of the
    RSA key. [...] Under optimal conditions, a 1024-bit RSA private key
    was extracted in approximately two hours using ~350,000 guesses.

  References: http://www.kb.cert.org/vuls/id/997481
  http://www.openssl.org/news/secadv_20030319.txt

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/mod_ssl-2.8.12-1.7_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-askpass-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-clients-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssh-server-3.4p1-1_imnx_10.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-0.9.6g-1_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-devel-0.9.6g-1_imnx_2.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/openssl-perl-0.9.6g-1_imnx_2.i386.rpm

Immunix OS 7+ md5sums:
  17a8a4c07a421c0b0a98369d77d06ed4  openssh-3.4p1-1_imnx_10.i386.rpm
  59bffcfb9ca2fbe74e9d2eb3568d134a  openssh-askpass-3.4p1-1_imnx_10.i386.rpm
  37d2acf53c72ee23e5f9576557a5fd6e  openssh-clients-3.4p1-1_imnx_10.i386.rpm
  d61f9a2c3fc41f8dded88f2b84be2a83  openssh-server-3.4p1-1_imnx_10.i386.rpm
  ccb8fa2cce44efa243d368cf7785b9cf  openssl-0.9.6g-1_imnx_2.i386.rpm
  0ba9e8a2c9728a64ee4a89aa2cecd804  openssl-devel-0.9.6g-1_imnx_2.i386.rpm
  fa6f0d1dde78b941a8bc9147dfd7a5b6  openssl-perl-0.9.6g-1_imnx_2.i386.rpm
  490d4340e153daff3e3e4e548321e5af  mod_ssl-2.8.12-1.7_imnx_2.i386.rpm


GPG verification:                                                               
  Our public key is available at <http://wirex.com/security/GPG_KEY>.           

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security () wirex com  WireX 
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
  • Immunix Secured OS 7+ openssl update Immunix Security Team (Mar 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]