y Patch #011 for 3.2, 3.1

Contributed by jose on 2003-03-19 from the secure-man-is-now-blind dept.

"Another security patch for OpenBSD. "Various SSL and TLS operations in OpenSSL are vulnerable to timing attacks." patch 011 for OpenBSD page is already available at www.openbsd.org/errata.html"

The patch for 3.2-stable is available as patch 011 , and for 3.1-stable as patch 024 . The official OpenSSL group advisory located here is worth a read, too, and contains the link to the CVE candidate. The paper itself on this is pretty cool too (PDF) . Thank you, Todd, for the heads up.

(Comments are closed)

Comments

By Shane () on 2003-03-20 12:29

Patch 12 for 3.2 and 25 for 3.1 just came out too.

Todd Miller says:

Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.

Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/025_kpr.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/012_kpr.patch

The OpenSSL advisory (from which the patches are derived) is:
http://www.openssl.org/news/secadv_20030319.txt

The following paper describes the attack in detail:
http://eprint.iacr.org/2003/052/
By Anonymous Coward () on 2003-03-20 09:39

I don't understand, is patch #11 neccessary if I am running an OpenSSH daemon but not using SSL with Apache?
Comments
1. By Anonymous Coward () on 2003-03-20 10:49
  
  Everyone, unless you want to keep unsafe software around...
2. By Anonymous Coward () on 2003-03-22 14:17
  
  Well, doing an ldd on /usr/sbin/sshd doesn't show any ssl, so I take it that one can safely run sshd on an unpatched server.

Latest Articles

Wed, Apr 24
- 04:35 Game of Trees 0.98 released (0)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]