y Patches available for Klima-Pokorny-Rosa attack

Contributed by jose on 2003-03-20 from the not-a-good-week-for-OpenSSL dept.

Shane pointed this out to us:

"Patch 12 for 3.2 and 25 for 3.1 just came out too.
Todd Miller says:
Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.
Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.
Patch for OpenBSD 3.1: Patch 025
Patch for OpenBSD 3.2: Patch 012
The OpenSSL advisory (from which the patches are derived) is here ."

The report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa is available now , too. Thanks Shane, and thank you Todd.

(Comments are closed)

Comments

By Anonymous Coward () on 2003-03-20 02:08

2 patches for rather 'academic' security holes in one day... those researchers sure have been busy today ;)
Comments
1. By Anonymous Coward () on 2003-03-20 10:12
  
  they conducted succesful demonstration - so the insecurities vent from academic papers to industry-grade strength
2. By Anonymous Coward () on 2003-03-20 10:16
  
  I know this iss realy off Topic but i cant find the link to comment the Story directly. As a whole bunch of people commenting the storys here, i always comment the first comment of the story, and NOT the Story itself, just as this comment again. Maybe someone can tell me where my red, wracked eyes should scan for a linkt to comment the Story directly. Thank you for any respond to this ... :)
  Comments
  1. By Anonymous Coward () on 2003-03-20 11:43
    
    >
  2. By Anonymous Coward () on 2003-03-20 11:43
    
    >
  3. By Anonymous Coward () on 2003-03-20 11:44
    
    This is funny, i wanted to paste the > and <br> all i got was > <br>
  4. By Anonymous Coward () on 2003-03-20 11:45
    
    And it parses html..
  5. By Anonymous Coward () on 2003-03-21 00:39
    
    Open the detailed view of the story (with comments), then, above the first comment, there are some links: a link to the previous story, a reply link (this is the one you need), a flattened/threaded link, and optionally a link to the next story (if there is a next story)
By Anonymous Coward () on 2003-03-20 14:52

So I downloaded patch 011 and 012. I used head to see what I should do with them. I did those steps. But I can't help but think that there's a step missing. Here are the steps:

For 011:

Apply by doing:
cd /usr/src
patch -p0 <011_blinding.patch

And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install

For 012:

Apply by doing:
cd /usr/src
patch -p0 <012_kpr.patch

And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install

So here's what I did:

Apply by doing:
cd /usr/src
patch -p0 <011_blinding.patch
patch -p0 <012_kpr.patch

And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install

But don't I have to make sure that currently running processes that might have been using libssl start using the new code? How do I find out which processes use libssl? Can I just SIGHUP those processess?
Comments
1. By Anonymous Coward () on 2003-03-20 18:26
  
  ldd `which httpd`
2. By Anonymous Coward () on 2003-03-21 12:29
  
  stop/start affected daemons or reboot if you're not sure what links it in
  Comments
  1. By Anonymous Coward () on 2003-03-21 22:51
    
    examine ps aux output
    examine running programs with ldd
    restart as necessary (not kill -1), no need to reboot, as bug does not affect kernel
By Anonymous Coward () on 2003-03-21 05:50

What's OpenBSD going to deal with OpenSSL?
Comments
1. By Anonymous Coward () on 2003-03-22 09:41
  
  It is included in base distribution, not in optional ports

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]