Contributed by jose on from the not-a-good-week-for-OpenSSL dept.
"Patch 12 for 3.2 and 25 for 3.1 just came out too. The report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa is available now, too. Thanks Shane, and thank you Todd. Todd Miller says:
Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.
Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.
Patch for OpenBSD 3.1: Patch 025
Patch for OpenBSD 3.2: Patch 012
The OpenSSL advisory (from which the patches are derived) is here."
Comments
By Anonymous Coward
For 011:
Apply by doing:
cd /usr/src
patch -p0 <011_blinding.patch
And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install
For 012:
Apply by doing:
cd /usr/src
patch -p0 <012_kpr.patch
And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install
So here's what I did:
Apply by doing:
cd /usr/src
patch -p0 <011_blinding.patch
patch -p0 <012_kpr.patch
And then rebuild and install OpenSSL:
rm -fr /usr/obj/lib/libssl
cd lib/libssl
make obj
make cleandir
make depend
make
make install
But don't I have to make sure that currently running processes that might have been using libssl start using the new code? How do I find out which processes use libssl? Can I just SIGHUP those processes?
By Anonymous Coward
Examine running programs with ldd; restart as necessary (not kill -1). No need to reboot, as the bug does not affect the kernel.
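As an added example of the ldd check suggested in the reply above (not the commenter's own commands), the script below lists running programs whose executable still links libssl or libcrypto after the rebuilt library is installed, so they can be restarted rather than SIGHUPed. It assumes OpenBSD's lib/libssl tree installs both libraries, that ps(1) accepts the -o keywords used, and that the sample ldd output is constructed (addresses and library version numbers are made up).

```shell
#!/bin/sh
# Added example, not from the thread: find processes still worth restarting
# after the patched libssl/libcrypto are installed. Assumptions: LIB_PATTERN,
# the ps(1) keywords used, and the constructed ldd output in the samples.

LIB_PATTERN='lib(ssl|crypto)\.so'

# uses_ssl_lib: read ldd(1) output on stdin; succeed if it maps either library.
uses_ssl_lib() {
    grep -Eq "$LIB_PATTERN"
}

# exe_of_pid: best-effort path of a pid's executable. The first word of the
# command line is what was exec'd; resolve it with command -v if not a path.
exe_of_pid() {
    cmd=$(ps -p "$1" -o args= 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$cmd" ] || return 1
    case "$cmd" in
        /*) printf '%s\n' "$cmd" ;;
        *)  command -v "$cmd" 2>/dev/null ;;
    esac
}

# list_ssl_users: print "pid path" for every running program linking the libs.
# Not caught: statically linked binaries, chrooted daemons whose path differs
# from the host view, and programs that dlopen() the library at runtime.
list_ssl_users() {
    ps -axo pid= | while read -r pid; do
        exe=$(exe_of_pid "$pid") || continue
        [ -x "$exe" ] || continue
        if ldd "$exe" 2>/dev/null | uses_ssl_lib; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

# Constructed OpenBSD-style ldd output (addresses and versions are made up).
SAMPLE_LINKED='Start    End      Type Open Ref GrpRef Name
00000000 00000000 exe  1    0   0      /usr/sbin/httpd
00000000 00000000 rlib 0    1   0      /usr/lib/libssl.so.0.0
00000000 00000000 rlib 0    1   0      /usr/lib/libcrypto.so.0.0
00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.0.0'
SAMPLE_UNLINKED='Start    End      Type Open Ref GrpRef Name
00000000 00000000 exe  1    0   0      /bin/ls
00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.0.0'
```

Run `list_ssl_users` as root to see the live list; anything it prints is a candidate for a clean restart.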