
Security Update: [CSSA-2003-014.0] Linux: several recently discovered openssl vulnerabilities



security@sco.com
24/03/03, 21:50

To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

SCO Security Advisory

Subject: Linux: several recently discovered openssl vulnerabilities
Advisory number: CSSA-2003-014.0
Issue date: 2003 March 21
Cross reference:
______________________________________________________________________________


1. Problem Description

Dan Boneh and David Brumley have successfully implemented an
RSA timing attack against openssl. This updated version guards
against this attack. In an upcoming paper, Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux
(EPFL, Ilion) describe and demonstrate a timing-based attack on
CBC ciphersuites in SSL and TLS.
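The Boneh-Brumley attack measures how long the server's RSA private operation takes on attacker-chosen ciphertexts. The standard countermeasure is RSA blinding: the secret exponentiation is applied to a randomised value rather than to the caller's ciphertext, so its timing carries no usable information about the key. The following is an added illustration, not code from the advisory or from OpenSSL; the key (two Mersenne primes) and the message are constructed for the demo and far too small for real use.

```python
import math
import secrets

# Demo key built from two Mersenne primes (constructed for illustration only;
# real keys are far larger and generated with proper prime generation).
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


class BlindedRSA:
    """Textbook RSA private operation, with and without blinding."""

    def __init__(self, p, q, e):
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

    def encrypt(self, m):
        return pow(m, self.e, self.n)

    def decrypt_unblinded(self, c):
        # The secret exponentiation runs directly on the caller-chosen
        # ciphertext c, so its running time is a function of c and d: that
        # dependency is what a timing attack measures.
        return pow(c, self.d, self.n)

    def decrypt_blinded(self, c):
        # Pick a fresh random r coprime with n for every private operation.
        while True:
            r = secrets.randbelow(self.n - 2) + 2
            if math.gcd(r, self.n) == 1:
                break
        # Blind: the value that reaches the secret exponentiation is
        # c * r^e mod n, uniformly random and unknown to the caller.
        c_blind = (c * pow(r, self.e, self.n)) % self.n
        m_blind = pow(c_blind, self.d, self.n)
        # Unblind: (c * r^e)^d = m * r (mod n), so multiply by r^-1.
        m = (m_blind * pow(r, -1, self.n)) % self.n
        return m, c_blind


def roundtrip(message):
    """Encrypt, decrypt with blinding, and return (m, m_out, blinded base)."""
    rsa = BlindedRSA(P, Q, E)
    m = int.from_bytes(message, "big")
    assert m < rsa.n, "demo modulus is ~92 bits; keep the message shorter"
    c = rsa.encrypt(m)
    m_out, c_blind = rsa.decrypt_blinded(c)
    return m, m_out, c_blind


if __name__ == "__main__":
    print(roundtrip(b"CSSA-2003"))
```

Two blinded decryptions of the same ciphertext present different bases to the secret exponentiation yet return the same plaintext.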


2. Vulnerable Supported Versions

System                         Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server         prior to openssl-0.9.6-21.i386.rpm
                               prior to openssl-devel-0.9.6-21.i386.rpm
                               prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1.1 Workstation    prior to openssl-0.9.6-21.i386.rpm
                               prior to openssl-devel-0.9.6-21.i386.rpm
                               prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1 Server           prior to openssl-0.9.6-21.i386.rpm
                               prior to openssl-devel-0.9.6-21.i386.rpm
                               prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1 Workstation      prior to openssl-0.9.6-21.i386.rpm
                               prior to openssl-devel-0.9.6-21.i386.rpm
                               prior to openssl-devel-static-0.9.6-21.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/RPMS

4.2 Packages

cae226f7eb06d23837e4f253c024cc77 openssl-0.9.6-21.i386.rpm
d80641bcdfc10fe4ada399fb17efe7fe openssl-devel-0.9.6-21.i386.rpm
0469172a21992665bc7b71f9c59d9139 openssl-devel-static-0.9.6-21.i386.rpm

4.3 Installation

rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm
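The advisory lists an MD5 checksum beside each package so that a downloaded file can be checked before it is handed to rpm. The script below, an added example and not part of the advisory, parses the section 4.2 checksum list (embedded here; the other sections carry different checksums for the same filenames), verifies each file in a directory and only produces the `rpm -Fvh` command when every package matches. The command-line directory argument is the script's own convention.

```python
import hashlib
import sys
from pathlib import Path

# Checksum list copied from section 4.2 of the advisory (OpenLinux 3.1.1 Server).
MANIFEST = """\
cae226f7eb06d23837e4f253c024cc77 openssl-0.9.6-21.i386.rpm
d80641bcdfc10fe4ada399fb17efe7fe openssl-devel-0.9.6-21.i386.rpm
0469172a21992665bc7b71f9c59d9139 openssl-devel-static-0.9.6-21.i386.rpm
"""


def parse_manifest(text):
    """Return {filename: md5hex} from 'md5 filename' lines; blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[parts[1]] = parts[0].lower()
    return entries


def verify(manifest, read_bytes):
    """Compare each listed file with its expected MD5.

    read_bytes(name) returns the file contents or raises FileNotFoundError.
    Returns [(name, status)] with status 'ok', 'missing' or 'MISMATCH'.
    """
    results = []
    for name, expected in manifest.items():
        try:
            actual = hashlib.md5(read_bytes(name)).hexdigest()
        except FileNotFoundError:
            results.append((name, "missing"))
            continue
        results.append((name, "ok" if actual == expected else "MISMATCH"))
    return results


def install_command(results):
    """Return the rpm freshen command, or None if any package failed to verify."""
    if any(status != "ok" for _, status in results):
        return None
    return ["rpm", "-Fvh"] + [name for name, _ in results]


if __name__ == "__main__":
    directory = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    res = verify(parse_manifest(MANIFEST), lambda n: (directory / n).read_bytes())
    for name, status in res:
        print(f"{status:9} {name}")
    cmd = install_command(res)
    print(" ".join(cmd) if cmd else "checksum verification failed; not installing")
```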

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/SRPMS

4.5 Source Packages

d22d7c13968ba752f8907c009bafdcdd openssl-0.9.6-21.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/RPMS

5.2 Packages

83d5c8c6a3c02d5b7a4efd81fdb81327 openssl-0.9.6-21.i386.rpm
f8d72833634db5b626e4545ae9eea2b7 openssl-devel-0.9.6-21.i386.rpm
ebba78193c80631b38df0fdd21ce996a openssl-devel-static-0.9.6-21.i386.rpm

5.3 Installation

rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/SRPMS

5.5 Source Packages

429d59854d06b6028b0e8b0006fee9c2 openssl-0.9.6-21.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/RPMS

6.2 Packages

ceaa6676fce906d6b047111c9498e30e openssl-0.9.6-21.i386.rpm
3df76d418a9597160366b87931a03e15 openssl-devel-0.9.6-21.i386.rpm
5ec798cfc52cf738f162bbe3399b143d openssl-devel-static-0.9.6-21.i386.rpm

6.3 Installation

rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

6.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/SRPMS

6.5 Source Packages

b769a799583f9f132bfd6dd41397cbe8 openssl-0.9.6-21.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/RPMS

7.2 Packages

ce4782d57da7146f0351c443d3919a4a openssl-0.9.6-21.i386.rpm
1e979a4a13c91593130d521f3aa7da24 openssl-devel-0.9.6-21.i386.rpm
fcf784370792245c1ec0423322482561 openssl-devel-static-0.9.6-21.i386.rpm

7.3 Installation

rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

7.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/SRPMS

7.5 Source Packages

9cab4a8e60af1089f35893c758d00ebc openssl-0.9.6-21.src.rpm


8. References

Specific references for this advisory:

http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
http://www.openssl.org/news/secadv_20030219.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr875560, fz527505,
erg712255.


9. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.

______________________________________________________________________________
