Security: Decryption of text based on timing measurements in OpenSSL
Name: Decryption of text based on timing measurements in OpenSSL
ID: CSSA-2003-014.0
Distribution: Caldera
Platforms: Caldera Server 3.1, Caldera Workstation 3.1, Caldera Server 3.1.1, Caldera Workstation 3.1.1
Date: Sat, 22 March 2003, 12:00
References: Not specified
Applications: OpenSSL
Original message
______________________________________________________________________________
SCO Security Advisory

Subject: Linux: several recently discovered openssl vulnerabilities
Advisory number: CSSA-2003-014.0
Issue date: 2003 March 21
Cross reference:
______________________________________________________________________________
1. Problem Description
Dan Boneh and David Brumley have successfully implemented an RSA timing attack against openssl. This updated version guards against this attack. In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.
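The advisory says the updated package "guards against" the Boneh-Brumley attack but not how. The countermeasure OpenSSL enabled by default in response is RSA blinding: before applying the private exponent, the ciphertext is multiplied by r^e for a fresh random r, and the result is unblinded with r^-1 afterwards, so the secret exponentiation runs on a value the remote party cannot choose or predict and its duration no longer correlates with the submitted ciphertext. The following is an added illustration, not SCO's or OpenSSL's code; it uses a constructed textbook-sized key (p = 61, q = 53), which is of course not a secure key, and Python's `pow(r, -1, n)` (Python 3.8+) for the modular inverse.

```python
import math
import secrets

# Constructed toy RSA key for illustration only (NOT a secure key size).
P, Q = 61, 53
N = P * Q                 # 3233
E = 17
D = 2753                  # E * D == 1 (mod lcm(P-1, Q-1))


def rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    return pow(m, e, n)


def rsa_decrypt_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Textbook RSA decryption: the private exponent is applied directly to the
    caller-supplied ciphertext c, so the running time of pow() depends on c."""
    return pow(c, d, n)


def rsa_decrypt_blinded(c: int, d: int = D, e: int = E, n: int = N, rng=secrets.randbelow) -> int:
    """RSA decryption with blinding (the countermeasure OpenSSL turned on by default).

    The private exponent is applied to c * r^e mod n for a random r that is
    invertible mod n; because (r^e * c)^d == r * m (mod n), multiplying by
    r^-1 recovers m.  The value exponentiated is unpredictable to whoever
    supplied c, which removes the ciphertext/timing correlation."""
    while True:
        r = rng(n)
        # r must be invertible mod n; 0 and 1 are excluded so the blinding is real.
        if r > 1 and math.gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * r_inv) % n


def blinding_preserves_correctness(trials: int = 50) -> bool:
    """Check that blinded and unblinded decryption agree on random plaintexts."""
    for _ in range(trials):
        m = secrets.randbelow(N)
        c = rsa_encrypt(m)
        if rsa_decrypt_blinded(c) != m or rsa_decrypt_unblinded(c) != m:
            return False
    return True


if __name__ == "__main__":
    c = rsa_encrypt(65)
    print("ciphertext:", c)
    print("unblinded :", rsa_decrypt_unblinded(c))
    print("blinded   :", rsa_decrypt_blinded(c))
    print("agree on random inputs:", blinding_preserves_correctness())
```

Blinding does not make the exponentiation itself constant-time; it makes its timing independent of the input the remote party controls, which is what the published attack relies on. It costs one extra modular exponentiation (r^e) and one inversion per private-key operation, which is why it was originally optional.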
2. Vulnerable Supported Versions
System                        Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server        prior to openssl-0.9.6-21.i386.rpm
                              prior to openssl-devel-0.9.6-21.i386.rpm
                              prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1.1 Workstation   prior to openssl-0.9.6-21.i386.rpm
                              prior to openssl-devel-0.9.6-21.i386.rpm
                              prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1 Server          prior to openssl-0.9.6-21.i386.rpm
                              prior to openssl-devel-0.9.6-21.i386.rpm
                              prior to openssl-devel-static-0.9.6-21.i386.rpm

OpenLinux 3.1 Workstation     prior to openssl-0.9.6-21.i386.rpm
                              prior to openssl-devel-0.9.6-21.i386.rpm
                              prior to openssl-devel-static-0.9.6-21.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/RPMS
4.2 Packages
cae226f7eb06d23837e4f253c024cc77 openssl-0.9.6-21.i386.rpm
d80641bcdfc10fe4ada399fb17efe7fe openssl-devel-0.9.6-21.i386.rpm
0469172a21992665bc7b71f9c59d9139 openssl-devel-static-0.9.6-21.i386.rpm
4.3 Installation
rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/SRPMS
4.5 Source Packages
d22d7c13968ba752f8907c009bafdcdd openssl-0.9.6-21.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/RPMS
5.2 Packages
83d5c8c6a3c02d5b7a4efd81fdb81327 openssl-0.9.6-21.i386.rpm
f8d72833634db5b626e4545ae9eea2b7 openssl-devel-0.9.6-21.i386.rpm
ebba78193c80631b38df0fdd21ce996a openssl-devel-static-0.9.6-21.i386.rpm
5.3 Installation
rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm
5.4 Source Package Location
SRPMS
5.5 Source Packages
429d59854d06b6028b0e8b0006fee9c2 openssl-0.9.6-21.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/RPMS
6.2 Packages
ceaa6676fce906d6b047111c9498e30e openssl-0.9.6-21.i386.rpm
3df76d418a9597160366b87931a03e15 openssl-devel-0.9.6-21.i386.rpm
5ec798cfc52cf738f162bbe3399b143d openssl-devel-static-0.9.6-21.i386.rpm
6.3 Installation
rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/SRPMS
6.5 Source Packages
b769a799583f9f132bfd6dd41397cbe8 openssl-0.9.6-21.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/RPMS
7.2 Packages
ce4782d57da7146f0351c443d3919a4a openssl-0.9.6-21.i386.rpm
1e979a4a13c91593130d521f3aa7da24 openssl-devel-0.9.6-21.i386.rpm
fcf784370792245c1ec0423322482561 openssl-devel-static-0.9.6-21.i386.rpm
7.3 Installation
rpm -Fvh openssl-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/SRPMS
7.5 Source Packages
9cab4a8e60af1089f35893c758d00ebc openssl-0.9.6-21.src.rpm
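Sections 4 through 7 list an MD5 checksum beside each package precisely so that the downloaded files can be checked before `rpm -Fvh` is run. The script below is an added helper, not part of the SCO advisory: it parses a checksum list in the advisory's "digest filename" format (the embedded list is copied from section 4.2, OpenLinux 3.1.1 Server), hashes each file in a download directory and reports `ok`, `mismatch` or `missing` per package. `self_check()` exercises it on constructed files in a temporary directory, not on real RPMs. Note that MD5 is no longer collision-resistant, so this check mainly guards against truncated or corrupted downloads and against a file that simply is not the one the advisory refers to; on an installed system, `rpm --checksig` against the vendor's signing key is the stronger check.

```python
import hashlib
import tempfile
from pathlib import Path

# Checksum list copied from section 4.2 of the advisory (OpenLinux 3.1.1 Server).
ADVISORY_MD5 = """
cae226f7eb06d23837e4f253c024cc77 openssl-0.9.6-21.i386.rpm
d80641bcdfc10fe4ada399fb17efe7fe openssl-devel-0.9.6-21.i386.rpm
0469172a21992665bc7b71f9c59d9139 openssl-devel-static-0.9.6-21.i386.rpm
"""


def parse_checksum_list(text: str) -> dict:
    """Parse 'md5 filename' lines into {filename: digest}.

    Blank lines are skipped; a line with the wrong field count or a digest
    that is not 32 hex characters raises, since a silently ignored entry
    would mean a package is never checked."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 32 or any(ch not in "0123456789abcdef" for ch in digest):
            raise ValueError(f"malformed MD5 digest on line: {line!r}")
        expected[name] = digest
    return expected


def md5_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(directory, expected: dict) -> dict:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed package."""
    results = {}
    for name, digest in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def self_check() -> dict:
    """Run the verifier on constructed files (not real RPMs) in a temp directory.

    good.rpm is empty and matches the well-known MD5 of the empty input;
    bad.rpm has other content and must be reported as a mismatch;
    absent.rpm is never created and must be reported as missing."""
    empty_md5 = "d41d8cd98f00b204e9800998ecf8427e"
    constructed_list = (
        f"{empty_md5} good.rpm\n"
        f"{empty_md5} bad.rpm\n"
        f"{empty_md5} absent.rpm\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "good.rpm").write_bytes(b"")
        (Path(tmp) / "bad.rpm").write_bytes(b"tampered")
        return verify_downloads(tmp, parse_checksum_list(constructed_list))


if __name__ == "__main__":
    # Usage against a real download directory: verify_downloads("/path/to/RPMS", parse_checksum_list(ADVISORY_MD5))
    for name, status in self_check().items():
        print(f"{status:9} {name}")
```

Only install when every entry reports `ok`; a `missing` entry usually means the download was incomplete, and a `mismatch` means the file on disk is not the one the advisory describes.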
8. References
Specific references for this advisory:
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
http://www.openssl.org/news/secadv_20030219.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr875560, fz527505, erg712255.
9. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.
______________________________________________________________________________