l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
April 21: Google Glass
Next Installfest:
TBD
Latest News:
Mar. 18: Google Glass at LUGOD's April meeting
Page last updated:
2003 Mar 14 13:40

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] [Fwd: Vulnerability in OpenSSL]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] [Fwd: Vulnerability in OpenSSL]



On Fri, Mar 14, 2003 at 10:58:59AM -0800, ME wrote:
> An item that may have implications for other packages that compile against
> OpenSSL that include mod_ssl, openssh, and if you specified it in a bind
> install (or your package was so configured) BIND too.
[...]
> If this attack is addressed, then expect many new packages and package
> upgrades for your boxes from your Linux vendor for several packages
> related to encryption.

  There area patched ssl that went into Debian Feb 21... which fixes
timing-based attacks.

====
openssl (0.9.6c-2.woody.2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Applied patch to fix vulnerability to timing-based attacks
    (see CAN-2003-0078)
  * Applied preventative measure patch by Richard Levitte
    <levitte@openssl.org>

 -- Martin Schulze <joey@infodrom.org>  Fri, 21 Feb 2003 16:34:17 +0100
====

  The people given credit for the paper leading to the patch are not 
the people in your report... 

http://lists.debian.org/debian-security-announce/debian-security-announce-2003/msg00035.html
===
A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
(SSL) implementation.  In an upcoming paper, Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
Ilion) describe and demonstrate a timing-based attack on CBC cipher
suites used in SSL and TLS.  OpenSSL has been found to vulnerable to
this attack.
===

  David Brumley, doesn't report which version of ssl he was using in
his tests... so it's hard to tell if these two things are the same
issue or not.

- is there any indication on your list if this problem has already
  been fixed?

> -------- Original Message --------
> Subject: Vulnerability in OpenSSL
> From: David Brumley <dbrumley@stanford.edu>
> Date: Thu, March 13, 2003 3:59 pm
> To: bugtraq@securityfocus.com
> 
> Dan Boneh and I have been researching timing attacks against software
[...]
> To our knowledge, OpenSSL and derived crypto libraries are vulnerable.
[...]
> The results indicate that all crypto implementations should defend
> against timing attacks.
[...]
> http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
[...]
> -David Brumley
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.