OpenPKG CVS Repository
http://cvs.openpkg.org/
Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
Module: openpkg-web                      Date:   20-Mar-2003 21:17:54
Branch: HEAD                             Handle: 2003032020175300
Added files:
openpkg-web/security/OpenPKG-SA-2003.026-openssl.txt
Modified files:
openpkg-web/security/page.pl
Log:
add first cut for OpenSSL SA
Summary:
Revision  Changes    Path
1.1       +103 -0    openpkg-web/security/OpenPKG-SA-2003.026-openssl.txt
1.10      +1 -1      openpkg-web/security/page.pl
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.026-openssl.txt
$ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.026-openssl.txt
--- /dev/null 2003-03-20 21:17:54.0 +0100
+++ OpenPKG-SA-2003.026-openssl.txt 2003-03-20 21:17:54.0 +0100
@@ -0,0 +1,103 @@
+
+
+OpenPKG Security AdvisoryThe OpenPKG Project
+http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED] [EMAIL PROTECTED]
+OpenPKG-SA-2003.026 20-Mar-2003
+
+
+Package: openssl
+Vulnerability: information leakage
+OpenPKG Specific:no
+
+Affected Releases: Affected Packages: Corrected Packages:
+OpenPKG CURRENT = openssl-0.9.7a-20030317 = openssl-0.9.7a-20030320
+OpenPKG 1.2 = openssl-0.9.7-1.2.2 = openssl-0.9.7-1.2.3
+OpenPKG 1.1 = openssl-0.9.6g-1.1.2= openssl-0.9.6g-1.1.3
+
+Affected Releases: Dependent Packages:
+
+OpenPKG CURRENT apache cadaver cpu curl dsniff easysoap ethereal
+ exim fetchmail imap imapd inn linc links lynx mico
+ mixmaster mozilla mutt nail neon openldap openvpn
+ perl-ssl postfix postgresql qpopper samba sendmail
+ siege sio sitecopy socat stunnel subversion sysmon
+ w3m wget
+
+OpenPKG 1.2 apache cpu curl ethereal fetchmail imap inn
+ links lynx mico mutt nail neon openldap perl-ssl
+ postfix postgresql qpopper samba sendmail siege
+ sitecopy socat stunnel sysmon w3m wget
+
+OpenPKG 1.1 apache curl fetchmail inn links lynx mutt neon
+ openldap perl-ssl postfix postgresql qpopper samba
+ siege sitecopy socat stunnel sysmon w3m
+
+Description:
+ According to an OpenSSL [0] security advisory [1], Czech cryptologists
+ Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an
+ extension of the Bleichenbacher attack on RSA with PKCS #1 v1.5
+ padding as used in SSL 3.0 and TLS 1.0. The attack was documented
+ in their report Attacking RSA-based Sessions in SSL/TLS [2]. The
+ Common Vulnerabilities and Exposures (CVE) project assigned the id
+ CAN-2003-0147 [3] to the problem.
+
+ Their attack requires the attacker to open millions of SSL/TLS
+ connections to the server under attack. The server's behaviour when
+ faced with specially made-up RSA ciphertexts can reveal information
+ that in effect allows the attacker to perform a single RSA private key
+ operation on a ciphertext of its choice using the server's RSA key.
+ Note that the server's RSA key is not compromised in this attack.
+
+ Please check whether you are affected by running prefix/bin/rpm -q
+ openssl. If you have the openssl package installed and its version
+ is affected (see above), we recommend that you immediately upgrade it
+ (see Solution) and it's dependent packages (see above), if any, too.
+ [4][5]
+
+Solution:
+ Select the updated source RPM appropriate for your OpenPKG release
+ [6][7], fetch it from the OpenPKG FTP service [8][9] or a mirror
+ location, verify its integrity [10], build a corresponding binary RPM
+ from it [4] and update your OpenPKG installation by applying the binary
+ RPM [5]. For the current release OpenPKG 1.2, perform the following
+ operations to permanently fix the security problem (for other releases
+ adjust accordingly).
+
+ $ ftp ftp.openpkg.org
+ ftp bin
+ ftp cd release/1.2/UPD
+ ftp get openssl-0.9.7-1.2.3.src.rpm
+ ftp bye
+ $ prefix/bin/rpm -v --checksig openssl-0.9.7-1.2.3.src.rpm
+ $ prefix/bin/rpm --rebuild openssl-0.9.7-1.2.3.src.rpm
+ $ su
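Review bot: the Description paragraph ("Their attack requires the attacker to open millions of SSL/TLS connections ...") explains what the attack lets an adversary do, but the advisory never says what the corrected packages actually change; one sentence on how the fixed openssl closes the padding oracle would let readers judge why the statically linked dependent packages listed above need rebuilding rather than just the openssl package. Two smaller points in the same paragraph block: "it's dependent packages" should read "its dependent packages", and "prefix/bin/rpm -q openssl" reads as a literal path, so the installation prefix should be marked as a placeholder (the same applies to the two "prefix/bin/rpm" commands in the Solution transcript).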