Mandrake alert: Updated openssl packages fix RSA-related insecurities

Posted by dave on Mar 25, 2003 9:24 AM EDT
Mailing list
Mail this story
Print this story

Researchers discovered a timing-based attack on RSA keys that OpenSSL is generally vulnerable to, unless RSA blinding is enabled. Patches from the OpenSSL team have been applied to turn RSA blinding on by default.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           openssl
Advisory ID:            MDKSA-2003:035
Date:                   March 25th, 2003

Affected versions:	7.2, 8.0, 8.1, 8.2, 9.0, 9.1,
			Corporate Server 2.1,
			Multi Network Firewall 8.2,
			Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

 Researchers discovered a timing-based attack on RSA keys that OpenSSL 
 is generally vulnerable to, unless RSA blinding is enabled.  Patches 
 from the OpenSSL team have been applied to turn RSA blinding on by 
 default.
 
 An extension of the "Bleichenbacher attack" on RSA with PKS #1 v1.5 
 padding as used in SSL 3.0 and TSL 1.0 was also created by Czech 
 cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa.  This 
 attack requires the attacker to open millions of SSL/TLS connections to 
 the server they are attacking.  This is done because the server's 
 behaviour when faced with specially crafted RSA ciphertexts can reveal 
 information that would in effect allow the attacker to perform a single 
 RSA private key operation on a ciphertext of their choice, using the 
 server's RSA key.  Despite this, the server's RSA key is not 
 compromised at any time.  Patches from the OpenSSL team modify SSL/TLS 
 server behaviour to avoid this vulnerability.
________________________________________________________________________

References:
  
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
  http://www.openssl.org/news/secadv_20030317.txt
  http://www.openssl.org/news/secadv_20030319.txt
  http://eprint.iacr.org/2003/052/
  http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
________________________________________________________________________

Updated Packages:
  
 Corporate Server 2.1:
 1f97f51fc7844e5f6802e3aa6ca74791  corporate/2.1/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 d040d1e5d74236246dc6e704bb2203f3  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 2f97c2eb1dfcc103ee9d9b7bc0da1ce6  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 8ced8d0418a91356f5ca9cb0c92ed13c  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  corporate/2.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Linux-Mandrake 7.2:
 2456e38a9b1cb8a7a417ce813722d359  7.2/RPMS/openssl-0.9.5a-9.5mdk.i586.rpm
 25570e4332467ed6b9b66f7b83b98a5f  7.2/RPMS/openssl-devel-0.9.5a-9.5mdk.i586.rpm
 b81d7f132522e14f3ff3c72084ff598d  7.2/SRPMS/openssl-0.9.5a-9.5mdk.src.rpm

 Mandrake Linux 8.0:
 81d9b10942d49d2f9ced14e3a71424fd  8.0/RPMS/openssl-0.9.6i-1.3mdk.i586.rpm
 606e4b4e4e3b616bed2010853e53d51d  8.0/RPMS/openssl-devel-0.9.6i-1.3mdk.i586.rpm
 3b74a6605f4432dbe0edde40aa3dcadb  8.0/SRPMS/openssl-0.9.6i-1.3mdk.src.rpm

 Mandrake Linux 8.0/PPC:
 cdcb83e78a92995f41abc3cb609a3c1a  ppc/8.0/RPMS/openssl-0.9.6i-1.3mdk.ppc.rpm
 4ab4f18f118d908b25582c448b36e8ef  ppc/8.0/RPMS/openssl-devel-0.9.6i-1.3mdk.ppc.rpm
 3b74a6605f4432dbe0edde40aa3dcadb  ppc/8.0/SRPMS/openssl-0.9.6i-1.3mdk.src.rpm

 Mandrake Linux 8.1:
 b2ec1909cd8d4b545f400dfdd8dd21b8  8.1/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 a5958222e4b56b28310b433a4cbf404c  8.1/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 f320b1015cf36d96e7112b422eaac247  8.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 0ac93e28e8ea7961271fb1347bce45c0  8.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  8.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Mandrake Linux 8.1/IA64:
 e5bf45db5e39cabb968f67714fed5dc7  ia64/8.1/RPMS/openssl-0.9.6i-1.4mdk.ia64.rpm
 c980bab7c8b6ca490b10320c0627b8c8  ia64/8.1/RPMS/libopenssl0-0.9.6i-1.4mdk.ia64.rpm
 7cc714df2377bf7e829e0b3c4beca86e  ia64/8.1/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.ia64.rpm
 132dafc5478b2d29ccbe00db9cdf4e23  ia64/8.1/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.ia64.rpm
 af0095b439927a91290dd7042ee5628b  ia64/8.1/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Mandrake Linux 8.2:
 dda78cd11a20595e53312afc653fac9f  8.2/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 4a7cd0178f82443f809cb38891582175  8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 74b935ecd6879032ac68b5b44ad5c561  8.2/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 98c8aea58c05af35f8332cb41bd270af  8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Mandrake Linux 8.2/PPC:
 2473c3a4fa6d6590ba1cc159db8ed340  ppc/8.2/RPMS/openssl-0.9.6i-1.4mdk.ppc.rpm
 d1305bcf73666db63baebed6804b8a6c  ppc/8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.ppc.rpm
 64f4c5e2c6208a391672a4402928200f  ppc/8.2/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.ppc.rpm
 54d6290be283a0c38e54158db6a97474  ppc/8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.ppc.rpm
 af0095b439927a91290dd7042ee5628b  ppc/8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Mandrake Linux 9.0:
 1f97f51fc7844e5f6802e3aa6ca74791  9.0/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 d040d1e5d74236246dc6e704bb2203f3  9.0/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 2f97c2eb1dfcc103ee9d9b7bc0da1ce6  9.0/RPMS/libopenssl0-devel-0.9.6i-1.4mdk.i586.rpm
 8ced8d0418a91356f5ca9cb0c92ed13c  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  9.0/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Mandrake Linux 9.1:
 288774348383b48d7df2aab9a0880bca  9.1/RPMS/openssl-0.9.7a-1.1mdk.i586.rpm
 0c74aa06e11cebfd819f791bcc4273d5  9.1/RPMS/libopenssl0-0.9.6i-1.1mdk.i586.rpm
 2b55957ae61d7358f285c9c0367faaaa  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.1mdk.i586.rpm
 21742fc79ee8127df48c2ac8e442dd9e  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.1mdk.i586.rpm
 773588cdfb5e60f79bc9fba2c519e558  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.1mdk.i586.rpm
 0b94e67c6e3e1bc3401a527094bc00de  9.1/SRPMS/openssl-0.9.7a-1.1mdk.src.rpm
 b95b94b3edb0c6a1a7c1e8d3d1f028fa  9.1/SRPMS/openssl0.9.6-0.9.6i-1.1mdk.src.rpm

 Mandrake Linux 9.1/PPC:
 00f6efe10d3d5b6a0190ccd5498c09e5  ppc/9.1/RPMS/openssl-0.9.7a-1.1mdk.ppc.rpm
 622128e23bbe2e34c90bd4ee27384621  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.1mdk.ppc.rpm
 8398460586e2e2551db62d7206bdc9db  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.1mdk.ppc.rpm
 ccc5f5eb95404a3f114dbe486d466350  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.1mdk.ppc.rpm
 cfcfacd4af2fcd34afa32d9494e81277  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.1mdk.ppc.rpm
 0b94e67c6e3e1bc3401a527094bc00de  ppc/9.1/SRPMS/openssl-0.9.7a-1.1mdk.src.rpm
 b95b94b3edb0c6a1a7c1e8d3d1f028fa  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.1mdk.src.rpm

 Multi Network Firewall 8.2:
 dda78cd11a20595e53312afc653fac9f  mnf8.2/RPMS/openssl-0.9.6i-1.4mdk.i586.rpm
 4a7cd0178f82443f809cb38891582175  mnf8.2/RPMS/libopenssl0-0.9.6i-1.4mdk.i586.rpm
 af0095b439927a91290dd7042ee5628b  mnf8.2/SRPMS/openssl-0.9.6i-1.4mdk.src.rpm

 Single Network Firewall 7.2:
 2456e38a9b1cb8a7a417ce813722d359  snf7.2/RPMS/openssl-0.9.5a-9.5mdk.i586.rpm
 b81d7f132522e14f3ff3c72084ff598d  snf7.2/SRPMS/openssl-0.9.5a-9.5mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig <filename>

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA
BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H
8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K
+jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy
YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j
b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+
AJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E
OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ
9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR
xBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z
269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN
6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ
jTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo
0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ
EJGXlA==
=yGlX
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+gJ4xmqjQ0CJFipgRAvPzAKCR1bDWb8DyVDQlMPFhUUdQfivNGACeMBQ7
RKEJEXBQQRKgBuKRrrISLtQ=
=UEa1
-----END PGP SIGNATURE-----

  Nav
» Read more about: Story Type: Security; Groups: Mandriva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.