Linux Users' Group of Davis
Page last updated: 2003 Mar 14 13:40

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] [Fwd: Vulnerability in OpenSSL]

On Fri, Mar 14, 2003 at 10:58:59AM -0800, ME wrote:
> An item that may have implications for other packages that compile against
> OpenSSL that include mod_ssl, openssh, and if you specified it in a bind
> install (or your package was so configured) BIND too.
> If this attack is addressed, then expect many new packages and package
> upgrades for your boxes from your Linux vendor for several packages
> related to encryption.

  There is a patched ssl that went into Debian Feb 21... which fixes
timing-based attacks.

openssl (0.9.6c-2.woody.2) stable-security; urgency=high

  * Non-maintainer upload by the Security Team
  * Applied patch to fix vulnerability to timing-based attacks
    (see CAN-2003-0078)
  * Applied preventative measure patch by Richard Levitte

 -- Martin Schulze <joey@infodrom.org>  Fri, 21 Feb 2003 16:34:17 +0100

  The people given credit for the paper leading to the patch are not 
the people in your report... 

A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
(SSL) implementation.  In an upcoming paper, Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
Ilion) describe and demonstrate a timing-based attack on CBC cipher
suites used in SSL and TLS.  OpenSSL has been found to be vulnerable to
this attack.

  David Brumley doesn't report which version of ssl he was using in
his tests... so it's hard to tell if these two things are the same
issue or not.

- is there any indication on your list if this problem has already
  been fixed?

> -------- Original Message --------
> Subject: Vulnerability in OpenSSL
> From: David Brumley <dbrumley@stanford.edu>
> Date: Thu, March 13, 2003 3:59 pm
> To: bugtraq@securityfocus.com
> Dan Boneh and I have been researching timing attacks against software
> To our knowledge, OpenSSL and derived crypto libraries are vulnerable.
> The results indicate that all crypto implementations should defend
> against timing attacks.
> http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
> -David Brumley