96685 2003-03-24  20:47  /189 lines/  <security@sco.com>
Imported: 2003-03-24  20:47  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: announce@lists.caldera.com
External recipient: security-alerts@linuxsecurity.com
External replies to: please_reply_to_security@sco.com
Recipient: Bugtraq (import) <4138>
Subject: Security Update: [CSSA-2003-014.0] Linux: several recently discovered openssl vulnerabilities
------------------------------------------------------------
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com


______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: several recently discovered openssl vulnerabilities
Advisory number: 	CSSA-2003-014.0
Issue date: 		2003 March 21
Cross reference:
______________________________________________________________________________


1. Problem Description

	Dan Boneh and David Brumley have successfully implemented an
	RSA timing attack against OpenSSL; the updated packages
	guard against this attack. In an upcoming paper, Brice
	Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL),
	and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a
	timing-based attack on CBC ciphersuites in SSL and TLS.
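
OpenSSL's fix for the Boneh-Brumley attack (CAN-2003-0147 in the references below) was to turn on RSA blinding, which randomizes the base of each private-key exponentiation so its timing no longer correlates with the attacker-chosen ciphertext. The following is an added illustration of that transform, not code from this advisory or from OpenSSL; the key (p = 61, q = 53) is a constructed toy value.

```python
# Added example, not code from the advisory or from OpenSSL: the RSA
# blinding transform. The key below is a constructed toy key, far too
# small for real use; the point is the transform, not the parameters.
import math
import secrets

# Constructed toy key: p = 61, q = 53, so n = 3233, e = 17, d = 2753.
N, E, D = 3233, 17, 2753


def pick_blinding_factor(n, rng=secrets.randbelow):
    """Random r in [2, n-1] with gcd(r, n) == 1, so r is invertible mod n."""
    while True:
        r = rng(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blind(c, r, e, n):
    """Multiply the ciphertext by r^e: the private exponentiation then runs
    on a base the attacker did not choose, so its timing reveals nothing
    about c."""
    return (c * pow(r, e, n)) % n


def unblind(m_blinded, r, n):
    """Strip r from the result: (c * r^e)^d = m * r (mod n)."""
    return (m_blinded * pow(r, -1, n)) % n


def decrypt_unblinded(c, d=D, n=N):
    # Timing of pow(c, d, n) depends on c, which the attacker chose.
    return pow(c, d, n)


def decrypt_blinded(c, d=D, e=E, n=N, rng=secrets.randbelow):
    r = pick_blinding_factor(n, rng)
    return unblind(pow(blind(c, r, e, n), d, n), r, n)


def encrypt(m, e=E, n=N):
    return pow(m, e, n)


if __name__ == "__main__":
    for m in (65, 123, 2000):
        c = encrypt(m)
        assert decrypt_blinded(c) == decrypt_unblinded(c) == m
    print("blinded and unblinded decryption agree")
```

The toy arithmetic here is not itself constant-time; what it shows is that the result is unchanged while the exponentiated operand is no longer under the attacker's control.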


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to openssl-0.9.6-21.i386.rpm
					prior to openssl-devel-0.9.6-21.i386.rpm
					prior to openssl-devel-static-0.9.6-21.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to openssl-0.9.6-21.i386.rpm
					prior to openssl-devel-0.9.6-21.i386.rpm
					prior to openssl-devel-static-0.9.6-21.i386.rpm

	OpenLinux 3.1 Server		prior to openssl-0.9.6-21.i386.rpm
					prior to openssl-devel-0.9.6-21.i386.rpm
					prior to openssl-devel-static-0.9.6-21.i386.rpm

	OpenLinux 3.1 Workstation	prior to openssl-0.9.6-21.i386.rpm
					prior to openssl-devel-0.9.6-21.i386.rpm
					prior to openssl-devel-static-0.9.6-21.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater,
	called cupdate (or kcupdate under the KDE environment), to
	update these packages rather than downloading and installing
	them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/RPMS

	4.2 Packages

	cae226f7eb06d23837e4f253c024cc77
	openssl-0.9.6-21.i386.rpm
	d80641bcdfc10fe4ada399fb17efe7fe
	openssl-devel-0.9.6-21.i386.rpm
	0469172a21992665bc7b71f9c59d9139
	openssl-devel-static-0.9.6-21.i386.rpm

	4.3 Installation

	rpm -Fvh openssl-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-014.0/SRPMS

	4.5 Source Packages

	d22d7c13968ba752f8907c009bafdcdd
	openssl-0.9.6-21.src.rpm
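
Before running the rpm -Fvh commands in 4.3, the downloaded packages should be checked against the md5 sums listed in 4.2. The following added script (not part of the advisory) does that for the OpenLinux 3.1.1 Server values above and refuses to build an install command if any package is missing or mismatched; the other platforms list different sums.

```python
# Added example, not code from the advisory: verify the section 4.2 md5
# sums before installing, and install nothing if anything fails to match.
# md5 is what the advisory publishes; the PGP signature on the mail is the
# stronger check on the advisory text itself.
import hashlib
import os
import sys

# OpenLinux 3.1.1 Server values from section 4.2 of the advisory.
ADVISORY_MD5 = {
    "openssl-0.9.6-21.i386.rpm": "cae226f7eb06d23837e4f253c024cc77",
    "openssl-devel-0.9.6-21.i386.rpm": "d80641bcdfc10fe4ada399fb17efe7fe",
    "openssl-devel-static-0.9.6-21.i386.rpm": "0469172a21992665bc7b71f9c59d9139",
}


def check_packages(contents, expected):
    """contents: {filename: bytes}; expected: {filename: md5 hex}.
    Returns (ok, bad): ok is a list of verified names, bad a list of
    (name, reason) for missing or mismatched packages."""
    ok, bad = [], []
    for name, want in expected.items():
        data = contents.get(name)
        if data is None:
            bad.append((name, "missing"))
            continue
        got = hashlib.md5(data).hexdigest()
        if got == want:
            ok.append(name)
        else:
            bad.append((name, "md5 mismatch: got %s" % got))
    return ok, bad


def install_command(ok, bad):
    """Only build the rpm -Fvh line when every package verified."""
    if bad:
        return None
    return "rpm -Fvh " + " ".join(ok)


def read_dir(directory, names):
    contents = {}
    for name in names:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                contents[name] = f.read()
    return contents


if __name__ == "__main__":
    d = sys.argv[1] if len(sys.argv) > 1 else "."
    ok, bad = check_packages(read_dir(d, ADVISORY_MD5), ADVISORY_MD5)
    for name, reason in bad:
        print("REFUSING:", name, reason)
    cmd = install_command(ok, bad)
    print(cmd if cmd else "nothing installed: fix the problems above first")
```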


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/RPMS

	5.2 Packages

	83d5c8c6a3c02d5b7a4efd81fdb81327
	openssl-0.9.6-21.i386.rpm
	f8d72833634db5b626e4545ae9eea2b7
	openssl-devel-0.9.6-21.i386.rpm
	ebba78193c80631b38df0fdd21ce996a
	openssl-devel-static-0.9.6-21.i386.rpm

	5.3 Installation

	rpm -Fvh openssl-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-014.0/SRPMS

	5.5 Source Packages

	429d59854d06b6028b0e8b0006fee9c2
	openssl-0.9.6-21.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/RPMS

	6.2 Packages

	ceaa6676fce906d6b047111c9498e30e
	openssl-0.9.6-21.i386.rpm
	3df76d418a9597160366b87931a03e15
	openssl-devel-0.9.6-21.i386.rpm
	5ec798cfc52cf738f162bbe3399b143d
	openssl-devel-static-0.9.6-21.i386.rpm

	6.3 Installation

	rpm -Fvh openssl-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-014.0/SRPMS

	6.5 Source Packages

	b769a799583f9f132bfd6dd41397cbe8
	openssl-0.9.6-21.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/RPMS

	7.2 Packages

	ce4782d57da7146f0351c443d3919a4a
	openssl-0.9.6-21.i386.rpm
	1e979a4a13c91593130d521f3aa7da24
	openssl-devel-0.9.6-21.i386.rpm
	fcf784370792245c1ec0423322482561
	openssl-devel-static-0.9.6-21.i386.rpm

	7.3 Installation

	rpm -Fvh openssl-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-0.9.6-21.i386.rpm
	rpm -Fvh openssl-devel-static-0.9.6-21.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-014.0/SRPMS

	7.5 Source Packages

	9cab4a8e60af1089f35893c758d00ebc
	openssl-0.9.6-21.src.rpm


8. References

	Specific references for this advisory:

		http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
		http://www.openssl.org/news/secadv_20030219.txt
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0147

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr875560, fz527505,
	erg712255.


9. Disclaimer

	SCO is not responsible for the misuse of any of the
	information we provide on this website and/or through our
	security advisories. Our advisories are a service to our
	customers intended to promote secure installation and use of
	SCO products.

______________________________________________________________________________
(96685) / <security@sco.com>/-------------(Re-wrapped)
Attachment (application/pgp-signature) in text 96686