Linux Today: Linux News On Internet Time.

More on LinuxToday

Conectiva Linux Advisory: openssl

Feb 25, 2003, 13:59 (0 Talkback[s])

- --------------------------------------------------------------------------
- --------------------------------------------------------------------------

PACKAGE   : openssl
SUMMARY   : Information leak in encrypted connections
DATE      : 2003-02-24 19:25:00
ID        : CLA-2003:570
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

 OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and
 Transport Layer Security (TLS v1) protocols as well as full-strength
 general purpose cryptography functions. It's used (as a library) by
 several projects, like Apache, OpenSSH, Bind, OpenLDAP and many
 others clients and servers programs.
 In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
 Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
 demonstrate a timing-based attack on CBC ciphersuites in SSL and
 Vulnerable[2][3] openssl versions do not perform a MAC computation if
 an incorrect block cipher padding is used. An active attacker who can
 insert data into an existing encrypted connection is then able to
 measure time differences between the error messages the server sends.
 This information can make it easier to launch cryptographic attacks
 that rely on distinguishing between padding and MAC verification
 errors, possibly leading to extraction of the original plaintext.
 The openssl packages provided with this update are patched against
 this vulnerability.

 It is recommended that all users upgrade their openssl packages.
 Please note that it is necessary to restart services which use the
 library (such as the apache web server with SSL enabled) so that the
 new, fixed, version is used. A list of such applications can be
 obtained after the upgrade with the following command:
 lsof | grep libssl
 The first column will contain the name of the application that needs
 to be restarted. If there is any doubt about which application has to
 be restarted or how to do it, we recommend that the system be


 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at