[security/STBR] openssl
Michał J. Podyma
misiek w r-h.pl
Czw, 20 Mar 2003, 10:22:56 CET
helo!
czy ktos moze puscic na buildery openssl'a z RA-brancha
bug (CAN-2003-0131):
OpenSSL Security Advisory [19 March 2003]
Klima-Pokorny-Rosa attack on RSA in SSL/TLS
===========================================
Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack.
This problem affects all applications using the OpenSSL SSL/TLS library.
OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed
patch modifies SSL/TLS server behaviour to avoid the vulnerability.
--
Michał J. Podyma <michalp w r-h.pl> <michalp w cna.us.edu.pl>
SySadmin @ R - H . PL [ http://f.com.pl ]
Więcej informacji o liście dyskusyjnej pld-devel-pl