[PLDSA 52-1] New apache-mod_ssl packages fix timing-based attack vulnerability
Krzysiek Taraszka
dzimi at pld.org.pl
Sat May 3 15:46:20 CEST 2003
- --------------------------------------------------------------------------
PLD Security Advisory PLDSA 52-1 security at pld.org.pl
http://www.pld.org.pl/security/ PLD Security Team
09 April 2003 http://www.pld.org.pl/security/faq
- --------------------------------------------------------------------------
Package : prior to apache-mod_ssl-2.8.12_1.3.27-1
Vulnerability : timing based attack
Problem-Type : remote
PLD-specific : no
CVE references : CAN-2003-0147
Upstream URL : www.openssl.org/news/secadv_20030317.txt
Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.
The above problems have been fixed in version 2.8.14_1.3.27-1 for the
current stable distribution (ra).
We recommend that you upgrade your apache-mod_ssl packages.
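RSA blinding, the mitigation named above, shown as an added Python example (not part of the advisory and not OpenSSL's code). The toy key, the message and all function names are constructed for illustration, and only the algebra is shown, since Python's `pow` is not constant-time.

```python
import secrets
from math import gcd

# Constructed toy key (two Mersenne primes); never use such a key in practice.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def encrypt(m):
    return pow(m, E, N)


def decrypt_plain(c, trace=None):
    """Unblinded: the private operation runs directly on the sender's value."""
    if trace is not None:
        trace.append(c)
    return pow(c, D, N)


def decrypt_blinded(c, trace=None):
    """Blinded: the private operation runs on c * r^e for a fresh secret r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (c * pow(r, E, N)) % N
    if trace is not None:
        trace.append(blinded)
    m_times_r = pow(blinded, D, N)          # (c * r^e)^d = m * r  (mod N)
    return (m_times_r * pow(r, -1, N)) % N  # strip r to recover m


def demo():
    m = 0x5EC2E7                            # constructed sample message
    c = encrypt(m)
    plain_inputs, blinded_inputs = [], []
    for _ in range(3):
        assert decrypt_plain(c, plain_inputs) == m
        assert decrypt_blinded(c, blinded_inputs) == m
    return c, plain_inputs, blinded_inputs


if __name__ == "__main__":
    c, plain_inputs, blinded_inputs = demo()
    print("unblinded inputs to private op:", len(set(plain_inputs)), "distinct")
    print("blinded inputs to private op:  ", len(set(blinded_inputs)), "distinct")
```

Without blinding the value fed to the private-key exponentiation is exactly what the remote peer sent; with blinding it is a fresh random-looking value on every call, so its timing no longer correlates with the peer's input.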
wget -c url
will fetch the file for you
rpm -Uhv file(s)*.rpm
will upgrade the referenced file.
If you are using the "poldek" package manager, use the lines given below
to upgrade the packages
poldek --update
will update the internal database
poldek --upgrade 'apache-mod_ssl*'
will install corrected packages
If you are using the "apt" package manager, use the lines given below
to upgrade the packages
apt-get update
will update the internal database
apt-get upgrade 'apache-mod_ssl*'
will install corrected packages
PLD Linux 1.0 alias ra
- --------------------
Source archives:
ftp://ftp.pld.org.pl/dists/ra/updates/security/SRPMS/apache-mod_ssl-2.8.14_1.3.27-1.src.rpm
MD5 checksum: 890ea3d363838b77b89ab0d8a238aae9
I386 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_ssl-2.8.14_1.3.27-1.i386.rpm
MD5 checksum: f1661d44657893cdc64234a5e20d00de
ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/apache-mod_sxnet-2.8.14_1.3.27-1.i386.rpm
MD5 checksum: 2f684d19f8f77d134d5abe27f9d88f81
I586 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_ssl-2.8.14_1.3.27-1.i586.rpm
MD5 checksum: b8f76ff708607e3dabc33791ebfb06fe
ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/apache-mod_sxnet-2.8.14_1.3.27-1.i586.rpm
MD5 checksum: 7845ab5095a815d09017573657c7a42b
I686 Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_ssl-2.8.14_1.3.27-1.i686.rpm
MD5 checksum: 7769155637db47f3391d993fad89afc2
ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/apache-mod_sxnet-2.8.14_1.3.27-1.i686.rpm
MD5 checksum: 1de87d32ec4ec8b5bd2e8233dcea7f92
PowerPC Architecture components:
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_ssl-2.8.14_1.3.27-1.ppc.rpm
MD5 checksum: e4bd94554409f7569ac61a977be2e47a
ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/apache-mod_sxnet-2.8.14_1.3.27-1.ppc.rpm
MD5 checksum: 0aefa00d9f33e5c9b0cd6ec1081115bc
- --------------------------------------------------------------------------
If you are using poldek add this line to poldek.conf.
If you are using apt-get add this line to sources.list.
For i386 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i386/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i386 base updates-security
For i586 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i586/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i586 base updates-security
For i686 architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/i686/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/i686 base updates-security
For ppc architecture
poldek: source = ra-updates-security ftp://ftp.pld.org.pl/dists/ra/updates/security/ppc/
apt-get: rpm ftp://ftp.pld.org.pl/dists ra/apt/ppc base updates-security