OpenPKG Corporation → Security → Security Advisories

OpenPKG Security Advisory

OpenPKG-SA-2003.019

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2003.019
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2003.019
Advisory Published:      2010-02-09 09:39 UTC

Issue Id (internal):     OpenPKG-SI-20030318.01
Issue First Created:     2003-03-18
Issue Last Modified:     2006-11-28
Issue Revision:          05


Subject Name:            OpenSSL
Subject Summary:         Cryptography and SSL/TLS Toolkit
Subject Home:            http://www.openssl.org/
Subject Versions:        * <= 0.9.7a

Vulnerability Id:        CVE-2003-0147
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system, remote network
Attack Impact:           exposure of sensitive information

Description:
    David Brumley and Dan Boneh of Stanford University have researched
    and documented a timing attack on OpenSSL which allows local and
    remote attackers to extract the RSA private key of a server. [0] The
    OpenSSL [1] RSA implementation is generally vulnerable to these type
    of attacks unless RSA blinding has been turned on [2].
    
    Typically, RSA blinding is not enabled by OpenSSL based applications,
    mainly because it is not obvious how to do so when using OpenSSL to
    provide SSL/TLS. This problem affects mostly all applications using
    OpenSSL and have to be rebuilded against the fixed OpenSSL version
    (where RSA blinding is now enabled by default) or have to enable RSA
    blinding explicitly their own.
    
    The performance impact of RSA blinding appears to be small (a few
    percent only) and the RSA functionality is still fully compatible.

References:
    [0] http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
    [1] http://www.openssl.org/
    [2] http://www.openssl.org/news/secadv_20030317.txt
    [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0147
    [4] http://www.openpkg.org/tutorial.html#regular-source
    [5] http://www.openpkg.org/tutorial.html#regular-binary
    [6] ftp://ftp.openpkg.org/release/1.1/UPD/openssl-0.9.6g-1.1.2.src.rpm
    [7] ftp://ftp.openpkg.org/release/1.2/UPD/openssl-0.9.7-1.2.2.src.rpm
    [8] ftp://ftp.openpkg.org/release/1.1/UPD/
    [9] ftp://ftp.openpkg.org/release/1.2/UPD/
    [10] http://www.openpkg.org/security.html#signature


Primary Package Name:    openssl
Primary Package Home:    http://openpkg.org/go/package/openssl

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Community        1.1-SOLID         openssl-0.9.6g-1.1.1
OpenPKG Community        1.2-SOLID         openssl-0.9.7-1.2.1
OpenPKG Community        CURRENT           openssl-0.9.7a-20030219

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Community        1.1-SOLID         openssl-0.9.6g-1.1.2
OpenPKG Community        1.2-SOLID         openssl-0.9.7-1.2.2
OpenPKG Community        CURRENT           openssl-0.9.7a-20030317

→ Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
→ more...

Validation: XHTML | CSS

Organisations
Products
- OpenPKG Community
- Features
- Technology Pitch
- Package Database
- Registration
  - Registration Overview
  - Registry Service
- Download
  - Download Policy
  - Download Service
- Sales
  - Request
Services
Security
Documentation
- Flyer
- Presentation
- Showcase
- Article
- Thesis
- Tutorial
- Packaging
- F.A.Q
Community
My OpenPKG