Re: OpenSSL Security Advisory [19 February 2003]
On Thursday 20 February 2003 16:10, Mitja Muženič wrote:
> http://www.openssl.org/news/secadv_20030219.txt
>
> Seems they suggest moving up to the latest OpenSSL since stuff made before Feb
> 19 (version 0.9.6i or OpenSSL 0.9.7a) might be vulnerable.
>
> This is on my -stable box:
>
> mail# uname -srvm
> OpenBSD 3.2 GENERIC#0 i386
> mail# openssl version
> OpenSSL 0.9.7-beta3 30 Jul 2002
>
>
> A brief check in cvs shows that even -current has the same version. Any
> thoughts?
>
>
> Regards, Mitja
I believe that was committed yesterday. --STeve Andre'
(copy of CVS entry)
CVS: cvs.openbsd.org: src
From: Markus Friedl <markus@cvs.openbsd.org>
To: source-changes@cvs.openbsd.org
CVSROOT: /cvs
Module name: src
Changes by: markus@cvs.openbsd.org 2003/02/19 13:37:46
Modified files:
lib/libssl/src/ssl: s3_pkt.c
Log message:
security fix from openssl 0.9.7a:
In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
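The countermeasure in the log message above, as an added example in C (not OpenSSL's or OpenBSD's code): a record check that returns as soon as padding looks wrong, beside the fixed shape that folds the padding result into a flag and always runs the MAC. The record layout, the toy keyed hash standing in for the real MAC, and the `mac_calls` counter are constructed for this example so the difference in work is visible.

```c
#include <stdint.h>
#include <string.h>

/* Toy keyed hash standing in for the record MAC (constructed for this example). */
static uint32_t toy_mac(const uint8_t *key, const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 16; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++)  { h ^= p[i];   h *= 16777619u; }
    return h;
}

int mac_calls = 0; /* MAC computations performed: the work whose absence is timeable */

/* Decrypted record layout: data || MAC (4 bytes) || padding, where the last
 * byte holds pad and all pad+1 trailing bytes equal pad (TLS-style). */
size_t build_record(const uint8_t *key, const uint8_t *data, size_t dlen,
                    uint8_t pad, uint8_t *out) {
    uint32_t m = toy_mac(key, data, dlen);
    memcpy(out, data, dlen);
    memcpy(out + dlen, &m, 4);
    memset(out + dlen + 4, pad, (size_t)pad + 1);
    return dlen + 4 + (size_t)pad + 1;
}

/* Pre-fix shape: bad padding returns before any MAC work is done. */
int check_leaky(const uint8_t *key, const uint8_t *rec, size_t len) {
    if (len < 5) return 0;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 5 > len) return 0;            /* MAC skipped */
    for (size_t i = 0; i <= pad; i++)
        if (rec[len - 1 - i] != pad) return 0;       /* MAC skipped */
    size_t dlen = len - pad - 5;
    mac_calls++;
    uint32_t m = toy_mac(key, rec, dlen);
    return memcmp(&m, rec + dlen, 4) == 0;
}

/* Fixed shape: padding result goes into a flag and the MAC is always computed. */
int check_fixed(const uint8_t *key, const uint8_t *rec, size_t len) {
    if (len < 5) return 0;
    uint8_t pad = rec[len - 1];
    int ok = 1;
    if ((size_t)pad + 5 > len) { ok = 0; pad = 0; } /* keep indexes in range */
    for (size_t i = 0; i <= pad; i++)
        ok &= (rec[len - 1 - i] == pad);
    size_t dlen = len - pad - 5;
    mac_calls++;                                      /* always computed */
    uint32_t m = toy_mac(key, rec, dlen);
    ok &= (memcmp(&m, rec + dlen, 4) == 0);
    return ok;
}
```

The `memcmp` and the data-length-dependent hash still vary in time; the fix here only removes the large padding-vs-MAC gap the advisory describes.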