[vox] Updates for apps compiled against OpenSSL: mod_ssl, stunnel

ME vox@lists.lugod.org
Fri, 21 Mar 2003 14:25:43 -0800 (PST)


New versions of mod_ssl and stunnel have been released to deal with the
recently published OpenSSL timing attack. If you use either of these, you
may want to consult your vendor for updates.

(If you got the mod_ssl from March 18, a new one was released again on
March 20. Now up to 2.8.14-1.3.27)

-ME

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant



---------------------------- Original Message ----------------------------
Subject: Updates: OpenSSL, mod_ssl, stunnel
From:    "ME" <dugan@passwall.com>
Date:    Fri, March 21, 2003 2:13 pm
To:      unix@SONOMA.EDU
--------------------------------------------------------------------------
Hello,

A timing attack was found to permit exposure of a key used by OpenSSL to a
third party. Though the requirements for such an attack are not trivial,
it is considered a "known security risk".

New versions of mod_ssl and stunnel have been released. The latest versions
of OpenSSL (0.9.6i and 0.9.7a) are not exposed to this known risk.

Upgrades are suggested.
