Date: Sat, 22 Mar 2003 21:09:23 +0900 (JST)
From: ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp>
To: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:06.openssl
Message-ID: <20030322.210923.71081935.tsuyoshi@is.s.u-tokyo.ac.jp>
In-Reply-To: <200303212052.h2LKqYWw013362@freefall.freebsd.org>
References: <200303212052.h2LKqYWw013362@freefall.freebsd.org>
Hello,

Will the fix for the problem (2) be included in ports/security/openssl
in 4.8-RELEASE? The ports tree has been tagged RELEASE_4_8_0 already,
and the fix for the problem (2) is not yet included.

If it is not, people should be careful not to overwrite OpenSSL in the
base with the one in the port.

> (2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
> have come up with an extension of the "Bleichenbacher attack" on
> RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.
> Their attack requires the attacker to open millions of SSL/TLS
> connections to the server under attack; the server's behaviour
> when faced with specially made-up RSA ciphertexts can reveal
> information that in effect allows the attacker to perform a single
> RSA private key operation on a ciphertext of its choice using the
> server's RSA key. Note that the server's RSA key is not
> compromised in this attack.

Best regards,
Tsuyoshi

--- ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp> ---
--- Dept. of Computer Science, University of Tokyo. ---

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message