Date:      Sat, 22 Mar 2003 21:09:23 +0900 (JST)
From:      ITO Tsuyoshi <tsuyoshi@is.s.u-tokyo.ac.jp>
To:        freebsd-security@FreeBSD.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-03:06.openssl
Message-ID:  <20030322.210923.71081935.tsuyoshi@is.s.u-tokyo.ac.jp>
In-Reply-To: <200303212052.h2LKqYWw013362@freefall.freebsd.org>
References:  <200303212052.h2LKqYWw013362@freefall.freebsd.org>

Hello,

Will the fix for the problem (2) be included in ports/security/openssl
in 4.8-RELEASE?  The ports tree has been tagged RELEASE_4_8_0 already,
and the fix for the problem (2) is not yet included.  If it is not,
people should be careful not to overwrite OpenSSL in the base with the
one in the port.

> (2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
>     have come up with an extension of the "Bleichenbacher attack" on
>     RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.
>     Their attack requires the attacker to open millions of SSL/TLS
>     connections to the server under attack; the server's behaviour
>     when faced with specially made-up RSA ciphertexts can reveal
>     information that in effect allows the attacker to perform a single
>     RSA private key operation on a ciphertext of its choice using the
>     server's RSA key.  Note that the server's RSA key is not
>     compromised in this attack.

Best regards,
Tsuyoshi

---   ITO Tsuyoshi  <tsuyoshi@is.s.u-tokyo.ac.jp>   ---
--- Dept. of Computer Science, University of Tokyo. ---
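Added example, not part of this thread or of the OpenSSL or FreeBSD source: the quoted advisory says the attack works by opening many connections and observing how the server behaves on crafted RSA ciphertexts. The defensive rule that closes that channel (later written down in RFC 5246 section 7.4.7.1) is that a TLS server must never let the result of PKCS#1 v1.5 unpadding be observable: it always produces a 48-byte premaster secret, substituting random bytes when the padding or the embedded version is wrong, so a malformed block and a well-formed one lead to the same visible handshake. The code below contrasts a naive unpadder that raises on bad padding with one that follows that rule. The private-key operation itself is left out; the "blocks" are constructed inline as if already decrypted, and the function names, the 1024-bit modulus size and the sample bytes are assumptions made for the example.

```python
"""
Contrast a padding-oracle-prone PKCS#1 v1.5 unpadder with one that gives
an observer nothing to distinguish.  Constructed data only; no network,
no real RSA.
"""
import secrets

PMS_LEN = 48            # TLS premaster secret length
MODULUS_LEN = 128       # assumed 1024-bit RSA key, in bytes
TLS_1_0 = b"\x03\x01"   # client_version the server expects to find


class DecryptionFailure(Exception):
    """Raised by the naive unpadder; an alert sent because of it is the oracle."""


def leaky_unpad(block: bytes, modulus_len: int) -> bytes:
    """Naive PKCS#1 v1.5 type-2 unpadding (the weak form).

    It stops at the first problem and raises, so a malformed block and a
    well-formed one are treated differently and the difference is visible
    to whoever sent the ciphertext."""
    if len(block) != modulus_len or block[0:2] != b"\x00\x02":
        raise DecryptionFailure("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # separator missing or fewer than 8 padding bytes
        raise DecryptionFailure("padding too short")
    return block[sep + 1:]


def hardened_unpad(block: bytes, modulus_len: int, expected_version: bytes) -> bytes:
    """Unpad without revealing failure: always returns PMS_LEN bytes.

    Every check runs, its result is folded into `bad`, and on any failure a
    random premaster secret drawn *before* the checks is returned instead.
    The handshake then continues and fails at the Finished message in a way
    that does not depend on the structure of the submitted ciphertext.
    (This shows the no-distinguishable-outcome rule; a production
    implementation would additionally use constant-time memory operations.)"""
    fallback = secrets.token_bytes(PMS_LEN)
    # Fix the length so indexing below never raises on a short or long input.
    b = block.ljust(modulus_len, b"\x00")[:modulus_len]
    bad = int(len(block) != modulus_len)
    bad |= int(b[0] != 0x00)
    bad |= int(b[1] != 0x02)
    # Locate the first zero after the block type without leaving the loop early.
    sep = -1
    for i in range(2, modulus_len):
        if b[i] == 0 and sep < 0:
            sep = i
    # The separator must leave exactly PMS_LEN bytes after it and at least
    # 8 non-zero padding bytes before it.
    expected_sep = modulus_len - PMS_LEN - 1
    bad |= int(sep != expected_sep)
    bad |= int(expected_sep < 10)
    candidate = b[modulus_len - PMS_LEN:]
    # A wrong client_version is folded into the same path, not reported.
    bad |= int(candidate[:2] != expected_version)
    return fallback if bad else candidate


def observable_outcome(unpad, *args) -> str:
    """What a network observer can tell apart: an alert versus a handshake
    that simply carries on."""
    try:
        unpad(*args)
    except DecryptionFailure:
        return "alert: decrypt_error"
    return "handshake continues"


# Constructed sample blocks (as if already RSA-decrypted).
GOOD_PMS = TLS_1_0 + bytes(range(100, 146))                 # 48 bytes
GOOD_BLOCK = b"\x00\x02" + bytes(range(1, 78)) + b"\x00" + GOOD_PMS   # 128 bytes
BAD_TYPE_BLOCK = b"\x00\x01" + GOOD_BLOCK[2:]               # wrong block type
WRONG_VERSION_PMS = b"\x03\x00" + GOOD_PMS[2:]
WRONG_VERSION_BLOCK = GOOD_BLOCK[:80] + WRONG_VERSION_PMS   # good padding, bad version

if __name__ == "__main__":
    for name, blk in (("good", GOOD_BLOCK), ("bad type", BAD_TYPE_BLOCK)):
        print(f"{name:9s} leaky:    {observable_outcome(leaky_unpad, blk, MODULUS_LEN)}")
        print(f"{name:9s} hardened: "
              f"{observable_outcome(hardened_unpad, blk, MODULUS_LEN, TLS_1_0)}")
```

With the leaky unpadder the "bad type" block produces an alert while the good one does not, which is exactly the per-connection signal the advisory describes; with the hardened one both blocks yield "handshake continues" and a 48-byte secret, and the version-mismatch case is absorbed the same way rather than becoming a second oracle.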
