Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

GLSA: stunnel (200303-24)

From: Daniel Ahlberg <aliz () gentoo org>
Date: Tue, 25 Mar 2003 18:55:16 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-24
- - ---------------------------------------------------------------------

          PACKAGE : stunnel
          SUMMARY : timing based attack
             DATE : 2003-03-25 17:55 UTC
          EXPLOIT : remote
VERSIONS AFFECTED : <3.22-r2 (unstable: <4.04)
    FIXED VERSION : >=3.22-r2 (unstable: >=4.04)
              CVE : CAN-2003-0147

- - ---------------------------------------------------------------------

- From advisory:

"Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on."

Read the full advisory at
http://www.openssl.org/news/secadv_20030317.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-misc/stunnel upgrade to stunnel-3.22-r2 (unstable: stunnel-4.04) 
as follows:

emerge sync
emerge stunnel
emerge clean

- - ---------------------------------------------------------------------
aliz () gentoo org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gJf+fT7nyhUpoZMRAhj+AKCmvPcPpDVzK3jV/mAIugKMYPlV/wCgxHhK
5RkR6hZvVdQGQjyr8lut6I0=
=NYot
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: