
mod_ssl
200303-23
Published: 2003-03-25 10:50:51
Updated: 2003-03-25 10:50:51

---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200303-23
---------------------------------------------------------------------

PACKAGE : mod_ssl 
SUMMARY : timing based attack 
DATE : 2003-03-25 10:14 UTC 
EXPLOIT : remote 
VERSIONS AFFECTED : <2.8.14 
FIXED VERSION : >=2.8.14 
CVE : CAN-2003-0147 

---------------------------------------------------------------------

From advisory:

"Researchers have discovered a timing attack on RSA keys, to which 
OpenSSL is generally vulnerable, unless RSA blinding has been turned 
on." 

Read the full advisory at 
http://www.openssl.org/news/secadv_20030317.txt 

SOLUTION 

It is recommended that all Gentoo Linux users who are running 
net-www/mod_ssl upgrade to mod_ssl-2.8.14 as follows: 

emerge sync 
emerge mod_ssl 
emerge clean 

---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
---------------------------------------------------------------------
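
The RSA blinding countermeasure named in the quoted advisory, shown as an added illustration (not code from OpenSSL, mod_ssl or Gentoo): the private-key exponentiation runs on a randomized value, so its timing no longer tracks the input a remote peer supplied. The toy key, function names and sample message are constructed assumptions.

```python
import math
import secrets

# Constructed toy key (two Mersenne primes) for illustration; not a real key size.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def private_op_unblinded(c):
    """Textbook private-key operation.

    The exponentiation input is the peer-supplied value c, so the time
    taken can correlate with c and the private key.
    """
    return pow(c, D, N)


def private_op_blinded(c, r=None):
    """Private-key operation with base blinding.

    Returns (result, blinded_input). The secret exponentiation runs on
    c * r^e mod n, which the peer can neither choose nor predict.
    Passing r is only for reproducible tests; normally it is random.
    """
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2        # fresh r in [2, n-1]
    blinded = (c * pow(r, E, N)) % N            # c' = c * r^e mod n
    m_blinded = pow(blinded, D, N)              # (c')^d = c^d * r mod n
    result = (m_blinded * pow(r, -1, N)) % N    # remove r: c^d mod n
    return result, blinded


if __name__ == "__main__":
    m = int.from_bytes(b"constructed sample", "big")
    c = pow(m, E, N)                            # constructed ciphertext
    plain, seen_by_exponentiation = private_op_blinded(c)
    print("same result as unblinded:", plain == private_op_unblinded(c))
    print("exponentiation saw c itself:", seen_by_exponentiation == c)
```

Python's `pow` is not constant-time; the block shows only the algebra of blinding, which the fixed packages apply inside the library.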
 







 
