
Re: [SECURITY] [DSA 253-1] New OpenSSL packages fix timing-based attack vulnerability



On Mon, Feb 24, 2003 at 03:00:47PM +0100, Martin Schulze imagined:
> --------------------------------------------------------------------------
> Debian Security Advisory DSA 253-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> February 24th, 2003                     http://www.debian.org/security/faq
> --------------------------------------------------------------------------
> 
> Package        : openssl
> Vulnerability  : information leak
> Problem-Type   : remote
> Debian-specific: no
> CVE Id         : CAN-2003-0078
> 
> A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
> (SSL) implementation.  In an upcoming paper, Brice Canvel (EPFL),
> Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
> Ilion) describe and demonstrate a timing-based attack on CBC cipher
> suites used in SSL and TLS.  OpenSSL has been found to be vulnerable to
> this attack.
> 
> For the stable distribution (woody) this problem has been
> fixed in version 0.9.6c-2.woody.2.
> 
> For the old stable distribution (potato) this problem has been fixed
> in version 0.9.6c-0.potato.5.  Please note that this updates the
> version from potato-proposed-updates that supersedes the version in
> potato.
> 
> For the unstable distribution (sid) this problem has been fixed in
> version 0.9.7a-1.
> 
> We recommend that you upgrade your openssl packages.
[snip]

On sid/unstable, I have installed all the recommended patches,
including installing libssl0.9.7 (version 0.9.7a-1).

I notice, however, that the old version i.e.
  ii  libssl0.9.6      0.9.6i-1         SSL shared libraries (old version)
is still installed.  Furthermore there are a large number of
installed software packages that show dependencies on the old
version of libssl.

Am I (potentially) vulnerable by virtue of having the old version
above still installed on my system?

Cheers,
Raymond
-- 
"You deserve to be able to cooperate openly and freely with other
people who use software.  You deserve free software."
 -Richard M. Stallman, Free Software Foundation, http://www.fsf.org
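One way to answer the question in the message above on a live system, added here as an example and not part of the original post, of the advisory, or of Debian's own tooling: list which libssl runtime packages are installed, then scan `/proc/<pid>/maps` for processes that still have the old shared object mapped. The second check matters because a process keeps using whatever library it loaded at start-up until it is restarted, so upgrading or removing a package alone does not change what a long-running daemon is executing. The `dpkg -l` output and the maps contents below are constructed samples; the library paths and version strings in them are assumptions.

```python
"""Find leftover old libssl packages and the processes still mapping them.

Added example for the question in the post: it is not Debian tooling and not
the poster's code. The dpkg and /proc/<pid>/maps samples are constructed.
"""
import glob
import re
import subprocess

# Constructed sample of `dpkg -l 'libssl*'` output (versions/paths assumed).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name             Version          Description
+++-================-================-==============================
ii  libssl-dev       0.9.7a-1         SSL development libraries
ii  libssl0.9.6      0.9.6i-1         SSL shared libraries (old version)
ii  libssl0.9.7      0.9.7a-1         SSL shared libraries
"""

# Constructed sample of /proc/<pid>/maps for three processes (paths assumed).
SAMPLE_MAPS = {
    1234: (  # a daemon started before the upgrade: still maps the old library
        "40000000-40015000 r-xp 00000000 03:01 12345      /lib/ld-2.3.1.so\n"
        "40100000-40180000 r-xp 00000000 03:01 67890      /usr/lib/libssl.so.0.9.6\n"
        "bffeb000-c0000000 rwxp 00000000 00:00 0\n"
    ),
    2345: "40100000-40180000 r-xp 00000000 03:01 67891      /usr/lib/libssl.so.0.9.7\n",
    3456: "40100000-40180000 r-xp 00000000 03:01 33333      /lib/libc.so.6\n",
}

# dpkg -l columns: state flags, package name, version, description.
DPKG_LINE = re.compile(r"^(\S{2,3})\s+(\S+)\s+(\S+)\s+(.*)$")


def installed_libssl_packages(dpkg_output):
    """Return {package: version} for installed ('ii') libssl runtime packages.

    Development packages such as libssl-dev are skipped: they ship no shared
    object that a running program would map.
    """
    found = {}
    for line in dpkg_output.splitlines():
        m = DPKG_LINE.match(line)
        if not m:
            continue  # header and separator lines
        state, name, version, _desc = m.groups()
        if state == "ii" and re.match(r"^libssl\d", name):
            found[name] = version
    return found


def processes_mapping(maps_by_pid, soname_pattern):
    """Return sorted pids whose address space maps a file matching soname_pattern.

    A maps line is: address perms offset dev inode [pathname]; anonymous
    regions have no pathname and are ignored.
    """
    pat = re.compile(soname_pattern)
    hits = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            fields = line.split(None, 5)
            if len(fields) == 6 and pat.search(fields[5]):
                hits.append(pid)
                break
    return sorted(hits)


def read_live_maps():
    """Collect /proc/<pid>/maps for every process we are allowed to read (Linux)."""
    result = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(path.split("/")[2])
        try:
            with open(path) as f:
                result[pid] = f.read()
        except OSError:
            continue  # process exited, or owned by another user
    return result


if __name__ == "__main__":
    try:  # dpkg does its own pattern matching, so pass the glob literally
        dpkg_out = subprocess.run(["dpkg", "-l", "libssl*"],
                                  capture_output=True, text=True).stdout
    except OSError:
        dpkg_out = SAMPLE_DPKG_L  # no dpkg here: fall back to the constructed sample
    live = read_live_maps() or SAMPLE_MAPS  # no /proc here: use the sample
    print("installed libssl runtime packages:", installed_libssl_packages(dpkg_out))
    print("pids still mapping libssl.so.0.9.6:",
          processes_mapping(live, r"libssl\.so\.0\.9\.6$"))
```

On a real Debian box `lsof | grep libssl.so.0.9.6` gives the same process list as the maps scan. A daemon that shows up there must be restarted after the upgrade; if nothing maps the old object and no installed package still needs it, the old package can simply be removed.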
