OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org
Root: /e/openpkg/cvs
Module: openpkg-web
Branch: HEAD
Name: Ralf S. Engelschall
Email: [EMAIL PROTECTED]
Date: 18-Mar-2003 16:29:51
Handle: 2003031815295100
Modified files:
openpkg-web/security OpenPKG-SA-2003.020-modssl.txt
Log:
final polishing and resigning
Summary:
Revision Changes Path
1.2 +11 -11 openpkg-web/security/OpenPKG-SA-2003.020-modssl.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.020-modssl.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.020-modssl.txt
--- openpkg-web/security/OpenPKG-SA-2003.020-modssl.txt 18 Mar 2003 15:26:15
-0000 1.1
+++ openpkg-web/security/OpenPKG-SA-2003.020-modssl.txt 18 Mar 2003 15:29:51
-0000 1.2
@@ -9,7 +9,7 @@
OpenPKG-SA-2003.020 18-Mar-2003
________________________________________________________________________
-Package: apache ("apache::with_mod_ssl = yes" only)
+Package: apache (option "with_mod_ssl" only)
Vulnerability: local and remote extraction of RSA private key
OpenPKG Specific: no
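Review bot: the reworded Package line drops the exact configuration syntax `apache::with_mod_ssl = yes` that the old text carried, which is the string a reader can match against their own build settings to decide whether they are affected; consider keeping both forms, e.g. `+Package: apache (option "with_mod_ssl" only, i.e. "apache::with_mod_ssl = yes")`, so the shorter wording does not cost the concrete identifier.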
@@ -21,17 +21,17 @@
Dependent Packages: none
Description:
- David Brumley and Dan Boneh of Stanford University have researched
- and documented a timing attack on OpenSSL which allows local and
- remote attackers to extract the RSA private key of an SSL/TLS server
- like Apache/mod_ssl. [0] The OpenSSL [1] RSA implementation is
- generally vulnerable to these type of attacks unless RSA blinding has
- been turned on [2].
+ David Brumley and Dan Boneh of Stanford University have researched and
+ documented a timing attack on OpenSSL which allows local and remote
+ attackers to extract the RSA private key of an SSL/TLS server like
+ Apache/mod_ssl. [0] The OpenSSL [1] RSA implementation is generally
+ vulnerable to these type of attacks unless RSA blinding has been
+ turned on [2].
RSA blinding previously was not explicitly enabled by mod_ssl. If
Apache/mod_ssl is linked against the already fixed OpenSSL versions
(see security advisory OpenPKG-SA-2003.019 [3]), the problem is
- already implicity fixed inside OpenSSL. Nevertheless, mod_ssl 2.8.13
+ already implicitly fixed inside OpenSSL. Nevertheless, mod_ssl 2.8.13
now explicitly enables RSA blinding for RSA private keys. For older
versions, we include this prevention change in OpenPKG, too.
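Review bot: the reflowed `+` lines still read "these type of attacks"; since the paragraph is being rewritten and re-signed anyway, change it to "this type of attack" (or "these types of attacks") in the same revision rather than leaving a second typo beside the fixed "implicitly". The unchanged context line "RSA blinding previously was not explicitly enabled by mod_ssl" would also read more naturally as "RSA blinding was previously not explicitly enabled by mod_ssl", but it is outside the changed lines, so only pick it up if another re-sign is planned.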
@@ -87,7 +87,7 @@
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <[EMAIL PROTECTED]>
-iD8DBQE+dzpvgHWT4GPEy58RAkgUAKC+xrvk5VySQi2XEtTLckv0w8HnvACfX9RM
-Jij5pwnd0KyHv41pzZQc8wc=
-=ZetT
+iD8DBQE+dztWgHWT4GPEy58RApBVAJ9+50Nlwfhuu7ORHF3aPwRWyMrOdACcCJjf
+Q+69FxYxCzvkPEwNeX+9sLU=
+=/TMJ
-----END PGP SIGNATURE-----
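Review bot: the signature block is replaced in the same revision that edits the advisory body (hunk at `@@ -21,17 +21,17 @@`), so the new armor must have been produced over the final 1.2 text; the log message "final polishing and resigning" suggests it was, but it is worth running `gpg --verify` against the committed file once more before publishing, because a signature made over an earlier draft fails verification for every reader and undermines the advisory's authenticity check.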
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]