Re: [ADVISORY] Timing Attack on OpenSSL

2003-03-18 Thread Corinna Vinschen
Hi, is it recommended to apply the below patch to 0.9.6i as well? We're still releasing both versions, 0.9.6i and 0.9.7a in the Cygwin net distro.
Corinna
On Mon, Mar 17, 2003 at 08:47:01AM +, Ben Laurie wrote:
I expect a release to follow shortly.
--

Re: [ADVISORY] Timing Attack on OpenSSL

2003-03-18 Thread Ben Laurie
Corinna Vinschen wrote:
Hi, is it recommended to apply the below patch to 0.9.6i as well? We're still releasing both versions, 0.9.6i and 0.9.7a in the Cygwin net distro.
Yes.
Corinna
On Mon, Mar 17, 2003 at 08:47:01AM +, Ben Laurie wrote:
I expect a release to follow shortly.
--

Re: [ADVISORY] Timing Attack on OpenSSL

2003-03-17 Thread Christopher Fowler
Is this a new advisory? I've patched for a previous timing attack 2 weeks ago.
On Mon, 2003-03-17 at 03:47, Ben Laurie wrote:
I expect a release to follow shortly.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to what a man can do or how far he

Re: [ADVISORY] Timing Attack on OpenSSL

2003-03-17 Thread Jeffrey Altman
This is a different vulnerability. The one you patched two weeks ago was caused by a failure to decrypt messages when the MAC comparison failed. This vulnerability is a timing attack against the RSA algorithms. The Slashdot discussion is here:

[ADVISORY] Timing Attack on OpenSSL

2003-03-17 Thread Ben Laurie
I expect a release to follow shortly.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
OpenSSL v0.9.7a and 0.9.6i vulnerability