-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2003-10
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------
Original release date : 27 Feb 2003
Last revised : 27 Feb 2003
Package : openssl
Summary : Timing-based attacks on SSL/TLS with CBC encryption
More information :
The vulnerability is in the error response processing for "block cipher
padding errors" in openssl with CBC encryption.
A third party may be given an opportunity to decrypt.
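Added illustration (not OpenSSL or Turbolinux code): the two error paths whose work differs, next to the form that always runs the MAC, which is the countermeasure described in the OpenSSL advisory listed under References. The toy checksum, the function names and the sample record are assumptions; only the skipped-MAC difference is modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAC_LEN 4
enum { REC_OK, REC_BAD_PADDING, REC_BAD_MAC };
static unsigned mac_calls; /* MAC computations so far: the work a timing measurement sees */

/* Toy FNV-1a checksum standing in for the record MAC (assumption; TLS uses HMAC). */
static void toy_mac(const uint8_t *p, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    mac_calls++;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* TLS-style padding: final byte n preceded by n bytes of value n; returns n + 1, or 0 if malformed. */
static size_t padding_size(const uint8_t *rec, size_t len) {
    size_t n = rec[len - 1];
    if (n + 1 + MAC_LEN > len) return 0;
    for (size_t i = len - 1 - n; i < len; i++)
        if (rec[i] != n) return 0;
    return n + 1;
}

/* rec is an already-decrypted CBC record: payload || MAC || padding. */
int process_record(const uint8_t *rec, size_t len, int hardened) {
    uint8_t mac[MAC_LEN], diff = 0;
    if (len < MAC_LEN + 1) return REC_BAD_MAC;
    size_t pad = padding_size(rec, len);
    int bad_pad = (pad == 0);
    if (bad_pad && !hardened) return REC_BAD_PADDING; /* legacy: no MAC work, distinct error */
    if (bad_pad) pad = 1; /* hardened: assume empty padding and still run the MAC */
    size_t body = len - pad - MAC_LEN;
    toy_mac(rec, body, mac);
    for (int i = 0; i < MAC_LEN; i++) diff |= (uint8_t)(mac[i] ^ rec[body + i]);
    return (bad_pad || diff) ? REC_BAD_MAC : REC_OK;
}

/* Constructed sample record: "hello" || MAC || 03 03 03 03. Returns its length. */
size_t sample_record(uint8_t *out) {
    memcpy(out, "hello", 5);
    toy_mac(out, 5, out + 5);
    memset(out + 9, 3, 4);
    return 13;
}
int main(void) {
    uint8_t r[16]; size_t n = sample_record(r);
    r[n - 2] ^= 1; /* corrupt one padding byte */
    printf("legacy=%d hardened=%d\n", process_record(r, n, 0), process_record(r, n, 1));
}
```

In the legacy path a padding error costs no MAC computation while a MAC error costs one; in the hardened path both failures cost one MAC computation and return the same error.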
Impact :
Data encrypted by openssl may be decrypted by a third party.
Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use the turbopkg tool to apply the update.
To confirm the version of the currently installed
package, run the rpm command as follows:
# rpm -qa | grep PACKAGE-NAME
<Turbolinux 8 Server>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i586.rpm
apache-devel-1.3.27-10.i586.rpm
apache-manual-1.3.27-10.i586.rpm
mod_ssl-2.8.12-10.i586.rpm
openssh-3.4p1-15.i586.rpm
openssh-askpass-3.4p1-15.i586.rpm
openssh-askpass-gnome-3.4p1-15.i586.rpm
openssh-clients-3.4p1-15.i586.rpm
openssh-server-3.4p1-15.i586.rpm
openssl-0.9.6i-1.i586.rpm
openssl-devel-0.9.6i-1.i586.rpm
<Turbolinux 8 Workstation>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i586.rpm
apache-devel-1.3.27-10.i586.rpm
apache-manual-1.3.27-10.i586.rpm
mod_ssl-2.8.12-10.i586.rpm
openssh-3.4p1-15.i586.rpm
openssh-askpass-3.4p1-15.i586.rpm
openssh-clients-3.4p1-15.i586.rpm
openssh-server-3.4p1-15.i586.rpm
openssl-0.9.6i-1.i586.rpm
openssl-devel-0.9.6i-1.i586.rpm
<Turbolinux 7 Server>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i586.rpm
apache-devel-1.3.27-10.i586.rpm
apache-manual-1.3.27-10.i586.rpm
mod_ssl-2.8.12-10.i586.rpm
openssh-3.4p1-15.i586.rpm
openssh-askpass-3.4p1-15.i586.rpm
openssh-clients-3.4p1-15.i586.rpm
openssh-server-3.4p1-15.i586.rpm
openssl-0.9.6i-1.i586.rpm
openssl-devel-0.9.6i-1.i586.rpm
<Turbolinux 7 Workstation>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i586.rpm
apache-devel-1.3.27-10.i586.rpm
apache-manual-1.3.27-10.i586.rpm
mod_ssl-2.8.12-10.i586.rpm
openssh-3.4p1-15.i586.rpm
openssh-askpass-3.4p1-15.i586.rpm
openssh-clients-3.4p1-15.i586.rpm
openssh-server-3.4p1-15.i586.rpm
openssl-0.9.6i-1.i586.rpm
openssl-devel-0.9.6i-1.i586.rpm
<Turbolinux Server 6.5>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i386.rpm
apache-devel-1.3.27-10.i386.rpm
apache-manual-1.3.27-10.i386.rpm
mod_ssl-2.8.12-10.i386.rpm
openssh-3.4p1-15.i386.rpm
openssh-askpass-3.4p1-15.i386.rpm
openssh-clients-3.4p1-15.i386.rpm
openssh-server-3.4p1-15.i386.rpm
openssl-0.9.6i-1.i386.rpm
openssl-devel-0.9.6i-1.i386.rpm
<Turbolinux Advanced Server 6>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i386.rpm
apache-devel-1.3.27-10.i386.rpm
apache-manual-1.3.27-10.i386.rpm
mod_ssl-2.8.12-10.i386.rpm
openssh-3.4p1-15.i386.rpm
openssh-askpass-3.4p1-15.i386.rpm
openssh-askpass-gnome-3.4p1-15.i386.rpm
openssh-clients-3.4p1-15.i386.rpm
openssh-server-3.4p1-15.i386.rpm
openssl-0.9.6i-1.i386.rpm
openssl-devel-0.9.6i-1.i386.rpm
<Turbolinux Server 6.1>
Source Packages
apache-1.3.27-10.src.rpm
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
apache-1.3.27-10.i386.rpm
apache-devel-1.3.27-10.i386.rpm
apache-manual-1.3.27-10.i386.rpm
mod_ssl-2.8.12-10.i386.rpm
openssh-3.4p1-15.i386.rpm
openssh-askpass-gnome-3.4p1-15.i386.rpm
openssh-clients-3.4p1-15.i386.rpm
openssh-server-3.4p1-15.i386.rpm
openssl-0.9.6i-1.i386.rpm
openssl-devel-0.9.6i-1.i386.rpm
<Turbolinux Workstation 6.0>
Source Packages
openssh-3.4p1-15.src.rpm
openssl-0.9.6i-1.src.rpm
Binary Packages
openssh-3.4p1-15.i386.rpm
openssh-askpass-3.4p1-15.i386.rpm
openssh-askpass-gnome-3.4p1-15.i386.rpm
openssh-clients-3.4p1-15.i386.rpm
openssh-server-3.4p1-15.i386.rpm
openssl-0.9.6i-1.i386.rpm
openssl-devel-0.9.6i-1.i386.rpm
References :
OpenSSL Security Advisory
http://www.openssl.org/news/secadv_20030219.txt
CVE [CAN-2003-0078]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
--------------------------------------------------------------------------
Revision History
27 Feb 2003 Initial release
--------------------------------------------------------------------------
Copyright(C) 2003 Turbolinux, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+XX5RK0LzjOqIJMwRAuY0AKC+GyEKRULQ1LLGowVE03/2i51vTQCggTVB
XJy/T3ycHirV3LV8S5Ufgzw=
=B4W7
-----END PGP SIGNATURE-----