-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2003.0120 -- Debian Security Advisory DSA 253-1
        New OpenSSL packages fix timing-based attack vulnerability
                             25 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                openssl
Vendor:                 Debian
Operating System:       Debian GNU/Linux 2.2
                        Debian GNU/Linux 3.0
                        Linux
                        UNIX
Impact:                 Access Confidential Data
                        Reduced Security
Access Required:        Remote

Ref:                    ESB-2003.0111
                        ESB-2003.0118

Comment: CVE Id: CAN-2003-0078

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 253-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
February 24th, 2003                     http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : information leak
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2003-0078

A vulnerability has been discovered in OpenSSL, a Secure Socket Layer
(SSL) implementation.  In an upcoming paper, Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL,
Ilion) describe and demonstrate a timing-based attack on CBC cipher
suites used in SSL and TLS.  OpenSSL has been found to be vulnerable to
this attack.
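The advisory names the attack but not the record-layer behaviour behind it. The following is an added illustration, not code from OpenSSL or from the advisory: a simplified model of a CBC record check (data || HMAC-SHA1 || padding, no actual block cipher) showing the pre-fix shape, which returns early with a distinct error when the padding is bad, next to the post-fix shape, which performs the MAC computation whether or not the padding was valid and reports one alert for either failure. That is the countermeasure OpenSSL adopted for CAN-2003-0078; the key, block size and record contents here are constructed, and the timing argument is reduced to a "was a MAC computed" flag so it can be checked without measuring clocks.

```python
import hashlib
import hmac

BLOCK = 16     # block size of the simulated CBC cipher (assumption)
MAC_LEN = 20   # HMAC-SHA1 tag length used by SSL/TLS CBC cipher suites


def build_record(key: bytes, data: bytes) -> bytes:
    """Constructed plaintext as it looks after CBC decryption:
    data || HMAC-SHA1(data) || padding, where the last p+1 bytes all hold p."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    body = data + mac
    p = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([p]) * (p + 1)


def padding_length(plain: bytes):
    """Return p if the trailing p+1 bytes all equal p and leave room for a
    MAC, else None."""
    if not plain:
        return None
    p = plain[-1]
    if p + 1 + MAC_LEN > len(plain):
        return None
    if any(b != p for b in plain[-(p + 1):]):
        return None
    return p


def check_vulnerable(key: bytes, plain: bytes):
    """Pre-fix shape: return as soon as the padding is bad.  No MAC is
    computed on that path and a distinct error is raised, so a bad-padding
    failure is both faster and differently reported than a bad-MAC failure.
    Returns (verdict, mac_was_computed)."""
    p = padding_length(plain)
    if p is None:
        return ("decryption_failed", False)
    cut = p + 1 + MAC_LEN
    data, tag = plain[:-cut], plain[-cut:-(p + 1)]
    expected = hmac.new(key, data, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return ("bad_record_mac", True)
    return ("ok", True)


def check_hardened(key: bytes, plain: bytes):
    """Post-fix shape: always run the MAC computation, even when the padding
    is wrong, and report one alert for either failure.
    Returns (verdict, mac_was_computed)."""
    p = padding_length(plain)
    padding_ok = p is not None
    if not padding_ok:
        p = 0  # pretend zero-length padding so the MAC path still executes
    cut = p + 1 + MAC_LEN
    if cut > len(plain):
        data, tag = b"", bytes(MAC_LEN)  # record too short: MAC dummy input
    else:
        data, tag = plain[:-cut], plain[-cut:-(p + 1)]
    expected = hmac.new(key, data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    if padding_ok and mac_ok:
        return ("ok", True)
    return ("bad_record_mac", True)


if __name__ == "__main__":
    key = b"\x01" * 20  # constructed MAC key
    good = build_record(key, b"GET / HTTP/1.0")
    bad_pad = good[:-1] + bytes([good[-1] ^ 0xFF])
    for name, rec in (("good", good), ("bad_pad", bad_pad)):
        print(name, check_vulnerable(key, rec), check_hardened(key, rec))
```

The point of the hardened variant is that a peer observing only the response time and the alert type learns nothing about whether the padding or the MAC was at fault. Later work (the "Lucky Thirteen" family) showed that even the MAC computation itself has to be made length-independent, so treat this as the 2003 countermeasure rather than a complete constant-time record layer.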

For the stable distribution (woody) this problem has been
fixed in version 0.9.6c-2.woody.2.

For the old stable distribution (potato) this problem has been fixed
in version 0.9.6c-0.potato.5.  Please note that this updates the
version from potato-proposed-updates that supersedes the version in
potato.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.7a-1.

We recommend that you upgrade your openssl packages.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
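When fetching the packages by hand with wget and dpkg -i, the "Size/MD5 checksum" lines in the listings below are the only integrity check the advisory gives you. The following is an added helper, not part of the Debian advisory or of any Debian tool: it parses listing text in exactly the advisory's format (a URL line followed by a "Size/MD5 checksum:" line) into per-file expectations and checks a downloaded file's byte count and MD5 against them before it is handed to dpkg. The two listing entries embedded here are copied from the woody section of this advisory; the file written by demo() is constructed.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt, in the advisory's own listing format (values copied
# from the woody section of this advisory).
LISTING = """
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2.dsc
      Size/MD5 checksum:      632 2e3f3f753fd814e80963f9e9041e663a
    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.2_all.deb
      Size/MD5 checksum:      980 bc8731133ad3d0583d9616c189f4ff9a
"""

URL_RE = re.compile(r"^\s*(\S+://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")


def parse_listing(text: str) -> dict:
    """Return {filename: (size, md5)} from advisory-style listing text.
    A checksum line is attributed to the URL line immediately before it."""
    entries = {}
    pending = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending = m.group(1).rsplit("/", 1)[-1]
            continue
        m = SUM_RE.match(line)
        if m and pending:
            entries[pending] = (int(m.group(1)), m.group(2))
            pending = None
    return entries


def verify_file(path: str, expected_size: int, expected_md5: str) -> bool:
    """True only if both the byte count and the MD5 digest match."""
    if os.path.getsize(path) != expected_size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5


def verify_download(path: str, entries: dict) -> bool:
    """Look the file up by basename in the parsed listing and verify it."""
    name = os.path.basename(path)
    if name not in entries:
        return False
    size, md5 = entries[name]
    return verify_file(path, size, md5)


def demo(expected_size: int, expected_md5: str) -> bool:
    """Constructed check: write a six-byte file and verify it against the
    supplied expectations, so the helper can be exercised offline."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"hello\n")
        path = f.name
    try:
        return verify_file(path, expected_size, expected_md5)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, (size, md5) in parse_listing(LISTING).items():
        print(f"{name}: expect {size} bytes, md5 {md5}")
    print("demo:", demo(6, "b1946ac92492d2347c6235b4d2611184"))
```

Feed verify_download() the path of each fetched .deb and refuse dpkg -i on a False. The apt-get route below is preferable where available because the archive's own signature checking applies; MD5 is what this 2003 listing provides, not a collision-resistant digest by today's standards, so it guards against a truncated or corrupted download rather than a deliberately substituted one.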


Debian GNU/Linux 2.2 alias potato
- - ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5.dsc
      Size/MD5 checksum:      634 a4b14f05a0eeff8573519287c23b1b1e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5.diff.gz
      Size/MD5 checksum:    42879 9345bdacc7f296d81762d786348e8dfd
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-0.potato.5_all.deb
      Size/MD5 checksum:      980 1f1b9b4ae27c1d6cac23d0715d730521

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_alpha.deb
      Size/MD5 checksum:  1550748 f41914ab3a49636fd8513f085b8d8d07
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_alpha.deb
      Size/MD5 checksum:   591238 132ad76defee30d09333896ca75cb90d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_alpha.deb
      Size/MD5 checksum:   746694 d2a4637ac612a543e8c1e74aabbf4c60

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_arm.deb
      Size/MD5 checksum:  1349612 c49ce68da5e42b0e9fdc77e931d9a809
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_arm.deb
      Size/MD5 checksum:   469878 1bf2a3485e8d787d0e879b181cc93a5d
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_arm.deb
      Size/MD5 checksum:   730052 d01dbf4b1eb9fcec88f0c167e3c9c5c2

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_i386.deb
      Size/MD5 checksum:  1288324 5dcf752ef1f92c96740b14fbb38c3e9f
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_i386.deb
      Size/MD5 checksum:   463876 e387781c3aaada9be43d0859ea8acc69
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_i386.deb
      Size/MD5 checksum:   724680 23d423b4f5c790fde8381859e5c13e63

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_m68k.deb
      Size/MD5 checksum:  1263364 6c450e56f29d665062db9b1057f9b5ed
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_m68k.deb
      Size/MD5 checksum:   451096 a4b7abbae2630643e9530c5d9301668c
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_m68k.deb
      Size/MD5 checksum:   721532 a89c6146d949c6574c7c9d35adf25dcc

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_powerpc.deb
      Size/MD5 checksum:  1385246 a0a8c6448562365168e018cfa2c954be
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_powerpc.deb
      Size/MD5 checksum:   504092 45b8145a959159abc1cd0e7b4482eacf
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_powerpc.deb
      Size/MD5 checksum:   727212 7917210b1a745362cb6c5536958a8900

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-0.potato.5_sparc.deb
      Size/MD5 checksum:  1343538 e53f2961887626f42190c361c2756717
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-0.potato.5_sparc.deb
      Size/MD5 checksum:   484046 86c0c973656f3dfb45168e810893dffe
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-0.potato.5_sparc.deb
      Size/MD5 checksum:   738670 9c9fa2bfe3fc2b3c75ab8b696913827c


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2.dsc
      Size/MD5 checksum:      632 2e3f3f753fd814e80963f9e9041e663a
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2.diff.gz
      Size/MD5 checksum:    42781 90dd405b7c6ed2785b8bf70ee25b10ad
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c.orig.tar.gz
      Size/MD5 checksum:  2153980 c8261d93317635d56df55650c6aeb3dc

  Architecture independent components:

    http://security.debian.org/pool/updates/main/o/openssl/ssleay_0.9.6c-2.woody.2_all.deb
      Size/MD5 checksum:      980 bc8731133ad3d0583d9616c189f4ff9a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_alpha.deb
      Size/MD5 checksum:  1550956 5a18164f15eb8c85c4de0ef3f7575f92
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_alpha.deb
      Size/MD5 checksum:   570820 99723cf60d3dd730a6b0b9eadf41c543
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_alpha.deb
      Size/MD5 checksum:   735894 e60a359430768f5f16b0b4780145da52

  ARM architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_arm.deb
      Size/MD5 checksum:  1357762 2d94ff53a1cfb35dfbf7f54d46ff7e71
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_arm.deb
      Size/MD5 checksum:   473688 dad4b0ae86406ec6fbf8549a918ff3d3
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_arm.deb
      Size/MD5 checksum:   729432 e896e368c4a56626fad6e84f120b939d

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_i386.deb
      Size/MD5 checksum:  1290600 13d8486403c1d7633bc5369e2962ab49
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_i386.deb
      Size/MD5 checksum:   461450 9697d0445e1b2fa2aa8c424dfb3ffef7
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_i386.deb
      Size/MD5 checksum:   722924 8af019bb8fc566504db03d88f75b782a

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_ia64.deb
      Size/MD5 checksum:  1615030 63a47deb297fa5767bfc100b7be5ebdf
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_ia64.deb
      Size/MD5 checksum:   710552 0e9f01c9edb64afde9c0ef576855e219
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_ia64.deb
      Size/MD5 checksum:   763254 cb5642c601871a19734ee828cbdb0c70

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_hppa.deb
      Size/MD5 checksum:  1434594 e8250f1ebc89a5730c4eb01ec21d7047
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_hppa.deb
      Size/MD5 checksum:   564510 da9ef6952adc717ef43c98f730e4ca2e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_hppa.deb
      Size/MD5 checksum:   741588 673de887b200e0b137a552287f54878e

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_m68k.deb
      Size/MD5 checksum:  1266234 676d23151c30aacedc164870591f31fd
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_m68k.deb
      Size/MD5 checksum:   450396 6e741cc696e2c30472903b82989a2905
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_m68k.deb
      Size/MD5 checksum:   720056 bc58501b1c5ac4b5d495cb201e1a1241

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_mips.deb
      Size/MD5 checksum:  1415768 603ca2613d9ce29fa92f91a303c85343
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_mips.deb
      Size/MD5 checksum:   483198 333fb870c69573cfb10dbe616cae5eea
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_mips.deb
      Size/MD5 checksum:   717484 fff4e26c62eee373acd4a70066321d97

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_mipsel.deb
      Size/MD5 checksum:  1409734 52b7b2f2e8c67c5187c776eeacce5b36
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_mipsel.deb
      Size/MD5 checksum:   476196 90330c63a83b18ed41e6b82e7fe5b423
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_mipsel.deb
      Size/MD5 checksum:   716782 2520320fd05458141d14db1987568913

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_powerpc.deb
      Size/MD5 checksum:  1386494 9d7411be707a5f214d3412a4ad3d52d1
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_powerpc.deb
      Size/MD5 checksum:   502044 0dc022e38945cd9a8604a6221ff1bf7e
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_powerpc.deb
      Size/MD5 checksum:   726360 39833a2657c8fda5220e69f857823477

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_s390.deb
      Size/MD5 checksum:  1326184 6b27fac4b413dc8a44d205eaecee6fee
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_s390.deb
      Size/MD5 checksum:   510226 3b24de2bbb37f004b353a6c93681c3b9
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_s390.deb
      Size/MD5 checksum:   731338 60df2b2058c2c50148f573c13f3b5eba

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.6c-2.woody.2_sparc.deb
      Size/MD5 checksum:  1344220 a45dd3af74b4be0d88e51a64cc21dcc5
    http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.6_0.9.6c-2.woody.2_sparc.deb
      Size/MD5 checksum:   484396 48e9992f60a25c950b2fa246ea842c55
    http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.6c-2.woody.2_sparc.deb
      Size/MD5 checksum:   736964 78bb31495bea3a8fa88e507f7066e1b5


  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+WiWPW5ql+IAeqTIRAqRZAJ0RH8/rXFSm5IajSvKheFLZM3npDwCfS4Jt
Qln4lv6tBLqXlSvjgEGOwe0=
=uZvL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPluZkyh9+71yA2DNAQEFowP+LHlbpIes5syxWA7hBvQp3wNOJ5XN18lq
5NYHj9+jT8iQwwj9/gvrOoZU+xrTyYBOvAWIYHiZ5l3RgQMy2elTPn0cPR7o7Ojo
bJ7b5qnBfZ1dCT1Wrr3PGxIauPni0cIy7eHDWLMCYP5xqgUxIHU1xzl4lrVr6cEG
ARJqezwdlVU=
=uVGi
-----END PGP SIGNATURE-----