 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.0.51398 |
| Category: | Conectiva Local Security Checks |
| Title: | Conectiva Security Advisory CLA-2003:570 |
| Summary: | NOSUMMARY |
| Description: | Description: The remote host is missing updates announced in advisory CLA-2003:570. OpenSSL[1] implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as full-strength general purpose cryptography functions. It's used (as a library) by several projects, like Apache, OpenSSH, Bind, OpenLDAP and many others clients and servers programs. In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. Vulnerable[2][3] openssl versions do not perform a MAC computation if an incorrect block cipher padding is used. An active attacker who can insert data into an existing encrypted connection is then able to measure time differences between the error messages the server sends. This information can make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext. The openssl packages provided with this update are patched against this vulnerability. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.securityspace.com/smysecure/catid.html?in=CLA-2003:570 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002003 Risk factor : Medium CVSS Score: 5.0 |
| Cross-Ref: |
BugTraq ID: 6884 Common Vulnerability Exposure (CVE) ID: CVE-2003-0078 http://www.securityfocus.com/bid/6884 Bugtraq: 20030219 OpenSSL 0.9.7a and 0.9.6i released (Google Search) http://marc.info/?l=bugtraq&m=104567627211904&w=2 Bugtraq: 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl) (Google Search) http://marc.info/?l=bugtraq&m=104568426824439&w=2 Computer Incident Advisory Center Bulletin: N-051 http://www.ciac.org/ciac/bulletins/n-051.shtml Conectiva Linux advisory: CLSA-2003:570 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570 Debian Security Information: DSA-253 (Google Search) http://www.debian.org/security/2003/dsa-253 En Garde Linux Advisory: ESA-20030220-005 http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html FreeBSD Security Advisory: FreeBSD-SA-03:02 http://marc.info/?l=bugtraq&m=104577183206905&w=2 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020 NETBSD Security Advisory: NetBSD-SA2003-001 ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc http://www.osvdb.org/3945 http://www.redhat.com/support/errata/RHSA-2003-062.html http://www.redhat.com/support/errata/RHSA-2003-063.html http://www.redhat.com/support/errata/RHSA-2003-082.html http://www.redhat.com/support/errata/RHSA-2003-104.html http://www.redhat.com/support/errata/RHSA-2003-205.html SGI Security Advisory: 20030501-01-I ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I SuSE Security Announcement: SuSE-SA:2003:011 (Google Search) http://www.trustix.org/errata/2003/0005 http://www.iss.net/security_center/static/11369.php |
| Copyright | Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |