patches available for Klima-Pokorny-Rosa attack on RSA in OpenSSL

Researchers have discovered an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding. The attack affects TLS 1.0 (aka SSL 3.0) but does *not* affect OpenSSH. Exploitation requires that an attacker open millions of TLS connections to the machine being attacked.

Users who run services utilizing TLS and RSA encryption should update their OpenSSL to the version now in OpenBSD-current and the 3.1 and 3.2 -stable branches or use one of the patches below.

Patch for OpenBSD 3.1:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/025_kpr.patch

Patch for OpenBSD 3.2:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/012_kpr.patch

The OpenSSL advisory (from which the patches are derived) is:

    http://www.openssl.org/news/secadv_20030319.txt

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

The following paper describes the attack in detail:

    http://eprint.iacr.org/2003/052/ Received on Wed Mar 19 19:04:33 2003