[NBLUG/talk] [Fwd: Vulnerability in OpenSSL]

Kyle Rankin greenfly at greenfly.net
Fri Mar 14 11:47:00 PST 2003


On Fri, Mar 14, 2003 at 10:58:59AM -0800, ME wrote:
> An item that may have implications for other packages that compile against
> OpenSSL that include mod_ssl, openssh, and if you specified it in a bind
> install (or your package was so configured) BIND too.
... 
> -------- Original Message --------
> Subject: Vulnerability in OpenSSL
> From: David Brumley <dbrumley at stanford.edu>
> Date: Thu, March 13, 2003 3:59 pm
> To: bugtraq at securityfocus.com
> 
> Dan Boneh and I have been researching timing attacks against software
> crypto libraries.  Timing attacks are usually used to attack weak
> computing devices such as smartcards.  We've successfully developed and
> mounted timing attacks against software crypto libraries running on
> general purpose PC's.
...

An addendum to this.  I would recommend that any LUGers who haven't done so
yet, subscribe to the bugtraq mailing list or something like it (perhaps the
security mailing list for your distribution of choice), or at least monitor
some security vulnerability webpages (/. doesn't count) for vulnerabilities 
such as the above.  

These are the places that vulnerabilities get posted first, and there are even
Linux-specific talk groups in many of them.  If you are running public
services, one could even argue it's somewhat irresponsible to not be checking
these sorts of things (i.e., if you heard it first through this list or Slashdot,
you might have found out about it too late).

-- 
Kyle Rankin (greenfly)
http://greenfly.org


