Test ID: 1.3.6.1.4.1.25623.1.0.54115
Category: SuSE Local Security Checks
Title: SuSE Security Advisory SUSE-SA:2003:011 (openssl)
Summary: NOSUMMARY
Description:

The remote host is missing updates announced in advisory SUSE-SA:2003:011.

OpenSSL is an implementation of the Secure Sockets Layer and Transport Layer Security protocols and provides strong cryptography for many applications in a Linux system. It is a default package in all SuSE products.

A security weakness has been found, known as the Vaudenay timing attack on CBC, named after one of its discoverers (Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)). The weakness may allow an attacker to recover a plaintext data block by observing timing differences in the response to two different error cases (cipher padding errors vs. MAC verification errors).

To exploit this vulnerability, the attacker has to meet several requirements: the network connection between client and server must be of high enough quality that timing differences can be observed; the attacker must be able to perform a man-in-the-middle attack; the transactions must repeatedly contain the same (encrypted) plaintext block (such as a POP password or similar); and decoding failures in the SSL layer must not be propagated to the application that is using the SSL connection.

Solution: Update your system with the packages as indicated in the referenced security advisory.
https://secure1.securityspace.com/smysecure/catid.html?in=SUSE-SA:2003:011

Risk factor: Medium
CVSS Score: 5.0
Cross-Ref:
BugTraq ID: 6884
Common Vulnerability Exposure (CVE) ID: CVE-2003-0078
http://www.securityfocus.com/bid/6884
Bugtraq: 20030219 OpenSSL 0.9.7a and 0.9.6i released
http://marc.info/?l=bugtraq&m=104567627211904&w=2
Bugtraq: 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)
http://marc.info/?l=bugtraq&m=104568426824439&w=2
Computer Incident Advisory Center Bulletin: N-051
http://www.ciac.org/ciac/bulletins/n-051.shtml
Conectiva Linux advisory: CLSA-2003:570
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
Debian Security Information: DSA-253
http://www.debian.org/security/2003/dsa-253
En Garde Linux Advisory: ESA-20030220-005
http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
FreeBSD Security Advisory: FreeBSD-SA-03:02
http://marc.info/?l=bugtraq&m=104577183206905&w=2
Mandrake Linux advisory: MDKSA-2003:020
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
NETBSD Security Advisory: NetBSD-SA2003-001
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc
OSVDB: 3945
http://www.osvdb.org/3945
Red Hat errata:
http://www.redhat.com/support/errata/RHSA-2003-062.html
http://www.redhat.com/support/errata/RHSA-2003-063.html
http://www.redhat.com/support/errata/RHSA-2003-082.html
http://www.redhat.com/support/errata/RHSA-2003-104.html
http://www.redhat.com/support/errata/RHSA-2003-205.html
SGI Security Advisory: 20030501-01-I
ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
SuSE Security Announcement: SuSE-SA:2003:011
Trustix errata:
http://www.trustix.org/errata/2003/0005
ISS X-Force:
http://www.iss.net/security_center/static/11369.php
Copyright: Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com