pkgsrc/security/openssl/distinfo
seb c387ecacba * Add patch from http://www.openssl.org/news/secadv_20030317.txt:
Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few
percent).

This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.

* Add patch from http://www.openssl.org/news/secadv_20030319.txt:

Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.  Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack.

* Bump PKGREVISION.
2003-03-21 18:40:48 +00:00

16 lines
914 B
Text

$NetBSD: distinfo,v 1.18 2003/03/21 18:40:49 seb Exp $
SHA1 (openssl-0.9.6g.tar.gz) = 5b3cdad1d33134c97f659a8ad5dbf4ca4cf3d9c8
Size (openssl-0.9.6g.tar.gz) = 2170570 bytes
SHA1 (openssl-0.9.6g-20020810-netbsd.patch.gz) = 37cf5db32ba045b8a23af71ea95ab2f90b886e46
Size (openssl-0.9.6g-20020810-netbsd.patch.gz) = 27608 bytes
SHA1 (patch-aa) = c4766edba4704374ae67d75c2f9454bc70782eea
SHA1 (patch-ab) = 9bdac032996bd97834b00cb661f79c00dc31bac1
SHA1 (patch-ac) = c4abbf586295810887d00b32db8c28bf064d8a9e
SHA1 (patch-ad) = ee8283d5537edce1bb60470c616ebabfda0aa084
SHA1 (patch-ae) = f4bf6ae5aa41b55d9978376e4e50ee10c10dd288
SHA1 (patch-af) = fd470396c5f54ea2d333df44504c03e7c6c8dc96
SHA1 (patch-ag) = d470c7da2cff7ba37ac38d6ceb79751a7d21d432
SHA1 (patch-ah) = f8a6522c5e00605c47e149f8c70878960257c65a
SHA1 (patch-ai) = 9d2e1dae0882450b7c10cdd2ea8156dced550c4a
SHA1 (patch-aj) = 8c71a29e8f2cbbe9c105f9bec27f4dc1835f5338