Fw: OpenSSL 0.9.7a and 0.9.6i released

Niki Guldbrand nikig at vip.cybercity.dk
Thu Feb 20 10:28:38 GMT 2003



Begin forwarded message:

Date: Wed, 19 Feb 2003 15:40:36 +0100 (CET)
From: Jonas Eriksson <je at sekure.net>
To: bugtraq at securityfocus.com
Subject: OpenSSL 0.9.7a and 0.9.6i released



From the changelog:

Security fix: Vaudenay timing attack on CBC

+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+     via timing by performing a MAC computation even if incorrrect
+     block cipher padding has been found.  This is a countermeasure
+     against active attacks where the attacker has to distinguish
+     between bad padding and a MAC verification error. (CAN-2003-0078)
+
+     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+     Martin Vuagnoux (EPFL, Ilion)]
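
Review bot: "incorrrect" on the second line of this entry is misspelled and should read "incorrect". The entry says the MAC is computed even when bad padding is found, but it does not say whether the peer then receives the same error in both cases; since the stated goal is to keep an attacker from distinguishing bad padding from a MAC verification error, one sentence on the error returned would make the entry complete.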


---------- Forwarded message ----------
Date: Wed, 19 Feb 2003 14:43:57 +0100 (CET)
From: Richard Levitte - VMS Whacker <levitte at openssl.org>
Reply-To: openssl-users at openssl.org
To: openssl-announce at openssl.org, openssl-users at openssl.org,
     openssl-dev at openssl.org, coderpunks at toad.com, cypherpunks at www.dough.org,
     cryptography at wasabisystems.com, INFO-VAX at MVB.SAIC.COM,
     INFO-WASD at VSM.COM.AU, VMS-SSH at ALPHA.SGGW.WAW.PL, vms-web-daemon at KJSL.COM
Subject: [ANNOUNCE] OpenSSL 0.9.7a and 0.9.6i released

-----BEGIN PGP SIGNED MESSAGE-----


  OpenSSL version 0.9.7a and 0.9.6i released
  ==========================================

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  The OpenSSL project team is pleased to announce the release of
  version 0.9.7a of our open source toolkit for SSL/TLS.  This new
  OpenSSL version is a security and bugfix release and incorporates
  at least 11 changes and bugfixes to the toolkit (for a complete list
  see http://www.openssl.org/source/exp/CHANGES).

  We also release 0.9.6i, which contains the same security bugfix as
  0.9.7a and a few more small bugfixes compared to 0.9.6h.

  The most significant changes are:

    o Security: Important security related bugfixes. [0.9.7a and 0.9.6i]
    o Enhanced compatibility with MIT Kerberos. [0.9.7a]
    o Can be built without the ENGINE framework. [0.9.7a]
    o IA32 assembler enhancements. [0.9.7a]
    o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64. [0.9.7a]
    o Configuration: the no-err option now works properly. [0.9.7a]
    o SSL/TLS: now handles manual certificate chain building. [0.9.7a]
    o SSL/TLS: certain session ID malfunctions corrected. [0.9.7a]

  We consider OpenSSL 0.9.7a to be the best version of OpenSSL available
  and we strongly recommend that users of older versions upgrade as
  soon as possible.  OpenSSL 0.9.7a is available for download via HTTP
  and FTP from the following master locations (you can find the various
  FTP mirrors under http://www.openssl.org/source/mirror.html):

    o http://www.openssl.org/source/
    o ftp://ftp.openssl.org/source/

  For those who want or have to stay with the 0.9.6 series of OpenSSL,
  we strongly recommend that you upgrade to OpenSSL 0.9.6i as soon as
  possible.  It's available in the same location as 0.9.7a.

  The distribution file names are:

    o openssl-0.9.7a.tar.gz [normal]
      MD5 checksum: a0d3203ecf10989fdc61c784ae82e531
    o openssl-0.9.6i.tar.gz [normal]
      MD5 checksum: 9c4db437c17e0b6412c5e4645b6fcf5c
    o openssl-engine-0.9.6i.tar.gz [engine]
      MD5 checksum: c9adc0596c630b31b999eba32fc0a6b3

  The checksums were calculated using the following commands:

    openssl md5 < openssl-0.9.7a.tar.gz
    openssl md5 < openssl-0.9.6i.tar.gz
    openssl md5 < openssl-engine-0.9.6i.tar.gz

  Yours,
  The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller
    Lutz Jänicke            Ulf Möller

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce at openssl.org
Automated List Manager                           majordomo at openssl.org



-- 
Med Venlig Hilsen / Best Regards
                              |  Teleservice Esbjerg A/S
Niki Guldbrand                |  Salingsundvej 4
IT-Administrator              |  6715 Esbjerg N
                              |  Denmark
Phone         : +45 79144544  |
Direct Phone  : +45 79144589  |  Web : http://www.teleservice.com
Fax           : +45 79144599  |

E-Mail        : Niki.Guldbrand at teleservice.com

--------------
Beam me up, Scotty, there's no intelligent life down here!
--------------


More information about the Lunar-dev mailing list