Vulnerability details
OpenSSL CBC Error Message Information Leak Vulnerability
- CNNVD ID: CNNVD-200303-024
- Severity: Medium
- CVE ID: CVE-2003-0078
- Vulnerability type: Design error
- Published: 2003-03-03
- Threat type: Remote
- Updated: 2005-10-12
- Vendor: openbsd
- Vulnerability source: Discovery credited…
Vulnerability summary
ssl3_get_record in s3_pkt.c in OpenSSL versions before 0.9.7a, and 0.9.6 versions before 0.9.6i, does not perform the MAC computation when a record carries incorrect block cipher padding. This causes an information leak (a timing discrepancy) that may make cryptographic attacks relying on distinguishing padding errors from MAC verification errors easier to mount, and may allow the original plaintext to be recovered; this is also known as the "Vaudenay timing attack".
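The check-ordering defect the summary describes, shown as an added example (constructed here, not OpenSSL's s3_pkt.c code): a record checker in the pre-0.9.7a shape that returns on a bad pad length before any MAC work, beside the fixed shape that always runs the MAC and folds both failures into a single result. The MAC is a toy keyed checksum standing in for HMAC, and the names toy_mac, build_record and check_record_* are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MAC_LEN 4

/* Toy keyed checksum standing in for the record MAC (constructed, not OpenSSL's). */
static void toy_mac(const uint8_t key[4], const uint8_t *m, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < 4; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < n; i++) { h ^= m[i]; h *= 16777619u; }
    for (size_t i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Lays out a decrypted record: payload || MAC || pad bytes || pad-length byte. */
size_t build_record(const uint8_t key[4], const uint8_t *p, size_t plen, uint8_t pad, uint8_t *out) {
    memcpy(out, p, plen);
    toy_mac(key, p, plen, out + plen);
    memset(out + plen + MAC_LEN, pad, pad);
    out[plen + MAC_LEN + pad] = pad;
    return plen + MAC_LEN + pad + 1;
}

/* Pre-0.9.7a shape: a bad pad length returns before any MAC work, so the
 * padding-error path is measurably faster than the MAC-error path. */
int check_record_vulnerable(const uint8_t key[4], const uint8_t *rec, size_t len, int *mac_ran) {
    uint8_t mac[MAC_LEN];
    *mac_ran = 0;
    if (len < MAC_LEN + 1) return -1;
    size_t pad = rec[len - 1];
    if (pad + MAC_LEN + 1 > len) return -1;   /* early exit: MAC never computed */
    size_t body = len - pad - MAC_LEN - 1;
    toy_mac(key, rec, body, mac);
    *mac_ran = 1;
    return memcmp(mac, rec + body, MAC_LEN) == 0 ? 0 : -1;
}

/* Fixed shape: MAC always computed and compared in constant time; both failures give one result. */
int check_record_fixed(const uint8_t key[4], const uint8_t *rec, size_t len, int *mac_ran) {
    uint8_t mac[MAC_LEN], d = 0;
    *mac_ran = 0;
    if (len < MAC_LEN + 1) return -1;
    size_t pad = rec[len - 1];
    int good = pad + MAC_LEN + 1 <= len;
    if (!good) pad = 0;                        /* keep a safe length and carry on */
    size_t body = len - pad - MAC_LEN - 1;
    toy_mac(key, rec, body, mac);
    *mac_ran = 1;
    for (size_t i = 0; i < MAC_LEN; i++) d |= mac[i] ^ rec[body + i];
    return (good & (d == 0)) ? 0 : -1;
}
```

The mac_ran flag stands in for the observable work a remote peer can time: with the vulnerable ordering it stays 0 on a padding error, with the fixed ordering it is 1 on every path.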
Vulnerability advisory
It is reported that certain versions of Computer Associates eTrust Security Command Center are prone to this vulnerability. Customers are advised to contact the vendor for further information pertaining to obtaining and applying appropriate updates.
Hewlett-Packard has released an advisory (HPSBUX0309-280), which contains fix information to address this issue in J2SE and JSSE. Customers are advised to upgrade as soon as possible. Further information regarding obtaining and applying fixes can be found in the referenced advisory.
NetBSD has released an advisory (2003-001) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
Administrators and users are advised to upgrade to version 0.9.6i or 0.9.7a. OpenPKG has released upgrade RPMs.
Conectiva has released an advisory (CLA-2003:570) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
Debian has released an advisory (DSA 253-1) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
Gentoo Linux has recommended that users who are running 'dev-libs/openssl' upgrade to 'openssl-0.9.6i' or 'openssl-0.9.7a' as follows:
emerge sync
emerge -u openssl
emerge clean
Mandrake has released an advisory (MDKSA-2003:020) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
Trustix has released an advisory (TSLSA-2003-0005) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
EnGarde has released an advisory (ESA-20030220-005) which addresses this issue. Fix details may be found in the attached advisory.
FreeBSD has released an updated Security Advisory. Users are advised to apply the new patches or to upgrade systems via CVS. Further information is available in the referenced advisory.
OpenBSD has released security patches which address this issue. Further information is available from the OpenBSD errata pages.
SuSE has released an advisory (SuSE-SA:2003:011) which addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.
Apple has released an advisory which contains a fix for this issue. Further information is available from the Apple Security Update page.
Red Hat Linux has released an advisory (RHSA-2003:062-11) containing fixes. Information about obtaining and applying fixes is available in the referenced advisory.
Sun has released updated versions of the affected products to address this issue.
Sun has also released an alert stating that this issue has been addressed in the latest release of JSSE, SDK, and JRE.
HP has released advisory HPSBUX0303-248 (rev. 1) to address this issue.
HP has released advisory HPSBUX0303-248 (rev. 2) to address this issue.
Oracle has released an advisory and patches to address this issue. Users are advised to obtain patches from the Oracle Metalink site listed in the references.
Fixes available:
OpenBSD OpenBSD 3.2
- OpenBSD 007_ssl.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/007_ssl.patch
Sun Cobalt RaQ 4
- Sun RaQ4-All-Security-2.0.1-16343.pkg
  http://ftp.cobalt.sun.com/pub/packages/raq4/eng/RaQ4-All-Security-2.0.1-16343.pkg
Sun Cobalt RaQ 550
- Sun RaQ550-All-Security-0.0.1-16343.pkg
  http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg
Sun Cobalt RaQ XTR
- Sun RaQ550-All-Security-0.0.1-16343.pkg
  http://ftp.cobalt.sun.com/pub/packages/raq550/all/RaQ550-All-Security-0.0.1-16343.pkg
- Sun RaQXTR-All-Security-1.0.1-16343.pkg
  http://ftp.cobalt.sun.com/pub/packages/raqxtr/eng/RaQXTR-All-Security-1.0.1-16343.pkg
Sun Cobalt Qube 3
- Sun Qube3-All-Security-4.0.1-16343.pkg
  http://ftp.cobalt.sun.com/pub/packages/qube3/ml/Qube3-All-Security-4.0.1-16343.pkg
OpenBSD OpenBSD 3.1
- OpenBSD 021_ssl.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/021_ssl.patch
OpenSSL Project OpenSSL 0.9.3
- OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade)
  http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.4
- OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade)
  http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.5a
- Mandrake openssl-0.9.5a-9.4mdk.i586.rpm (Mandrake Linux 7.2)
  http://www.mandrakesecure.net/en/ftp.php
- Mandrake openssl-devel-0.9.5a-9.4mdk.i586.rpm (Mandrake Linux 7.2)
  http://www.mandrakesecure.net/en/ftp.php
- OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade)
  http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.5
- OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade)
  http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.6d
- OpenSSL Project openssl-0.9.6i.tar.gz (OpenSSL 0.9.6i upgrade)
  http://www.openssl.org/source/openssl-0.9.6i.tar.gz
OpenSSL Project OpenSSL 0.9.6c
- Conectiva openssl-0.9.6-4U60_5cl.i386.rpm (Conectiva Linux Version 6.0)
  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/openssl-0.9.6-4U60_5cl.i386.rpm
- Conectiva openssl-0.9.6-4U60_5cl.src.rpm (Conectiva Linux Version 6.0)
  ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/openssl-0.9.6-4U60_5cl.src.rpm
- Conectiva openssl-0.9.6c-2U80_4cl.i386.rpm (Conectiva Linux Version 8.0)
  ftp://atualizacoes.conectiva.com.br/8/RPMS/openssl-0.9.6c-2U80_4cl.i386.rpm
- Conectiva openssl-0.9.6c-2U80_4cl.src.rpm (Conectiva Linux Version 8.0)
  ftp://atualizacoes.conectiva.com.br/8/SRPMS/openssl-0.9.6c-2U80_4cl.src.rpm
- Conectiva openssl-devel-0.9.6-4U60_5cl.i386.rpm (Conectiva Linux Version 6.0)
  ftp://atualizacoes.conecti
References
- Source: www.openssl.org; Link: http://www.openssl.org/news/secadv_20030219.txt
- Source: BUGTRAQ; Name: 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl); Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104568426824439&w=2
- Source: XF; Name: ssl-cbc-information-leak(11369); Link: http://www.iss.net/security_center/static/11369.php
- Source: DEBIAN; Name: DSA-253; Link: http://www.debian.org/security/2003/dsa-253
- Source: TRUSTIX; Name: 2003-0005; Link: http://www.trustix.org/errata/2003/0005
- Source: BID; Name: 6884; Link: http://www.securityfocus.com/bid/6884
- Source: REDHAT; Name: RHSA-2003:205; Link: http://www.redhat.com/support/errata/RHSA-2003-205.html
- Source: REDHAT; Name: RHSA-2003:104; Link: http://www.redhat.com/support/errata/RHSA-2003-104.html
- Source: REDHAT; Name: RHSA-2003:082; Link: http://www.redhat.com/support/errata/RHSA-2003-082.html
- Source: REDHAT; Name: RHSA-2003:063; Link: http://www.redhat.com/support/errata/RHSA-2003-063.html
- Source: REDHAT; Name: RHSA-2003:062; Link: http://www.redhat.com/support/errata/RHSA-2003-062.html
- Source: OSVDB; Name: 3945; Link: http://www.osvdb.org/3945
- Source: MANDRAKE; Name: MDKSA-2003:020; Link: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
- Source: ENGARDE; Name: ESA-20030220-005; Link: http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
- Source: CIAC; Name: N-051; Link: http://www.ciac.org/ciac/bulletins/n-051.shtml
- Source: GENTOO; Name: GLSA-200302-10; Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104577183206905&w=2
- Source: BUGTRAQ; Name: 20030219 OpenSSL 0.9.7a and 0.9.6i released; Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104567627211904&w=2
- Source: CONECTIVA; Name: CLSA-2003:570; Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
- Source: SGI; Name: 20030501-01-I; Link: ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
- Source: NETBSD; Name: NetBSD-SA2003-001; Link: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc