Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:DSA-288
HistoryApr 17, 2003 - 12:00 a.m.

openssl - several vulnerabilities

2003-04-1700:00:00
Google
osv.dev
37

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Researchers discovered two flaws in OpenSSL, a Secure Socket Layer
(SSL) library and related cryptographic tools. Applications that are
linked against this library are generally vulnerable to attacks that
could leak the server’s private key or make the encrypted session
decryptable otherwise. The Common Vulnerabilities and Exposures (CVE)
project identified the following vulnerabilities:

CAN-2003-0147

OpenSSL does not use RSA blinding by default, which allows local and
remote attackers to obtain the server’s private key.
CAN-2003-0131

The SSL allows remote attackers to perform an unauthorized RSA
private key operation that causes OpenSSL to leak information
regarding the relationship between ciphertext and the associated
plaintext.

For the stable distribution (woody) these problems have been fixed in
version 0.9.6c-2.woody.3.

For the old stable distribution (potato) these problems have been
fixed in version 0.9.6c-0.potato.6.

For the unstable distribution (sid) these problems have been fixed in
version 0.9.7b-1 of openssl and version 0.9.6j-1 of openssl096.

We recommend that you upgrade your openssl packages immediately and
restart the applications that use OpenSSL.

Unfortunately, RSA blinding is not thread-safe and will cause failures
for programs that use threads and OpenSSL such as stunnel. However,
since the proposed fix would change the binary interface (ABI),
programs that are dynamically linked against OpenSSL won’t run
anymore. This is a dilemma we can’t solve.

You will have to decide whether you want the security update which is
not thread-safe and recompile all applications that apparently fail
after the upgrade, or fetch the additional source packages at the end
of this advisory, recompile it and use a thread-safe OpenSSL library
again, but also recompile all applications that make use of it (such
as apache-ssl, mod_ssl, ssh etc.).

However, since only very few packages use threads and link against the
OpenSSL library most users will be able to use packages from this
update without any problems.

Related

openvas 6
debian 2
nessus 4
redhat 1
f5 4
cert 3
debiancve 2
cve 3
securityvulns 2
ubuntucve 2
suse 1
openssl 2
oraclelinux 3
openvas
openvas
HP-UX Update for ApacheStrong HPSBUX00255
2009-05-05 00:00:00
OpenSSL: Multiple Vulnerabilities (CVE-2003-0131, CVE-2003-0147) - Windows
2021-08-13 00:00:00
HP-UX Update for ApacheStrong HPSBUX00255
2009-05-05 00:00:00
debian
debian
[SECURITY] [DSA 288-1] New OpenSSL packages fix decipher vulnerability
2003-04-17 06:44:58
[SECURITY] [DSA 288-1] New OpenSSL packages fix decipher vulnerability
2003-04-17 00:00:00
nessus
nessus
Mandrake Linux Security Advisory : openssl (MDKSA-2003:035)
2004-07-31 00:00:00
RHEL 2.1 : openssl (RHSA-2003:102)
2004-07-06 00:00:00
Debian DSA-288-1 : openssl - several vulnerabilities
2004-09-29 00:00:00
redhat
redhat
(RHSA-2003:102) openssl security update
2003-03-31 00:00:00
f5
f5
SOL2379 - Klima-Pokorny-Rosa attack on RSA vulnerability CAN-2003-0131
2007-05-16 00:00:00
Klima-Pokorny-Rosa attack on RSA vulnerability CAN-2003-0131
2007-05-17 04:00:00
SOL2355 - Timing attacks on RSA private keys - CAN-2003-0147
2007-05-16 00:00:00
cert
cert
SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension
2003-04-23 00:00:00
Cryptographic libraries and applications do not adequately defend against timing attacks
2003-03-25 00:00:00
Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
2003-03-17 00:00:00
debiancve
debiancve
CVE-2003-0131
2003-03-24 05:00:00
CVE-2003-0147
2003-03-31 05:00:00
cve
cve
CVE-2003-0131
2003-03-24 05:00:00
CVE-2003-0147
2003-03-31 05:00:00
CVE-2004-2682
2004-12-31 05:00:00
securityvulns
securityvulns
[OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding
2003-03-20 00:00:00
[ADVISORY] Timing Attack on OpenSSL
2003-03-18 00:00:00
ubuntucve
ubuntucve
CVE-2003-0131
2003-03-24 00:00:00
CVE-2003-0147
2003-03-31 00:00:00
suse
suse
remote private-key retrieval in openssl
2003-04-04 12:36:38
openssl
openssl
Vulnerability in OpenSSL CVE-2003-0131
2003-03-19 00:00:00
Vulnerability in OpenSSL CVE-2003-0147
2003-03-14 00:00:00
oraclelinux
oraclelinux
openssl-fips security update
2015-04-02 00:00:00
openssl security update
2019-03-13 00:00:00
openssl security update
2019-08-16 00:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for OSV:DSA-288
openvas6debian2nessus4redhat1f54cert3debiancve2cve3securityvulns2ubuntucve2suse1openssl2oraclelinux3