=====================================================================
                            CERT-Renater

                 Information Note No. 2003/VULN104
_____________________________________________________________________

DATE                 : 21/03/2003

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running OpenSSL

======================================================================

Researchers have discovered a timing attack on RSA keys to which
OpenSSL is vulnerable. OpenBSD patches are now available.

The following paper describes the attack in detail:

    http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

The patches have already been committed to OpenBSD-current and the
3.1 and 3.2 -stable branches.

For those who wish to manually patch their systems, the following
patches are available.

Patch for OpenBSD 3.1:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/024_blinding.patch

Patch for OpenBSD 3.2:

    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/011_blinding.patch

The OpenSSL advisory (from which the patches are derived) is:

    http://www.openssl.org/news/secadv_20030317.txt

======================================================================

=========================================================
CERT-Renater reference servers

    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================