-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2008-008 ================================= Topic: OpenSSL Montgomery multiplication Version: NetBSD-current: affected NetBSD-4.0: affected NetBSD-3.1.*: affected NetBSD-3.1: affected NetBSD-3.0.*: affected NetBSD-3.0: affected pkgsrc: openssl packages prior to 0.9.8f Severity: Local information disclosure Fixed: NetBSD-current: April 10, 2008 NetBSD-4-0 branch: April 13, 2008 (4.0.1 will include the fix) NetBSD-4 branch: April 13, 2008 (4.1 will include the fix) NetBSD-3-1 branch: May 13, 2008 (3.1.2 will include the fix) NetBSD-3-0 branch: May 13, 2008 (3.0.4 will include the fix) NetBSD-3 branch: May 13, 2008 (3.2 will include the fix) pkgsrc: openssl-0.9.8f corrects the issue Abstract ======== A local attacker may be able to retrieve another user's RSA private keys. This vulnerability has been assigned CVE-2007-3108. Technical Details ================= Due to OpenSSL not properly performing Montgomery multiplication it may allow a local attacker to launch a side-channel attack in order to retrieve user's private RSA keys. Solutions and Workarounds ========================= The following instructions describe how to upgrade your OpenSSL binaries by updating your source tree and rebuilding and installing a new version of OpenSSL. * NetBSD-current: Systems running NetBSD-current dated from before 2008-04-10 should be upgraded to NetBSD-current dated 2008-04-11 or later. The following files/directories need to be updated from the netbsd-current CVS branch (aka HEAD): crypto/dist/openssl/crypto/bn/bn_mont.c To update from CVS, re-build, and re-install OpenSSL: # cd src # cvs update crypto/dist/openssl/crypto/bn/bn_mont.c # cd lib/libcrypt # make USETOOLS=no cleandir dependall # cd ../../lib/libcrypto # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 4.*: Systems running NetBSD 4.* sources dated from before 2008-04-13 should be upgraded from NetBSD 4.* sources dated 2008-04-14 or later. The following files/directories need to be updated from the netbsd-4 or netbsd-4-0 branches: crypto/dist/openssl/crypto/bn/bn_mont.c To update from CVS, re-build, and re-install OpenSSL: # cd src # cvs update -r \ crypto/dist/openssl/crypto/bn/bn_mont.c # cd lib/libcrypt # make USETOOLS=no cleandir dependall # cd ../../lib/libcrypto # make USETOOLS=no cleandir dependall # make USETOOLS=no install * NetBSD 3.*: Systems running NetBSD 3.* sources dated from before 2008-05-13 should be upgraded from NetBSD 3.* sources dated 2008-05-14 or later. The following files/directories need to be updated from the netbsd-3, netbsd-3-0 or netbsd-3-1 branches: crypto/dist/openssl/crypto/bn/bn_mont.c To update from CVS, re-build, and re-install OpenSSL: # cd src # cvs update -r \ crypto/dist/openssl/crypto/bn/bn_mont.c # cd lib/libcrypt # make USETOOLS=no cleandir dependall # cd ../../lib/libcrypto # make USETOOLS=no cleandir dependall # make USETOOLS=no install Revision History ================ 2008-05-07 Initial release 2008-05-13 Update to include 3.x releases as impacted 2008-05-15 Fix installation instructions for NetBSD 3.* More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-008.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2008-008.txt,v 1.6 2008/05/15 05:39:47 adrianp Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (NetBSD) iQCVAwUBSCvMrT5Ru2/4N2IFAQILsQP9HhDtwMlk6tzMtTTsMb3Cdo2pv0jLldGS +Jn4gxmh8bwfajMwXXhMJE4l5k4s4HxKdp5U5r/LvPjyDXFSd+RyCSALa5RBl5Nm 0vICeL0ZeXudY/7bfKPfm4shJNd7UDOcbQMBzYbp1GylKQS5CK8obN5X2HwUIZXx Pd9QJqBpWl4= =VPsS -----END PGP SIGNATURE-----