The OpenSSL team made the following commit publically to the 0.9.8 head: http://cvs.openssl.org/chngview?cn=16275 This is a possible weakness in OpenSSL which could allow a local user in certain circumstances to divulge information about private keys being used. For example if a server has a SSL web server on it, a local unprivileged user may be able to get hold of the key. I'm not sure in practice how possible this would be; it would rely on a system that isn't doing much else that could interfere with some spy process designed to figure out this information (and probably won't be possible if you have a server handling a lot of traffic, has more than one key, lots of local processes, and so on). It's similar to previous issues and is rated severity=moderate I'm not sure if the OpenSSL team plan to upgrade older versions of OpenSSL or when this will be announced publicly. Please treat as embargoed for now.
Created attachment 159337 [details] Proposed patch for 0.9.8b
Created attachment 159339 [details] Proposed patch for 0.9.7a
Created attachment 159381 [details] Proposed patch for 0.9.6 and 0.9.6b
Created attachment 159391 [details] Proposed patch for 0.9.5a
removing embargo, CERT published http://www.kb.cert.org/vuls/id/724968 see also http://openssl.org/news/patch-CVE-2007-3108.txt
Because this change has not been tested in a full upstream OpenSSL release there is some risk that it may introduce unexpected side-effects. Given this issue is not serious, our current plan is as follows: - To include the backported fix in an OpenSSL update ready for RHEL 4.6. This will get testing via beta and give time for more extensive internal testing - To release an async update for OpenSSL for other RHEL platforms at the same time as RHEL4.6 is released
This was fixed in Red Hat Enterprise Linux via: Red Hat Enterprise Linux version 2.1: RHSA-2007:0813 Red Hat Enterprise Linux version 3: RHSA-2007:0813 Red Hat Enterprise Linux version 4: RHSA-2007:1003 Red Hat Enterprise Linux version 5: RHSA-2007:0964
Statement: (none)