Description of problem: Timing attack on RSA decryption because RSA blinding isn't used in all applications (mod_ssl etc) Version-Release number of selected component (if applicable): This affects most applications that link to OpenSSL How reproducible: In order to exploit this issue you need to be local to the machine or be on a network that enables you to reliably observe sub 1ms timing differences. Additional info: http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf This is CAN-2003-0147 A patch is being prepared by the OpenSSL team that enabled RSA blinding by default.
Was fixed by http://rhn.redhat.com/errata/RHSA-2003-102.html