[20473] in bugtraq
Re: OpenSSL-0.9.6a has security fixes
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Apr 27 01:24:44 2001
Message-ID: <20010426170818.55EB37B7D@berkshire.research.att.com>
Date: Thu, 26 Apr 2001 13:08:18 -0400
Reply-To: smb@RESEARCH.ATT.COM
From: "Steven M. Bellovin" <smb@RESEARCH.ATT.COM>
X-To: Ariel Waissbein <core.lists.bugtraq@CORE-SDI.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

In message <3AE70975.F9B60B6F@core-sdi.com>, Ariel Waissbein writes:
>There seems to be a typo in the following post. It is RSA and not DSA.
>The source, OpenSSL's webpage, has the same typo. Refer to
>http://www.securityfocus.com/bid/2344
>(or http://www.core-sdi.com/advisories/ssh1_sessionkey_recovery.htm).
>
>Daniel Bleichenbacher's webpage at Bell is
>http://www.bell-labs.com/user/bleichen/bib.html

Hmm -- Bleichenbacher has found a flaw in DSA, too; see
http://www.lucent.com/press/0201/010205.bla.html. Last time I spoke
with him, the full technical paper was not yet available; it's supposed to
be presented next month at EUROCRYPT.
But I have no idea if OpenSSL has actually fixed that problem...
--Steve Bellovin, http://www.research.att.com/~smb