- secuirty patch (patch4)

Bug (bugtraq):
Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few
percent).

This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Changed files:
    openssl.spec -> 1.94

diff --git a/openssl.spec b/openssl.spec
index e52a7daf7fe19f73bac22e00b241faca18672180..f9bf5d49eb4b6b5cf8fafb981b7adb7d60119c4e 100644 (file)
--- a/openssl.spec
+++ b/openssl.spec
@@ -19,6 +19,7 @@ Patch0:               %{name}-alpha-ccc.patch
 Patch1:                %{name}-optflags.patch
 Patch2:                %{name}-globalCA.diff
 Patch3:                %{name}-parallel_make.patch
+Patch4:                %{name}-sec3.patch
 URL:           http://www.openssl.org/
 BuildRequires: perl-devel >= 5.6.1
 BuildRequires: textutils
@@ -178,6 +179,7 @@ RC4, RSA 
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p0
 
 %build
 for f in ` grep -r "%{_prefix}/local/bin/perl" . | cut -d":" -f1`; do