OpenSSL Information for VU#997481

Cryptographic libraries and applications do not adequately defend against timing attacks



Vendor Statement

A patch to fix the problem, which affects all versions of OpenSSL up to and including 0.9.6i and 0.9.7a, has already been released. Versions 0.9.6j and 0.9.7b will be released shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



Please reference OpenSSL Security Advisory [17 March 2003]. RSA blinding is enabled by default in OpenSSL 0.9.7b and 0.9.6j.
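The RSA blinding named above works by multiplying the input by a fresh random factor before applying the private exponent, so the time taken no longer tracks a value the remote party chose. The sketch below is an added example, not code from OpenSSL or the advisory; the toy key, the sample message and the function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy key built from two Mersenne primes; far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def fresh_blinding_factor(n):
    """Pick a random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def blinded_private_op(c, d=D, e=E, n=N):
    """Compute c^d mod n without exponentiating the caller-supplied c directly.

    Returns (result, blinded_input) so the caller can see which value the
    secret exponent was actually applied to.
    """
    r = fresh_blinding_factor(n)
    blinded = (c * pow(r, e, n)) % n               # c * r^e
    blinded_result = pow(blinded, d, n)            # (c * r^e)^d = c^d * r
    result = (blinded_result * pow(r, -1, n)) % n  # strip r again
    return result, blinded


def demo():
    """Decrypt one ciphertext five times; count distinct blinded inputs."""
    message = 0x48656C6C6F  # constructed sample plaintext
    c = pow(message, E, N)
    seen = set()
    for _ in range(5):
        m, blinded = blinded_private_op(c)
        assert m == message  # blinding never changes the answer
        seen.add(blinded)
    return len(seen)


if __name__ == "__main__":
    print("distinct blinded inputs for one ciphertext:", demo())
```

Python's `pow` is not constant-time; the example shows only the algebra of blinding, which is why a repeated or chosen input gives an observer no stable timing signal.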
