Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
Apple: The patch from the OpenSSL team to fix this vulnerability is available in Mac OS X 10.2.5, and may be obtained via: http://www.info.apple.com/support/downloads.html
The vendor has not provided us with any further information regarding this vulnerability.
See also: APPLE-SA-2003-04-10.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: May 23, 2003
Not Affected
Clavister Firewall: Not Vulnerable Clavister VPN Client: Not Vulnerable The IKE protocol is not vulnerable to the Klima-Pokorny-Rosa attack, as it does not provide the necessary "clues" for the Bad Version Oracle to work with. Even IKE with RSA encryption, which is an unusual IKE mode of operation that Clavister products does not do, should be immune to this attack.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see CLSA-2003:625.
Updated: April 22, 2003
Not Affected
Covalent Technologies SSL implementations are NOT vulnerable to this or other variants of the Klima-Pokorny-Rosa attacks. No action by Covalent Technologies customers using Covalent SSL products is necessary.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 28, 2003
Not Affected
cryptlib returns a purely boolean yes/no response to incorrect data in the RSA-encrypted premaster secret, with no specific error details provided. It is not vulnerable to the bad-version oracle attack.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
We have addressed this issue in DSA 288 http://www.debian.org/security/2003/dsa-288
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: June 02, 2003
Affected
eSoft InstaGate software prior to version 3.1.20030425 is vulnerable. Customers can upgrade to version 3.1.20030425 through SoftPak Director.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 18, 2003
Affected
F5 Networks has released a patch for the following products and versions: BIG-IP versions 4.2 through 4.5 3-DNS versions 4.2 through 4.5 BIG-IP Blade Controller version 4.2.3 PTF-01 Patch locations and more information can be found here: http://tech.f5.com/home/bigip/solutions/security/sol2379.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see FreeBSD-SA-03:06.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: June 02, 2003
Not Affected
Fujitsu's UXP/V o.s. is not affected by the problem in VU#888801 because it does not support the RSA-based SSL/TLS.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
...glibc doesn't do RSA.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 22, 2003
Not Affected
Libgcrypt only recently provides pkcs#1 creation within the library but there is no pkcs#1 parsing yet implemented. So Libgcrypt itself is too dumb to be affected. GnuPG is not affected because it is a store and forward system and not easily usable in an online setting.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 15, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
This issue is addressed in GnuTLS 0.8.5.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see ESA-20030320-010.
Notified: April 18, 2003 Updated: April 29, 2003
Affected
SOURCE: Hewlett-Packard Company HP Services Software Security Response Team x-ref: SSRT3518, SSRT3499 At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products. As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.
The vendor has not provided us with any further information regarding this vulnerability.
Please see HPSBUX0304-0255/SSRT3499.
Notified: April 18, 2003 Updated: May 21, 2003
Not Affected
Hitachi Web Server is NOT Vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: June 17, 2003
Affected
The AIX operating system does not ship with SSL. However, SSL is available for installation on AIX from the Linux Affinity Toolbox. The Linux Affinity Toolbox contains OpenSSL 0.9.6g-3 which is not vulnerable to the issues discussed in CERT Vulnerability Note VU#888801 and any advisories which follow. Users using an earlier version of OpenSSL should download the most recent version as soon as possible. The Linux Affinity Toolbox is available at: http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html This software is offered on an "as-is" and is unwarranted.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
Ingrian Networks has addressed the Klima-Pokorny-Rosa attack in release 2.9.0. See http://www.ingrian.com/support or your Ingrian service representative.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The KAME IKE daemon (racoon) does not support the "Authenticated With Public Key Encryption" exchange methods.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MDKSA-2003:035.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
Mirapoint released a fix for the attack described by Klima-Pokorny-Rosa on February 21, 2003. Details of the patch that addresses this (D3_SSL) can be found on the Mirapoint secure support center.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
mod_ssl itself is not directly vulnerable. To address this vulnerability in an Apache 1.3.x/mod_ssl system, however, mod_ssl needs to be linked against a patched/updated (0.9.7b/0.9.6j) version of OpenSSL.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 21, 2003
Affected
No services using SSL/TLS are enabled by default in NetBSD, however, by enabling services built with these libraries, a system could become vulnerable to the compromise. A description and resolution procedure is available here: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc
The vendor has not provided us with any further information regarding this vulnerability.
See also the list of patches included in NetBSD 1.6.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
The netfilter/iptables subsystem of the linux kernel is not affected, since it doesn't include any SSL/TLS support.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see OpenPKG-SA-2003.026.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
This issue is addressed in OpenSSL 0.9.7b and 0.9.6j. OpenSSL has also posted an advisory that includes a patch for earlier versions.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
PuTTY cannot be vulnerable to any attack of this type in the SSH1 transport layer, since it is an SSH client only and the RSA decryption is done in the server. An SSH agent could feasibly be vulnerable if it reported SSH_AGENT_FAILURE in response to PKCS encoding errors, but PuTTY's agent implementation (Pageant) will never do this, so it is believed safe.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 18, 2003
Affected
Various Red Hat products have shipped with OpenSSL packages vulnerable to this issue. Updated OpenSSL packages that contain a backported security patch to protect against this vulnerability are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-101.html Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2003-102.html Red Hat Stronghold Web Server 4 (Cross platform): http://rhn.redhat.com/errata/RHSA-2003-116.html Red Hat Stronghold Web Server 3: http://rhn.redhat.com/errata/RHSA-2003-117.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: May 21, 2003
Not Affected
RSA BSAFE SSL-C (all versions) SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack. RSA BSAFE SSL-J SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: May 15, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see SGI Security Advisory 20030501-01-I.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: April 18, 2003 Updated: May 23, 2003
Affected
SSH Communications Security Vendor statement for VU#888801 Not vulnerable products: SSH Secure Shell for Servers (all versions) SSH Secure Shell for Windows Servers (all versions) SSH Secure Shell for Workstations (all versions) The ssh1, ssh2 and ssh-agent protocols and applications are not vulnerable to the Klima-Pokorny-Rosa (KPR) attack because no error messages are reported from PKCS1 v1.5 decryption other than invalid PKCS1 padding. This implies there are no effective extensions to the Bleichenbacher attack such as the KPR attack against Secure Shell. The ssh1 and ssh-agent protocols have countermeasures against the Bleichenbacher attack and it is not applicable against ssh2. Vulnerable products: SSH Certificate/TLS Toolkit up to and including version 5.1.1 SSH IPSEC Express Toolkit up to and including version 5.1.1 A fix is available and has been delivered to SSH customers.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: June 02, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see SuSE-SA:2003:024.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 22, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see TSL-2003-0013.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
TTSSH is not vulnerable because there is no way to get TTSSH to perform a large number of RSA operations automatically. We perform one or two RSA operations each time the user connects to the server, and every server connection requires user interaction.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: May 27, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 18, 2003
Affected
A patch has been made available, for more information please see: http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-001-01
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 18, 2003 Updated: April 22, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.