Technical Details
There is a problem. It has been fixed. If you use SSL via SSLeay, you can simply grab the patches below and rebuild. For non-SSLeay based systems you will need to contact the vendor directly.
The quick overview is that most SSL implementations leak information about whether an RSA-encrypted message (PKCS#1) was correctly padded, and that leak exposes the server to a complex attack discovered by Daniel Bleichenbacher. This attack can recover the session key.
C2Net have a good FAQ on the topic at http://www.c2.net/products/stronghold/support/PKCS1.php which is very relevant for SSLeay users.
Eric has detailed his views on the attack at ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/README.PKCS1
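To make the information leak concrete, here is an added illustration (not code from SSLeay, C2Net or the README above). It models the server's handling of the RSA-decrypted premaster secret block only; the RSA step itself is omitted, and the block layout, the constructed key size K and the helper names are assumptions for the demo. The leaky handler answers differently depending on whether the PKCS#1 padding was well-formed, which is exactly the distinguishing behaviour the attack exploits. The hardened handler never reports a padding failure: it silently substitutes a random premaster secret so the handshake fails later in the same way for good and bad padding, giving the peer nothing to distinguish.

```python
import os

PREMASTER_LEN = 48  # SSL/TLS premaster secret length in bytes


def pkcs1_v15_unpad(block: bytes, k: int):
    """Strict PKCS#1 v1.5 block-type-2 unpadding (constructed for this demo).

    `block` is the k-byte result of the raw RSA decryption. Returns the
    embedded message, or None if the padding is malformed.
    Expected layout: 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M
    """
    if len(block) != k or block[0] != 0x00 or block[1] != 0x02:
        return None
    try:
        sep = block.index(0x00, 2)          # first zero byte after the header
    except ValueError:
        return None
    if sep < 10:                            # fewer than 8 bytes of padding
        return None
    return block[sep + 1:]


def vulnerable_server(block: bytes, k: int):
    """Leaky behaviour: a distinguishable error reveals whether the padding
    parsed. That distinguishable response is the oracle the attack needs."""
    msg = pkcs1_v15_unpad(block, k)
    if msg is None or len(msg) != PREMASTER_LEN:
        return ("decrypt_error", None)
    return ("ok", msg)


def hardened_server(block: bytes, k: int, rng=os.urandom):
    """Mitigation: never signal a padding failure. On any defect, carry on
    with a random premaster secret; the handshake then fails at the Finished
    check exactly as it would for a bad client, so both paths look alike."""
    msg = pkcs1_v15_unpad(block, k)
    if msg is None or len(msg) != PREMASTER_LEN:
        msg = rng(PREMASTER_LEN)
    return ("ok", msg)


def pad_for_demo(secret: bytes, k: int, rng=os.urandom) -> bytes:
    """Constructed sender-side helper: build a well-formed block so the demo
    has valid input. The padding string PS must contain no zero bytes."""
    ps_len = k - 3 - len(secret)
    assert ps_len >= 8, "modulus too small for this message"
    ps = bytearray()
    while len(ps) < ps_len:
        b = rng(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + secret


if __name__ == "__main__":
    K = 128                                  # assumed 1024-bit modulus size
    secret = bytes(range(PREMASTER_LEN))     # constructed premaster secret
    good = pad_for_demo(secret, K)
    bad = b"\x00\x01" + good[2:]             # wrong block type -> bad padding
    print("leaky  good:", vulnerable_server(good, K)[0], " bad:", vulnerable_server(bad, K)[0])
    print("fixed  good:", hardened_server(good, K)[0], " bad:", hardened_server(bad, K)[0])
```

The hardened path is the standard remedy: the only observable difference between a valid and an invalid block must be the eventual handshake failure, which happens either way. Anything else that differs between the two paths, including timing, reopens the leak.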
PATCHES

File                        | Description
----------------------------+------------------------------------------------
SSLeay-090-090b.patch.gz    | SSLeay-0.9.0 PATCH
SSLeay-0.9.0b.tar.gz        | SSLeay-0.9.0b – new release with patch applied
SSLeay-081-081b.patch.gz    | SSLeay-0.8.1 PATCH
SSLeay-0.8.1b.tar.gz        | SSLeay-0.8.1b – new release with patch applied
SSLeay-066-066b.patch.gz    | SSLeay-0.6.6 PATCH
SSLeay-0.6.6b.tar.gz        | SSLeay-0.6.6b – new release with patch applied