Hi Sebastian,

Impressive response time :)

On Mon, Apr 16, 2018 at 09:07:59PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-04-16 20:51:26 [+0200], Salvatore Bonaccorso wrote:
> > Severity: important
> …
> > CVE-2018-0737[0]:
> > | The OpenSSL RSA Key generation algorithm has been shown to be
> > | vulnerable to a cache timing side channel attack. An attacker with
> > | sufficient access to mount cache timing attacks during the RSA key
> > | generation process could recover the private key. Fixed in OpenSSL
> > | 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
> > | (Affected 1.0.2b-1.0.2o).
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> do you want me to go ahead and prepare an upload? Upstream said that
> they won't prepare a new release because it is classified with severity
> low (yet it is filed here as important).

I do not think they warrant a DSA, I have actually marked those already as no-dsa/postponed, and a fix can be included in the next update needed.

Regards,
Salvatore