#4335: openssl-1.1.0i
--------------------+-----------------------
Reporter: bdubbs | Owner: lfs-book
Type: task | Status: new
Priority: normal | Milestone: 8.3
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
--------------------+-----------------------
Comment (by dj@…):
CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:
During key agreement in a TLS handshake using a DH(E) based
ciphersuite a malicious server can send a very large prime value to the
client. This will cause the client to spend an unreasonably long period of
time generating a key for this prime resulting in a hang until the client
has finished. This could be exploited in a Denial Of Service attack.
Reported by Guido Vranken.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:
The OpenSSL RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker with
sufficient access to mount cache timing attacks during the RSA key
generation process could recover the private key. Reported by Alejandro
Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel
Alvarez Tapia.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4335#comment:2>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
