#4335: openssl-1.1.0i
--------------------+-----------------------
Reporter: bdubbs | Owner: lfs-book
Type: task | Status: new
Priority: normal | Milestone: 8.3
Component: Book | Version: SVN
Severity: normal | Resolution:
Keywords: |
--------------------+-----------------------
Comment (by bdubbs):
Replying to [comment:2 dj@…]:
> CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:
Note: '''Low severity'''
> During key agreement in a TLS handshake using a DH(E) based
> ciphersuite a malicious server can send a very large prime value to the
> client. This will cause the client to spend an unreasonably long period of
> time generating a key for this prime resulting in a hang until the client
> has finished. This could be exploited in a Denial Of Service attack.
> Reported by Guido Vranken.
>
> Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
> Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
>
> CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:
Note: '''Low severity'''
> The OpenSSL RSA Key generation algorithm has been shown to be
> vulnerable to a cache timing side channel attack. An attacker with
> sufficient access to mount cache timing attacks during the RSA key
> generation process could recover the private key. Reported by Alejandro
> Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel
> Alvarez Tapia.
>
> Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
> Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
I am not convinced that we need to react to every low severity upstream
issue that comes up during the LFS/BLFS release freeze period. Discuss on
lfs-dev.
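As an added illustration of what the first advisory's fix has to guard against (example code written for this ticket, not OpenSSL's or the LFS book's own): a client-side check that parses the TLS 1.2 ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 2-byte length-prefixed big-endian integer, RFC 5246 section 7.4.3) and refuses an oversized dh_p before any modular exponentiation is attempted. The 10000-bit cap, the 1024-bit floor and the sample messages are assumptions constructed here; the upstream commit chose its own limit.

```python
import struct

# Caps are assumptions for this example; the upstream fix chose its own limit.
MAX_DH_PRIME_BITS = 10000
MIN_DH_PRIME_BITS = 1024


class DHParamError(ValueError):
    """Raised when a ServerDHParams structure is malformed or unacceptable."""


def parse_server_dh_params(data: bytes):
    """Parse dh_p, dh_g, dh_Ys (each a 2-byte length-prefixed big-endian
    integer, RFC 5246 section 7.4.3) and return them as Python ints."""
    values = []
    offset = 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise DHParamError(f"truncated length field for {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise DHParamError(f"bad or truncated value for {name}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    if offset != len(data):
        raise DHParamError("trailing bytes after dh_Ys")
    return tuple(values)


def check_dh_params(p: int, g: int, ys: int) -> int:
    """Sanity-check the group before any expensive arithmetic is done.
    Returns the prime size in bits on success."""
    bits = p.bit_length()
    if bits > MAX_DH_PRIME_BITS:
        raise DHParamError(f"dh_p is {bits} bits, above the {MAX_DH_PRIME_BITS}-bit cap")
    if bits < MIN_DH_PRIME_BITS:
        raise DHParamError(f"dh_p is {bits} bits, below the {MIN_DH_PRIME_BITS}-bit floor")
    if p % 2 == 0:
        raise DHParamError("dh_p is even, cannot be a prime")
    if not (1 < g < p - 1):
        raise DHParamError("dh_g out of range")
    if not (1 < ys < p - 1):
        raise DHParamError("dh_Ys out of range")
    return bits


def server_dh_params_ok(data: bytes) -> bool:
    """True if the encoded ServerDHParams parse and pass check_dh_params."""
    try:
        check_dh_params(*parse_server_dh_params(data))
        return True
    except DHParamError:
        return False


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encode the three values the way a server puts them on the wire
    (used here only to build the constructed sample messages)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample messages. The "moduli" are stand-ins of the right size,
# not real primes: the point is that rejection happens on size, before any
# arithmetic on the value.
P_NORMAL = (1 << 2047) | 1          # 2048-bit, odd
P_OVERSIZED = (1 << 20000) | 1      # 20001-bit, the "very large prime" case
SAMPLE_NORMAL = encode_server_dh_params(P_NORMAL, 2, 3)
SAMPLE_OVERSIZED = encode_server_dh_params(P_OVERSIZED, 2, 3)
SAMPLE_TRUNCATED = SAMPLE_NORMAL[:-5]

if __name__ == "__main__":
    for label, msg in (("normal", SAMPLE_NORMAL),
                       ("oversized", SAMPLE_OVERSIZED),
                       ("truncated", SAMPLE_TRUNCATED)):
        print(f"{label:10s} accepted={server_dh_params_ok(msg)}")
```

The check is cheap (a bit-length comparison on the parsed integer) and runs before the client does any exponentiation, which is the property that matters for the hang described in the advisory; the range checks on dh_g and dh_Ys are the usual public-value sanity checks and are independent of the size cap.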
--
Ticket URL: <http://wiki.linuxfromscratch.org/lfs/ticket/4335#comment:3>
LFS Trac <http://wiki.linuxfromscratch.org/lfs/>
Linux From Scratch: Your Distro, Your Rules.
--
http://lists.linuxfromscratch.org/listinfo/lfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page