The branch master has been updated via 5d178ddbeb5943d800ecf261449b139971d6743a (commit) from e73e4460aa47e8cb6c694625584c26e9298d0bb5 (commit)
- Log ----------------------------------------------------------------- commit 5d178ddbeb5943d800ecf261449b139971d6743a Author: Matt Caswell <m...@openssl.org> Date: Mon Apr 16 16:30:00 2018 +0100 Updates for CVE-2018-0737 ----------------------------------------------------------------------- Summary of changes: news/secadv/20180416.txt | 35 +++++++++++++++++++++++++++++++++++ news/vulnerabilities.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 news/secadv/20180416.txt
diff --git a/news/secadv/20180416.txt b/news/secadv/20180416.txt
new file mode 100644
index 0000000..700beb6
--- /dev/null
+++ b/news/secadv/20180416.txt
@@ -0,0 +1,35 @@
+
+OpenSSL Security Advisory [16 Apr 2018]
+========================================
+
+Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
+================================================================
+
+Severity: Low
+
+The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
+cache timing side channel attack. An attacker with sufficient access to mount
+cache timing attacks during the RSA key generation process could recover the
+private key.
+
+Due to the low severity of this issue we are not issuing a new release of
+OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
+and OpenSSL 1.0.2p when they become available. The fix is also available in
+commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
+repository.
+
+This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+The fix was developed by Billy Brumley.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20180416.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index b565e18..684eb33 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -8,6 +8,49 @@ <!-- The updated attribute should be the same as the first public issue, unless an old entry was updated. --> <security updated="20180327"> + <issue public="20180416"> + <impact severity="Low"/> + <cve name="2018-0737"/> + <affects base="1.1.0" version="1.1.0"/> + <affects base="1.1.0" version="1.1.0a"/> + <affects base="1.1.0" version="1.1.0b"/> + <affects base="1.1.0" version="1.1.0c"/> + <affects base="1.1.0" version="1.1.0d"/> + <affects base="1.1.0" version="1.1.0e"/> + <affects base="1.1.0" version="1.1.0f"/> + <affects base="1.1.0" version="1.1.0g"/> + <affects base="1.1.0" version="1.1.0h"/> + <affects base="1.0.2" version="1.0.2b"/> + <affects base="1.0.2" version="1.0.2c"/> + <affects base="1.0.2" version="1.0.2d"/> + <affects base="1.0.2" version="1.0.2e"/> + <affects base="1.0.2" version="1.0.2f"/> + <affects base="1.0.2" version="1.0.2g"/> + <affects base="1.0.2" version="1.0.2h"/> + <affects base="1.0.2" version="1.0.2i"/> + <affects base="1.0.2" version="1.0.2j"/> + <affects base="1.0.2" version="1.0.2k"/> + <affects base="1.0.2" version="1.0.2l"/> + <affects base="1.0.2" version="1.0.2m"/> + <affects base="1.0.2" version="1.0.2n"/> + <affects base="1.0.2" version="1.0.2o"/> + <fixed base="1.1.0" version="1.1.0i-dev" date="20180416"> + <git hash="6939eab03a6e23d2bd2c3f5e34fe1d48e542e787"/> + </fixed> + <fixed base="1.0.2" version="1.0.2p-dev" date="20180416"> + <git hash="349a41da1ad88ad87825414752a8ff5fdd6a6c3f"/> + </fixed> + <problemtype>Constant time issue</problemtype> + <title>Cache timing vulnerability in RSA Key Generation</title> + <description> + The OpenSSL RSA Key generation algorithm has been shown to be vulnerable + to a cache timing side channel attack. An attacker with sufficient access + to mount cache timing attacks during the RSA key generation process could + recover the private key. 
+ </description> + <advisory url="/news/secadv/20180416.txt"/> + <reported source="Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia"/> + </issue> <issue public="20180327"> <impact severity="Moderate"/> <cve name="2018-0739"/> _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
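Review bot: The `<security updated="20180327">` context line at the top of this hunk is left unchanged, although the comment directly above it says `updated` should match the first public issue and the entry added here is `public="20180416"`; the line should read `<security updated="20180416">`. Any consumer that uses that attribute to decide whether the list has changed would presumably not notice the CVE-2018-0737 entry. Separately, the 1.0.2 `affects` list starts at `1.0.2b` with no entries for `1.0.2` or `1.0.2a`, and neither this entry nor the advisory text says why. If the omission is deliberate, an XML comment such as `<!-- 1.0.2 and 1.0.2a not affected: REASON -->` above the first 1.0.2 line would tell tools that derive affected ranges from this file that the gap is intentional. The `<security>` element continues outside the hunk.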