[openssl-commits] [openssl] master update

Tue, 20 Nov 2018 03:54:22 -0800 

The branch master has been updated
       via  c1ef2852b252307d001a80409dc1ef23a3c1d874 (commit)
      from  9694ebf753e571a55935a63b4df8016e7bd3248d (commit)


- Log -----------------------------------------------------------------
commit c1ef2852b252307d001a80409dc1ef23a3c1d874
Author: Matt Caswell <[email protected]>
Date:   Tue Nov 20 10:52:53 2018 +0000

    Update CHANGES and NEWS for new release
    
    Reviewed-by: Richard Levitte <[email protected]>
    Reviewed-by: Nicola Tuveri <[email protected]>
    (Merged from https://github.com/openssl/openssl/pull/7663)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES | 22 +++++++++++++++++++++-
 NEWS    |  5 +++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index df6e6b1..95bced8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -55,7 +55,27 @@
      list of built in objects, i.e. OIDs with names.
      [Richard Levitte]
 
- Changes between 1.1.1 and 1.1.1a [xx XXX xxxx]
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the 
signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the 
signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+     (CVE-2018-0735)
+     [Paul Dale]
 
   *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
      if its length exceeds 4096 bytes. The limit has been raised to a buffer 
size
diff --git a/NEWS b/NEWS
index 56aab21..df16b78 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,11 @@
       o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC
         bridge.
 
+  Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
+
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+      o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
 
       o Support for TLSv1.3 added (see 
https://wiki.openssl.org/index.php/TLS1.3
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to