The branch master has been updated via c1ef2852b252307d001a80409dc1ef23a3c1d874 (commit) from 9694ebf753e571a55935a63b4df8016e7bd3248d (commit)
- Log ----------------------------------------------------------------- commit c1ef2852b252307d001a80409dc1ef23a3c1d874 Author: Matt Caswell <m...@openssl.org> Date: Tue Nov 20 10:52:53 2018 +0000 Update CHANGES and NEWS for new release Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Nicola Tuveri <nic....@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7663) ----------------------------------------------------------------------- Summary of changes: CHANGES | 22 +++++++++++++++++++++- NEWS | 5 +++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index df6e6b1..95bced8 100644 --- a/CHANGES +++ b/CHANGES @@ -55,7 +55,27 @@ list of built in objects, i.e. OIDs with names. [Richard Levitte] - Changes between 1.1.1 and 1.1.1a [xx XXX xxxx] + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] + + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Timing vulnerability in ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + (CVE-2018-0735) + [Paul Dale] *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input if its length exceeds 4096 bytes. The limit has been raised to a buffer size diff --git a/NEWS b/NEWS index 56aab21..df16b78 100644 --- a/NEWS +++ b/NEWS 
@@ -10,6 +10,11 @@ o Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC bridge. + Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] + + o Timing vulnerability in DSA signature generation (CVE-2018-0734) + o Timing vulnerability in ECDSA signature generation (CVE-2018-0735) + Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3 _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
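Review bot: In the CHANGES hunk, both new entries (DSA and ECDSA) say "An attacker could use variations in the signing algorithm to recover the private key", which does not name what varies. The entry titles call these timing vulnerabilities, so wording such as "variations in the time taken by the signing operation" would be clearer. Both entries also describe the issue and its reporter but not what was changed to address it; a sentence on the fix would help anyone reading CHANGES as a changelog.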
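Review bot: In the NEWS hunk, the two bullets added under "Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a" name the vulnerabilities but do not say they are fixed in this release. Prefixing them, for example "Fix for timing vulnerability in DSA signature generation (CVE-2018-0734)", would remove the ambiguity for someone reading the list as release notes.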