Hi,
I read the recent research paper:
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations
by
Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and
Yuval Yarom
Nov 30, 2018
Research Paper: https://eprint.iacr.org/2018/1173.pdf
As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them
independently of the authors' disclosure.
=
APPENDIX A
VULNERABILITIES DESCRIPTION
A. OpenSSL TLS Implementation
[...]
However, OpenSSL’s code does contain two side channel vulnerabilities.
One vulnerability has been described in Section IV-A and the other is
presented here. We note that OpenSSL replaced the vulnerable code in
both locations with constant-time implementations independently of our
disclosure.
=
The paper does not list the CVE for the openssl vulnerability.
Is there a CVE for this? What are the affected versions and in which
version they were fixed?
with regards,
Saravanan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users