[Pkg-openssl-devel] Bug#438142: CVE-2007-3108 wrong Montgomery multiplication might cause information leakage
Nico Golde
nion at debian.org
Wed Aug 15 15:56:51 UTC 2007
Package: openssl
Version: 0.9.8e-5
Severity: important
Tags: security
Hi,
CVE-2007-3108[0]:
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and
earlier does not properly perform Montgomery multiplication, which might allow
local users to conduct a side-channel attack and retrieve RSA private keys.
Openssl seems to be vulnerable in (oldstable), stable, testing and unstable.
I couldn't find any note about a fix for this in the changelogs.
If you fix this issue please include the CVE id in the changelog.
You can find patches for the 0.9.8 versions on:
http://www.securityfocus.com/bid/25163/solution
Kind regards
Nico
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20070815/ec2e9141/attachment.pgp
More information about the Pkg-openssl-devel
mailing list