[Pkg-openssl-devel] openssl 1.0.0e vulnerability

Julian Gilbey jdg at debian.org
Fri Oct 7 09:50:20 UTC 2011


On Fri, Oct 07, 2011 at 09:17:51AM +0200, Thijs Kinkhorst wrote:
> > functional but forced to fail in a very specific way due to carefully
> > changing the input power voltage.  The only reason that this attack
> > was capable of being successful was because the openssl code took care
> > to protect against the possibility of the CRT approach being
> > compromised but not the fallback method.  It seems fairly
> > straightforward to fix this potential hole, especially as this exploit
> > is now available for all to read.
> 
> If I read that this attack vector requires carefully changing the input
> voltage, I'm tempted to conclude that (a) it would be good if upstream
> addressed this and that fix would trickle down to Debian over time, and
> (b) it seems rare enough not to issue a DSA for it.

Agreed.

   Julian



More information about the Pkg-openssl-devel mailing list