[Pkg-openssl-devel] Bug#895844: openssl: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Mon Apr 16 20:07:59 BST 2018
On 2018-04-16 20:51:26 [+0200], Salvatore Bonaccorso wrote:
> Severity: important
…
> CVE-2018-0737[0]:
> | The OpenSSL RSA Key generation algorithm has been shown to be
> | vulnerable to a cache timing side channel attack. An attacker with
> | sufficient access to mount cache timing attacks during the RSA key
> | generation process could recover the private key. Fixed in OpenSSL
> | 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
> | (Affected 1.0.2b-1.0.2o).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
do you want me to go ahead and prepare an upload? Upstream said that
they won't prepare a new release because it is classified with severity
low (yet it is filled here as important).
> Regards,
> Salvatore
Sebastian
More information about the Pkg-openssl-devel
mailing list