[Pkg-openssl-devel] Bug#895844: openssl: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 16 20:24:21 BST 2018
Hi Sebastian,
Impressive response time :)
On Mon, Apr 16, 2018 at 09:07:59PM +0200, Sebastian Andrzej Siewior wrote:
> On 2018-04-16 20:51:26 [+0200], Salvatore Bonaccorso wrote:
> > Severity: important
> …
> > CVE-2018-0737[0]:
> > | The OpenSSL RSA Key generation algorithm has been shown to be
> > | vulnerable to a cache timing side channel attack. An attacker with
> > | sufficient access to mount cache timing attacks during the RSA key
> > | generation process could recover the private key. Fixed in OpenSSL
> > | 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
> > | (Affected 1.0.2b-1.0.2o).
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> do you want me to go ahead and prepare an upload? Upstream said that
> they won't prepare a new release because it is classified with severity
> low (yet it is filed here as important).
I do not think they warrant a DSA, I have actually marked those
already as no-dsa/postponed, and a fix can be included in the next
update needed.
Regards,
Salvatore