[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Tue Nov 20 11:57:43 UTC 2018
The branch OpenSSL_1_0_2-stable has been updated
via 548cce63dd401b89e26d049152e3f9465f82720f (commit)
from d88ff8962c2fd86aeb7ca7297ca9526d0916787e (commit)
- Log -----------------------------------------------------------------
commit 548cce63dd401b89e26d049152e3f9465f82720f
Author: Matt Caswell <matt at openssl.org>
Date: Tue Nov 20 10:52:53 2018 +0000
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7667)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 10 ++++++++++
NEWS | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index fde66b5..11d7232 100644
--- a/CHANGES
+++ b/CHANGES
@@ -22,6 +22,16 @@
(CVE-2018-5407)
[Billy Brumley]
+ *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
*) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
Module, accidentally introduced while backporting security fixes from the
development branch and hindering the use of ECC in FIPS mode.
diff --git a/NEWS b/NEWS
index 2c5f5f8..38fe668 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development]
- o
+ o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
+ o Timing vulnerability in DSA signature generation (CVE-2018-0734)
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
More information about the openssl-commits
mailing list