[openssl-commits] [web] master update
Paul I. Dale
pauli at openssl.org
Sun Oct 28 23:06:15 UTC 2018
The branch master has been updated
via 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit)
via 911cdb11d835a00d901d3e9c1a728ed2613f84a6 (commit)
from fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 (commit)
- Log -----------------------------------------------------------------
commit 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4
Merge: 911cdb1 fbf2414
Author: Pauli <paul.dale at oracle.com>
Date: Mon Oct 29 09:06:01 2018 +1000
Merge branch 'master' of git.openssl.org:openssl-web
commit 911cdb11d835a00d901d3e9c1a728ed2613f84a6
Author: Pauli <paul.dale at oracle.com>
Date: Mon Oct 29 09:03:42 2018 +1000
Update for ECDSA vulnerability CVS-2018-0735
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 1 +
news/secadv/20181029.txt | 31 +++++++++++++++++++++++++++++++
news/vulnerabilities.xml | 24 ++++++++++++++++++++++++
3 files changed, 56 insertions(+)
create mode 100644 news/secadv/20181029.txt
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 1a0f0fb..311c39b 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
+29-Oct-2018: <a href="/news/secadv/20181029.txt">Security Advisory</a>: one low severity fix
11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade!
21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it
14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes
diff --git a/news/secadv/20181029.txt b/news/secadv/20181029.txt
new file mode 100644
index 0000000..2194ef0
--- /dev/null
+++ b/news/secadv/20181029.txt
@@ -0,0 +1,31 @@
+OpenSSL Security Advisory [29 October 2018]
+===========================================
+
+Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+==================================================================
+
+Severity: Low
+
+The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+timing side channel attack. An attacker could use variations in the signing
+algorithm to recover the private key.
+
+Due to the low severity of this issue we are not issuing a new release
+of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in
+OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix
+is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28
+(for 1.1.0) in the OpenSSL git repository.
+
+This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20181029.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 6ef9c56..a2a2de0 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -54,6 +54,30 @@
<advisory url="/news/secadv/20180612.txt"/>
<reported source="Guido Vranken"/>
</issue>
+ <issue public="20181029">
+ <impact severity="Low"/>
+ <cve name="2018-0735"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.1.0" version="1.1.0h"/>
+ <affects base="1.1.0" version="1.1.0i"/>
+ <problemtype>Constant time issue</problemtype>
+ <title>Timing attack against ECDSA signature generation</title>
+ <description>
+ The OpenSSL ECDSA signature algorithm has been shown to be
+ vulnerable to a timing side channel attack. An attacker could use
+ variations in the signing algorithm to recover the private key.
+ </description>
+ <advisory url="/news/secadv/20181029.txt"/>
+ <reported source="Samuel Weiser"/>
+ </issue>
<issue public="20180416">
<impact severity="Low"/>
<cve name="2018-0737"/>
More information about the openssl-commits
mailing list