[openssl-commits] [web] master update

Paul I. Dale pauli at openssl.org
Sun Oct 28 23:06:15 UTC 2018


The branch master has been updated
       via  6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4 (commit)
       via  911cdb11d835a00d901d3e9c1a728ed2613f84a6 (commit)
      from  fbf24147cb7b9e04c40ef0d14f76dc85d59a8413 (commit)


- Log -----------------------------------------------------------------
commit 6e45814cbe2c0d6d40b7b24a7d5f238faafb4bd4
Merge: 911cdb1 fbf2414
Author: Pauli <paul.dale at oracle.com>
Date:   Mon Oct 29 09:06:01 2018 +1000

    Merge branch 'master' of git.openssl.org:openssl-web

commit 911cdb11d835a00d901d3e9c1a728ed2613f84a6
Author: Pauli <paul.dale at oracle.com>
Date:   Mon Oct 29 09:03:42 2018 +1000

    Update for ECDSA vulnerability CVE-2018-0735

-----------------------------------------------------------------------

Summary of changes:
 news/newsflash.txt       |  1 +
 news/secadv/20181029.txt | 31 +++++++++++++++++++++++++++++++
 news/vulnerabilities.xml | 24 ++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 news/secadv/20181029.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 1a0f0fb..311c39b 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+29-Oct-2018: <a href="/news/secadv/20181029.txt">Security Advisory</a>: one low severity fix
 11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please download and upgrade!
 21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please download and test it
 14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes
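
Review bot: the added newsflash line says "one low severity fix", but the advisory added in this same commit states that no new 1.1.1 or 1.1.0 release is being issued and that the fix is only available in git for now. A reader skimming the news page may take "fix" to mean a fixed release can be downloaded; consider "one low severity issue" or similar wording.
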
diff --git a/news/secadv/20181029.txt b/news/secadv/20181029.txt
new file mode 100644
index 0000000..2194ef0
--- /dev/null
+++ b/news/secadv/20181029.txt
@@ -0,0 +1,31 @@
+OpenSSL Security Advisory [29 October 2018]
+===========================================
+
+Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+==================================================================
+
+Severity: Low
+
+The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+timing side channel attack. An attacker could use variations in the signing
+algorithm to recover the private key.
+
+Due to the low severity of this issue we are not issuing a new release
+of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in
+OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix
+is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28
+(for 1.1.0) in the OpenSSL git repository.
+
+This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20181029.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
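
Review bot: the advisory body never states which versions are affected. It names the releases that will carry the fix (1.1.1a and 1.1.0j), but the affected range appears only in the vulnerabilities.xml entry from this commit (1.1.1, and 1.1.0 through 1.1.0i). Add an explicit affected-versions sentence after the description paragraph so the text file stands on its own. In the same paragraph, "variations in the signing algorithm" would read more clearly as timing variations, matching the title.
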
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 6ef9c56..a2a2de0 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -54,6 +54,30 @@
     <advisory url="/news/secadv/20180612.txt"/>
     <reported source="Guido Vranken"/>
   </issue>
+  <issue public="20181029">
+    <impact severity="Low"/>
+    <cve name="2018-0735"/>
+    <affects base="1.1.1" version="1.1.1"/>
+    <affects base="1.1.0" version="1.1.0"/>
+    <affects base="1.1.0" version="1.1.0a"/>
+    <affects base="1.1.0" version="1.1.0b"/>
+    <affects base="1.1.0" version="1.1.0c"/>
+    <affects base="1.1.0" version="1.1.0d"/>
+    <affects base="1.1.0" version="1.1.0e"/>
+    <affects base="1.1.0" version="1.1.0f"/>
+    <affects base="1.1.0" version="1.1.0g"/>
+    <affects base="1.1.0" version="1.1.0h"/>
+    <affects base="1.1.0" version="1.1.0i"/>
+    <problemtype>Constant time issue</problemtype>
+    <title>Timing attack against ECDSA signature generation</title>
+    <description>
+      The OpenSSL ECDSA signature algorithm has been shown to be
+      vulnerable to a timing side channel attack. An attacker could use
+      variations in the signing algorithm to recover the private key.
+    </description>
+    <advisory url="/news/secadv/20181029.txt"/>
+    <reported source="Samuel Weiser"/>
+  </issue>
   <issue public="20180416">
     <impact severity="Low"/>
     <cve name="2018-0737"/>
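
Review bot: the new issue block with public="20181029" is inserted between the entry that references the 20180612 advisory and the entry with public="20180416", so the visible dates now run 20180612, 20181029, 20180416. If the file is meant to be ordered by publication date, move the block above the 20180612 entry. The entry also carries no pointer to the fix commits the advisory names (b1d6d55ece and 56fb454d28); worth recording them if the format has a place for that.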

