[openssl-users] OpenSSL 1.0.2: CVE-2018-0735
Misaki Miyashita
misaki.miyashita at oracle.com
Tue Nov 6 22:19:36 UTC 2018
Hi,
According to the vulnerabilities website[1], OpenSSL 1.1.i and earlier
and 1.1.1 are affected by CVE-2018-0735.
Is it safe to assume that OpenSSL 1.0.2 is not affected by the CVE?
Thank you,
-- misaki
[1] https://www.openssl.org/news/vulnerabilities.html
CVE-2018-0735 (OpenSSL advisory) [Low severity] 29 October 2018:
The OpenSSL ECDSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use
variations in the signing algorithm to recover the private key. Reported
by Samuel Weiser.
Fixed in OpenSSL 1.1.1a-dev (git commit) (Affected 1.1.1)
Fixed in OpenSSL 1.1.0j-dev (git commit) (Affected 1.1.0-1.1.0i)
More information about the openssl-users
mailing list