Project

General

Profile

Bug #8813

Bug #8812: openssl: Multiple vulnerabilities (CVE-2018-0737, CVE-2018-0739)

[3.8] openssl: Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Added by Alicha CH 9 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Start date:
04/19/2018
Due date:
% Done:

100%

Estimated time:
Affected versions:
Security IDs:

Description

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
repository.

References:

https://www.openssl.org/news/secadv/20180416.txt
https://nvd.nist.gov/vuln/detail/CVE-2018-0737


Related issues

Copied from Alpine Linux - Bug #8812: openssl: Multiple vulnerabilities (CVE-2018-0737, CVE-2018-0739)Closed2018-04-19

Associated revisions

Revision f528d051 (diff)
Added by Timo Teräs 6 months ago

main/openssl: cherry-pick fix for CVE-2018-0737

fixes #8813

Revision 0c38f925 (diff)
Added by Timo Teräs 2 months ago

main/openssl: cherry-pick fix for CVE-2018-0737

fixes #8813

History

#1 Updated by Alicha CH 9 months ago

  • Copied from Bug #8812: openssl: Multiple vulnerabilities (CVE-2018-0737, CVE-2018-0739) added

#2 Updated by Natanael Copa 7 months ago

  • Target version changed from 3.8.0 to 3.8.1

#3 Updated by Timo Teräs 6 months ago

  • Status changed from New to Resolved

#4 Updated by Timo Teräs 6 months ago

  • Status changed from Resolved to Assigned

It's not included in latest stable release yet. Reopening.

#5 Updated by Timo Teräs 6 months ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100

#6 Updated by Alicha CH 6 months ago

  • Project changed from Alpine Security to Alpine Linux
  • Category set to Security
  • Status changed from Resolved to Closed
  • Security IDs deleted (CVE-2018-0737)

Also available in: Atom PDF