Opened 6 years ago
Closed 6 years ago
#4335 closed task (fixed)
openssl-1.1.0i
| Reported by: | Bruce Dubbs | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | normal | Milestone: | 8.3 |
| Component: | Book | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New minor version.
Change History (4)
comment:1 by , 6 years ago
| Milestone: | 8.4 → 8.3 |
|---|
follow-up: 3 comment:2 by , 6 years ago
comment:3 by , 6 years ago
Replying to dj@…:
CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:
Note: Low severity
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Reported by Guido Vranken.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:
Note Low severity
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)
I am not convinced that we need to react every low severity upstream issue that comes up during the LFS/BLFS release freeze period. Discuss on lfs-dev.
CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:
CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018: