Opened 3 years ago

Closed 3 years ago

#4335 closed task (fixed)

openssl-1.1.0i

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: normal Milestone: 8.3
Component: Book Version: SVN
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (4)

comment:1 by DJ Lucas, 3 years ago

Milestone: 8.48.3

comment:2 by DJ Lucas, 3 years ago

CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Reported by Guido Vranken.

Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.

Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

in reply to:  2 comment:3 by Bruce Dubbs, 3 years ago

Replying to dj@…:

CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:

Note: Low severity

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Reported by Guido Vranken.

Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:

Note Low severity

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.

Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h) Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

I am not convinced that we need to react every low severity upstream issue that comes up during the LFS/BLFS release freeze period. Discuss on lfs-dev.

comment:4 by Bruce Dubbs, 3 years ago

Resolution: fixed
Status: newclosed

Fixed at revision 11452.

Note: See TracTickets for help on using tickets.