Clarification regarding CVE-2016-2178 for openssl 1.0.2 i and 1.0.2 j

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

1)
In openssl1.0.2i, the release note says, there is a fix for CVE-2016-2178:

"
  *) Constant time flag not preserved in DSA signing

     Operations in the DSA signing algorithm should run in constant time in
     order to avoid side channel attacks. A flaw in the OpenSSL DSA
     implementation means that a non-constant time codepath is followed for
     certain operations. This has been demonstrated through a cache-timing
     attack to be sufficient for an attacker to recover the private DSA key.

     This issue was reported by C?sar Pereida (Aalto University), Billy
Brumley
     (Tampere University of Technology), and Yuval Yarom (The University of
     Adelaide and NICTA).
     (CVE-2016-2178)
     [C?sar Pereida]
"

2)
And the related code diff in git is:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=399944622df7bd81af62e67ea967c470534090e2

3)
But when i download the source code (1.0.2i and 1.0.2j), i cannot see those
fixes.

Could you please clarify a bit about this. Is this intended or i just need
to apply the patches myself ?

Regards,
Sanjaya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161025/bd674e76/attachment.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux