Timing vulnerability in DSA signature generation (CVE-2018-0734)
================================================================
Severity: Low
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
Due to the low severity of this issue we are not issuing a new release
of OpenSSL 1.1.1, 1.1.0 or 1.0.2 at this time. The fix will be included
in OpenSSL 1.1.1a, OpenSSL 1.1.0j and OpenSSL 1.0.2q when they become
available. The fix is also available in commit 8abfe72e8c (for 1.1.1),
ef11e19d13 (for 1.1.0) and commit 43e6a58d49 (for 1.0.2) in the OpenSSL
git repository.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181030.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html <https://www.openssl.org/policies/secpolicy.html>
Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2 owGlVGtsFFUU3j4kMHRThCYEELyQCm3ZZ7cvCkUXlodSaNltEaSF3s7c3Rk6O3eZ
me2wWOWRtipSqaFQEBAt8ggEtVSKUiQQEaxEQXkUKAjlIZZHKVVIsJh4Z7pLiz9M
jDubzJ17znzn+8755lbqI3S9w9qbpw8/fMppDTt+q1A3t8n/eQ7n5QQPKPbzAhJh
IcdzcgBwAnC47EDiPAKU/SICHqRGZQ4LIG7irEnGRIs1zWhJtSXF66mM//nTU0BP
uVAxEknpdJCJFW0nh0Ugy4cElyvzH2Qg78Ekl/UCFkqgECEBSCxWBCBj8vRECo/U
Dain5C6JEscgQLNQEBAPoCxDusgE7EJwiURAYz/PAL9EIKDIaWoltRUyYaJWJyB6
qrs4ARcRjQlvLcMncsVQRqAIBUyaAIdfI6DGeKwAKagQYDfZ4wiyJJEMheghmgQs
axsqUQgEpBBsHkEJ6SmSH+qD1UQug3azACyShcWUSAR0ARKdyATUvrm5RUDheF5t
ByfQvJ9BjJ4iUp4Cgoanni0LABSYHlsEeyFQWKR1IECwaOwlfGAx5Hi1vd21SHHI
S6TZoZDaNpLt5WSQBgvdKDURpdEgzq1xJle8QU8ht9WKrGMYq607YInXOARfTbKh
FJicxiSNCWUQSvGhkQSJ6ikPSRWRD0ucjMVg83N6dJiYRA2LMmLUgYQEEi9bU2QW
ZNEyLiRDVD0NCgPABb1+4pBXESchsQvNidxIRAKNpJ5210K5zkygctMm4EK0X5ux
nSnmJEImXU+xsuyT0s1mRVFMmJSWJN6ERY+ZzFgyS4iGTLFZLW212CwmeZGsoc7A
MkrXVGKB5wTiSCRK6tenmYdYJogPvFAdDPD7GKjKU4gzSZDhVPNCHjBIJhMhrLts
qhpEw59MGB8qCEZBD4c9cSnNQ0ni3Bwd/A58mhtJHP2LJh/mOZpDmi5tHTCxspcH
4/7jC+OBxpL8s6Gf5/SU0UjWWSKkeWJAhwjUbeCAxGglYKIY8MnYI0IfSzSWgBlI
VrBY1D2MkWCSQKtJagMJJItJQ0enWEEqsFls5JZoTQ2hA7tfkkXIc+TcAO+EPxep
C+ut6/VMuHpU6qg+/ULn5+N70Y+j+lWuPFFfv3VnR+ydNvn7BuNiZppp5qOpytsv
dxTZyyOX13x897uduWt2Xq5/ccINV0ZceEHDVbFyx7bzx6rfYHJbBsyPBZ0j4w7U
Xg6PnLNw3wZzY1TM7YJ555K/eeDsXdJ/q27jlb5jseXi/Y6Mt/JMB2uMRdKttXtG
n//MsKrk9B8FWa1U1keXTj2y39V9vX/28gGrGsfsurNp4xex7KOqptboHMdiHlyq
s+3ZPHzfjCUroLO67MvM9rKfA5uyJ9qGrIsurWialbnDvf/H/Pdf6uyztPWIcXPY
uxsmiGej7g9aPWp0xoq9+bveq+i8Oflk9Q9VK2L61rKzY/JeH5LvPlbnzvsp1jgq
e430uHbKhG/bq9ZPP3ArwdZ25mFt0tznqZw+eCAcVtpyIdxnoE7v2sJUJiRfwW8O
Przl3gtO8UjOgbas+jNjP4mxrj2uNNyYEzHCXXezPL/loX3l7311Z8Vq5y/nfru6
yV1f4ZvuHTSt2Tgs8VO2ctzA/rVFEWUXI6p/NQyu2F4W3XRt37ENSzvm8MuTbzfY
Fh3EzzZc+qv1+itLpuz5oH3mqqXNkVtLdLsf1kZtnLqs+c91pvmZ/hrdA8OCxpM1
WRWrz+5tdpe3DC2lxl24OHTEMsfhlFkJjeOvxc9bb9zeWNpYZ9/RfvS1rxznK2q2
3anPjumEebkR5vEfnqi6ktCr39Hd1+MPTdO1/Q0=
=VVHo
-----END PGP MESSAGE----- |
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
