The branch master has been updated
via 54c39f92bbaae5b32b84c8b632c4daf2d7ad6132 (commit)
via c84f2126b736207c23b1984cbc07d496c22ca85d (commit)
from 43a3ec6622d22e8fb33324d50bd4aa4944e9e5fb (commit)
- Log -----------------------------------------------------------------
commit 54c39f92bbaae5b32b84c8b632c4daf2d7ad6132
Merge: c84f212 43a3ec6
Author: Pauli <paul.d...@oracle.com>
Date: Tue Oct 30 07:00:24 2018 +1000
Merge branch 'master' of git.openssl.org:openssl-web
commit c84f2126b736207c23b1984cbc07d496c22ca85d
Author: Pauli <paul.d...@oracle.com>
Date: Tue Oct 30 07:00:08 2018 +1000
Add CVE-2018-0734
-----------------------------------------------------------------------
Summary of changes:
news/newsflash.txt | 3 ++-
news/secadv/20181030.pdf | 32 +++++++++++++++++++++++++++++
news/vulnerabilities.xml | 52 +++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 85 insertions(+), 2 deletions(-)
create mode 100644 news/secadv/20181030.pdf
diff --git a/news/newsflash.txt b/news/newsflash.txt
index 311c39b..2c05c1a 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,7 +4,8 @@
# Format is two fields, colon-separated; the first line is the column
# headings. URL paths must all be absolute.
Date: Item
-29-Oct-2018: <a href="/news/secadv/20181029.txt">Security Advisory</a>: one
low severity fix
+29-Oct-2018: <a href="/news/secadv/20181030.txt">Security Advisory</a>: one
low severity fix in DSA
+29-Oct-2018: <a href="/news/secadv/20181029.txt">Security Advisory</a>: one
low severity fix in ECDSA
11-Sep-2018: Final version of OpenSSL 1.1.1 (LTS) is now available: please
download and upgrade!
21-Aug-2018: Beta 7 of OpenSSL 1.1.1 (pre release 9) is now available: please
download and test it
14-Aug-2018: OpenSSL 1.1.0i is now available, including bug and security fixes
diff --git a/news/secadv/20181030.pdf b/news/secadv/20181030.pdf
new file mode 100644
index 0000000..b33ac41
--- /dev/null
+++ b/news/secadv/20181030.pdf
@@ -0,0 +1,32 @@
+OpenSSL Security Advisory [30 October 2018]
+===========================================
+
+Timing vulnerability in DSA signature generation (CVE-2018-0734)
+================================================================
+
+Severity: Low
+
+The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+timing side channel attack. An attacker could use variations in the signing
+algorithm to recover the private key.
+
+Due to the low severity of this issue we are not issuing a new release
+of OpenSSL 1.1.1, 1.1.0 or 1.0.2 at this time. The fix will be included
+in OpenSSL 1.1.1a, OpenSSL 1.1.0j and OpenSSL 1.0.2q when they become
+available. The fix is also available in commit 8abfe72e8c (for 1.1.1),
+ef11e19d13 (for 1.1.0) and commit 43e6a58d49 (for 1.0.2) in the OpenSSL
+git repository.
+
+This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+
+References
+==========
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20181030.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index 52cc185..97ec427 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -7,7 +7,57 @@
<!-- The updated attribute should be the same as the first public issue,
unless an old entry was updated. -->
-<security updated="20181029">
+<security updated="20181030">
+ <issue public="20181030">
+ <impact severity="Low"/>
+ <cve name="2018-0734"/>
+ <affects base="1.1.1" version="1.1.1"/>
+ <affects base="1.1.0" version="1.1.0"/>
+ <affects base="1.1.0" version="1.1.0a"/>
+ <affects base="1.1.0" version="1.1.0b"/>
+ <affects base="1.1.0" version="1.1.0c"/>
+ <affects base="1.1.0" version="1.1.0d"/>
+ <affects base="1.1.0" version="1.1.0e"/>
+ <affects base="1.1.0" version="1.1.0f"/>
+ <affects base="1.1.0" version="1.1.0g"/>
+ <affects base="1.1.0" version="1.1.0h"/>
+ <affects base="1.1.0" version="1.1.0i"/>
+ <affects base="1.0.2" version="1.0.2"/>
+ <affects base="1.0.2" version="1.0.2a"/>
+ <affects base="1.0.2" version="1.0.2b"/>
+ <affects base="1.0.2" version="1.0.2c"/>
+ <affects base="1.0.2" version="1.0.2d"/>
+ <affects base="1.0.2" version="1.0.2e"/>
+ <affects base="1.0.2" version="1.0.2f"/>
+ <affects base="1.0.2" version="1.0.2g"/>
+ <affects base="1.0.2" version="1.0.2h"/>
+ <affects base="1.0.2" version="1.0.2i"/>
+ <affects base="1.0.2" version="1.0.2j"/>
+ <affects base="1.0.2" version="1.0.2k"/>
+ <affects base="1.0.2" version="1.0.2l"/>
+ <affects base="1.0.2" version="1.0.2m"/>
+ <affects base="1.0.2" version="1.0.2n"/>
+ <affects base="1.0.2" version="1.0.2o"/>
+ <affects base="1.0.2" version="1.0.2p"/>
+ <fixed base="1.1.1" version="1.1.1a-dev" date="20181029">
+ <git hash="8abfe72e8c1de1b95f50aa0d9134803b4d00070f"/>
+ </fixed>
+ <fixed base="1.1.0" version="1.1.0j-dev" date="20181029">
+ <git hash="ef11e19d1365eea2b1851e6f540a0bf365d303e7"/>
+ </fixed>
+ <fixed base="1.0.2" version="1.0.2q-dev" date="20181030">
+ <git hash="43e6a58d4991a451daf4891ff05a48735df871ac"/>
+ </fixed>
+ <problemtype>Constant time issue</problemtype>
+ <title>Timing attack against DSA</title>
+ <description>
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable
+ to a timing side channel attack. An attacker could use variations
+ in the signing algorithm to recover the private key.
+ </description>
+ <advisory url="/news/secadv/20181030.txt"/>
+ <reported source="Samuel Weiser"/>
+ </issue>
<issue public="20181029">
<impact severity="Low"/>
<cve name="2018-0735"/>
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
