[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Tue, 20 Nov 2018 03:57:01 -0800 

The branch OpenSSL_1_1_0-stable has been updated
       via  503c18583a1c8910ad42d4426290f0a61daae7a6 (commit)
      from  b1aec9e84e2d36b0c4b45633d5343a39cb1ac25f (commit)


- Log -----------------------------------------------------------------
commit 503c18583a1c8910ad42d4426290f0a61daae7a6
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 20 10:52:53 2018 +0000

    Update CHANGES and NEWS for new release
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    Reviewed-by: Nicola Tuveri <nic....@gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/7666)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES | 20 ++++++++++++++++++++
 NEWS    |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 28b9938..cb2e6b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,26 @@
 
  Changes between 1.1.0i and 1.1.0j [xx XXX xxxx]
 
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the 
signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the 
signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+     (CVE-2018-0735)
+     [Paul Dale]
+
   *) Add coordinate blinding for EC_POINT and implement projective
      coordinate blinding for generic prime curves as a countermeasure to
      chosen point SCA attacks.
diff --git a/NEWS b/NEWS
index ca3ed49..88a0be4 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
 
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [under development]
 
-      o
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+      o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
 
   Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]
 
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to