[Buildroot] [PATCH] libopenssl: security bump to version 1.0.2q

Peter Korsgaard peter at korsgaard.com
Mon Dec 3 22:03:44 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 >   *) Microarchitecture timing vulnerability in ECC scalar multiplication

 >      OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
 >      shown to be vulnerable to a microarchitecture timing side channel attack.
 >      An attacker with sufficient access to mount local timing attacks during
 >      ECDSA signature generation could recover the private key.

 >      This issue was reported to OpenSSL on 26th October 2018 by Alejandro
 >      Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
 >      Nicola Tuveri.
 >      (CVE-2018-5407)
 >      [Billy Brumley]

 >   *) Timing vulnerability in DSA signature generation

 >      The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
 >      timing side channel attack. An attacker could use variations in the signing
 >      algorithm to recover the private key.

 >      This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
 >      (CVE-2018-0734)
 >      [Paul Dale]

 > For more information, see the changelog:
 > https://www.openssl.org/news/cl102.txt

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.08.x, thanks.

-- 
Bye, Peter Korsgaard

