OpenSSL 1.1.0i and 1.0.2p

wattie

Verified User
Joined
May 31, 2008
Messages
1,234
Location
Bulgaria
The changes contain few low severity security fixes:

CVE-2018-0732 (OpenSSL advisory) [Low severity] 12 June 2018:
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Reported by Guido Vranken.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

and

CVE-2018-0737 (OpenSSL advisory) [Low severity] 16 April 2018:
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
Fixed in OpenSSL 1.1.0i (git commit) (Affected 1.1.0-1.1.0h)
Fixed in OpenSSL 1.0.2p (git commit) (Affected 1.0.2-1.0.2o)

https://www.openssl.org/news/vulnerabilities.html#2018-0732
 
Last edited:
Back
Top