OpenSSL 1.0.2: CVE-2018-0735

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSSL 1.0.2: CVE-2018-0735

Misaki Miyashita
Hi,

According to the vulnerabilities website[1], OpenSSL 1.1.i and earlier
and 1.1.1 are affected by CVE-2018-0735.
Is it safe to assume that OpenSSL 1.0.2 is not affected by the CVE?

Thank you,

-- misaki

[1] https://www.openssl.org/news/vulnerabilities.html

CVE-2018-0735 (OpenSSL advisory) [Low severity] 29 October 2018:
     The OpenSSL ECDSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use
variations in the signing algorithm to recover the private key. Reported
by Samuel Weiser.

         Fixed in OpenSSL 1.1.1a-dev (git commit) (Affected 1.1.1)
         Fixed in OpenSSL 1.1.0j-dev (git commit) (Affected 1.1.0-1.1.0i)

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: OpenSSL 1.0.2: CVE-2018-0735

Kurt Roeckx
On Tue, Nov 06, 2018 at 04:19:36PM -0600, Misaki Miyashita wrote:
> Hi,
>
> According to the vulnerabilities website[1], OpenSSL 1.1.i and earlier and
> 1.1.1 are affected by CVE-2018-0735.
> Is it safe to assume that OpenSSL 1.0.2 is not affected by the CVE?

My understanding is that the code was not present in 1.0.2. To
address CVE-2018-5407, that code was backported to 1.0.2, but the
fixed version was used.


Kurt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users