Bug 1080276 (CVE-2014-0076)
Summary: | CVE-2014-0076 openssl: ECDSA nonces susceptible to Yarom/Benger flush+reload cache side-channel attack | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | Keywords: | Security |
Severity: | medium | Priority: | medium |
Version: | unspecified | CC: | erik-fedora, jkurik, ktietz, lfarkas, pfrields, rjones, tmraz, vdanen |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2014-03-25 09:16:37 UTC |
Bug Depends On: | 1080277 | Bug Blocks: | 1080278 |

Description
Murray McAllister
2014-03-25 04:12:43 UTC

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1080277]

Some initial discussion at: http://marc.info/?l=openssl-dev&m=139356963720432&w=2

We do not ship support for GF2m EC curves in RHEL and Fedora so we are not affected by this concrete issue. However note that there are probably similar side-channel attacks against the GFp EC curves implementations which we ship since RHEL-6.5. There is no upstream fix for these though.

Version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5 is not vulnerable, because it does not have support for ECC.

Version of openssl and openssl098e as shipped with Red Hat Enterprise Linux 6 is not vulnerable, because we do NOT ship support for the GF2m EC curve as mentioned in comment #6

Statement:

Not vulnerable. This issue does not affect the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of openssl and openssl098e as shipped with Red Hat Enterprise Linux 6 or 7. This issue does not affect the version of openssl and mingw-openssl as shipped with Fedora 19 and Fedora 20. This issue does not affect the version of mingw32-openssl as shipped with EPEL-5.