Bug 1180240 (CVE-2014-3570)
Summary: | CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
---|---
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED ERRATA
Severity: | low
Priority: | low
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Vasyl Kaigorodov <vkaigoro>
Assignee: | Red Hat Product Security <security-response-team>
CC: | carnil, cdewolf, chazlett, chrisw, dandread, darran.lofthouse, erich, grocha, jason.greene, jawilson, jclere, jdoyle, john.haxby, lgao, myarboro, nlevinki, pgier, pslavice, rfortier, rhs-bugs, rsvoboda, ssaha, tmraz, vbellur, vtunka, weli
Keywords: | Security
Fixed In Version: | OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd
Doc Type: | Bug Fix
Doc Text: | It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it.
Last Closed: | 2019-06-08 02:37:39 UTC
Bug Depends On: | 1181013, 1181015, 1181016, 1181017, 1181018, 1182870, 1182871, 1182872
Bug Blocks: | 1180194, 1192260, 1192263, 1212496
Description
Vasyl Kaigorodov
2015-01-08 17:01:01 UTC
Upstream commit that looks to fix the problem: https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0

External References: https://www.openssl.org/news/secadv_20150108.txt

Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1181013]

openssl-1.0.1k-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

openssl-1.0.1e-41.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7. Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html

This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0. Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

This issue has been addressed in the following products: Red Hat JBoss Web Server 2.1.1. Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

Statement: This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates. This issue affects the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
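The following is an added example, not code from this bug report, Red Hat or the OpenSSL project: a triage helper that compares an OpenSSL version string against the releases in the Fixed In Version field, and flags distro packages such as openssl-1.0.1e-41.fc20, where the fix is backported under an older upstream version number. The names `classify` and `letter_rank` and the result labels are hypothetical.

```python
import re

# Upstream fix releases per branch, from the bug's "Fixed In Version" field.
FIXED_UPSTREAM = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}

# Upstream version, optionally followed by a distro release ("-41.fc20").
_VERSION_RE = re.compile(r"^(?:openssl-)?(\d+\.\d+\.\d+)([a-z]*)(-\S+)?$")


def letter_rank(suffix):
    """Order pre-1.1.0 patch letters: '' < a < ... < z < za < zb < ..."""
    return (len(suffix), suffix)


def classify(version):
    """Classify an OpenSSL version string against the CVE-2014-3570 fix.

    Returns one of:
      "fixed-upstream"  - at or above the fixed release of its branch
      "below-fix"       - upstream build older than the fixed release
      "check-errata"    - distro package below the upstream fix level; the
                          fix may be backported, so consult the advisory
      "unknown-branch"  - branch not listed in Fixed In Version
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch, suffix, release = m.groups()
    fixed = FIXED_UPSTREAM.get(branch)
    if fixed is None:
        return "unknown-branch"
    if letter_rank(suffix) >= letter_rank(fixed):
        return "fixed-upstream"
    return "check-errata" if release else "below-fix"


if __name__ == "__main__":
    # Constructed inputs; the two package names are the Fedora builds
    # named in the comments above.
    for v in ("1.0.1j", "1.0.1k", "0.9.8zc", "0.9.8zd", "1.0.0p",
              "openssl-1.0.1k-1.fc21", "openssl-1.0.1e-41.fc20", "1.0.2"):
        print(f"{v:26} {classify(v)}")
```

A "check-errata" result means the version number alone cannot decide; the package's advisory (for example RHSA-2015:0066 for Red Hat Enterprise Linux 6 and 7) is the authority.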