Bug 245732 (CVE-2007-3108)
| Field | Value |
|---|---|
| Summary | CVE-2007-3108 openssl: RSA side-channel attack |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Mark J. Cox <mjc> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | kengert, kreilly, mitr, smithj, tmraz |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2013-04-04 21:55:46 UTC |
| Bug Depends On | 250574, 250576, 250577, 250578, 250579, 250580, 250581, 322891 |

Description
Mark J. Cox
2007-06-26 11:42:06 UTC
Created attachment 159337: Proposed patch for 0.9.8b

Created attachment 159339: Proposed patch for 0.9.7a

Created attachment 159381: Proposed patch for 0.9.6 and 0.9.6b

Created attachment 159391: Proposed patch for 0.9.5a

removing embargo, CERT published http://www.kb.cert.org/vuls/id/724968

see also http://openssl.org/news/patch-CVE-2007-3108.txt

Because this change has not been tested in a full upstream OpenSSL release there is some risk that it may introduce unexpected side-effects. Given this issue is not serious, our current plan is as follows:

- To include the backported fix in an OpenSSL update ready for RHEL 4.6. This will get testing via beta and give time for more extensive internal testing
- To release an async update for OpenSSL for other RHEL platforms at the same time as RHEL4.6 is released

This was fixed in Red Hat Enterprise Linux via:

- Red Hat Enterprise Linux version 2.1: RHSA-2007:0813
- Red Hat Enterprise Linux version 3: RHSA-2007:0813
- Red Hat Enterprise Linux version 4: RHSA-2007:1003
- Red Hat Enterprise Linux version 5: RHSA-2007:0964

Statement:

(none)