A flaw was found in OpenSSL versions from 1.1.0 through 1.1.0i inclusive and version 1.1.1. The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. References: https://www.openssl.org/news/secadv/20181029.txt Upstream Patch: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1644357]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3700 https://access.redhat.com/errata/RHSA-2019:3700
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-0735