Bug 1644364 (CVE-2018-0734) - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
Status: CLOSED ERRATA
Alias: CVE-2018-0734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1644368 1644655 1644366 1644367 1644370 1644371 1644964 1648764 1708675 1802266 1802267 1802268
Blocks: 1644372
Reported: 2018-10-30 16:19 UTC by Laura Pardo
Modified: 2020-02-12 18:31 UTC

Fixed In Version: openssl 1.1.0j-dev, openssl 1.1.1a-dev, openssl 1.0.2q-dev
Last Closed: 2019-08-06 19:19:59 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2304 None None None 2019-08-06 12:38:36 UTC
Red Hat Product Errata RHSA-2019:3700 None None None 2019-11-05 22:05:56 UTC
Red Hat Product Errata RHSA-2019:3932 None None None 2019-11-20 16:20:46 UTC
Red Hat Product Errata RHSA-2019:3933 None None None 2019-11-20 16:13:12 UTC
Red Hat Product Errata RHSA-2019:3935 None None None 2019-11-20 16:08:30 UTC

Description Laura Pardo 2018-10-30 16:19:42 UTC
A flaw was found in OpenSSL versions from 1.1.0 through 1.1.0i inclusive, from 1.0.2 through 1.0.2p inclusive and version 1.1.1. The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. 


Reference:
https://www.openssl.org/news/secadv/20181030.txt

Upstream Patches:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
https://github.com/openssl/openssl/commit/b96bebacfe814deb99fb64a3ed2296d95c573600

Comment 1 Laura Pardo 2018-10-30 16:22:24 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1644370]
Affects: fedora-all [bug 1644368]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1644366]

Comment 8 errata-xmlrpc 2019-08-06 12:38:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304

Comment 9 Product Security DevOps Team 2019-08-06 19:19:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-0734

Comment 10 errata-xmlrpc 2019-11-05 22:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3700 https://access.redhat.com/errata/RHSA-2019:3700

Comment 11 errata-xmlrpc 2019-11-20 16:08:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 12 errata-xmlrpc 2019-11-20 16:13:05 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 13 errata-xmlrpc 2019-11-20 16:20:42 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

