+++ This bug was initially created as a clone of Bug #245732 +++ The OpenSSL team made the following commit publically to the 0.9.8 head: http://cvs.openssl.org/chngview?cn=16275 This is a possible weakness in OpenSSL which could allow a local user in certain circumstances to divulge information about private keys being used. For example if a server has a SSL web server on it, a local unprivileged user may be able to get hold of the key. I'm not sure in practice how possible this would be; it would rely on a system that isn't doing much else that could interfere with some spy process designed to figure out this information (and probably won't be possible if you have a server handling a lot of traffic, has more than one key, lots of local processes, and so on). It's similar to previous issues and is rated severity=moderate I'm not sure if the OpenSSL team plan to upgrade older versions of OpenSSL or when this will be announced publicly. Please treat as embargoed for now. -- Additional comment from mitr on 2007-07-16 11:55 EST -- Created an attachment (id=159339) Proposed patch for 0.9.7a -- Additional comment from mitr on 2007-07-16 17:53 EST -- Created an attachment (id=159381) Proposed patch for 0.9.6b -- Additional comment from mjc on 2007-08-02 06:08 EST -- removing embargo, CERT published http://www.kb.cert.org/vuls/id/724968 see also http://openssl.org/news/patch-CVE-2007-3108.txt -- Additional comment from mjc on 2007-08-02 06:11 EST -- Because this change has not been tested in a full upstream OpenSSL release there is some risk that it may introduce unexpected side-effects. Given this issue is not serious, our current plan is as follows: - To include the backported fix in an OpenSSL update ready for RHEL 4.6. This will get testing via beta and give time for more extensive internal testing - To release an async update for OpenSSL for other RHEL platforms at the same time as RHEL4.6 is released
*** This bug has been marked as a duplicate of 250580 ***