PolarSSL's RSA implementation was found to have a timing bias in its implementation of Montgomery multiplication. It can be used to mount an attack on the RSA key.
Here, a third party can send arbitrary handshake messages to the server. If correctly executed, this attack could reveal the entire private RSA key after a large number of attack messages are sent to show the timing differences.
There is a known workaround: disable CRT (#define POLARSSL_RSA_NO_CRT) in config.h. The code will be much slower but unaffected by this attack; the best option, however, is to upgrade to either 1.2.9 or 1.3.0.
Created polarssl tracking bugs for this issue:
Affects: fedora-all [bug 1015947]
Further improved in 1.2.10 to make it thread-safe:
All fedora versions already had 1.2.9 in testing when this was filed. It would be nice if your automatic tools were a bit smarter.
polarssl-1.2.10-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
polarssl-1.2.10-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.