Bug 1644364 (CVE-2018-0734) - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
Summary: CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-0734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1644655 1644366 1644367 1644368 1644370 1644371 1644964 1648764 1708675 1802266 1802267 1802268
Blocks: 1644372
TreeView+ depends on / blocked
 
Reported: 2018-10-30 16:19 UTC by Laura Pardo
Modified: 2022-03-13 15:54 UTC (History)
43 users (show)

Fixed In Version: openssl 1.1.0j-dev, openssl 1.1.1a-dev, openssl 1.0.2q-dev
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 19:19:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2304 0 None None None 2019-08-06 12:38:36 UTC
Red Hat Product Errata RHSA-2019:3700 0 None None None 2019-11-05 22:05:56 UTC
Red Hat Product Errata RHSA-2019:3932 0 None None None 2019-11-20 16:20:46 UTC
Red Hat Product Errata RHSA-2019:3933 0 None None None 2019-11-20 16:13:12 UTC
Red Hat Product Errata RHSA-2019:3935 0 None None None 2019-11-20 16:08:30 UTC

Description Laura Pardo 2018-10-30 16:19:42 UTC 
A flaw was found in OpenSSL versions from 1.1.0 through 1.1.0i inclusive, from 1.0.2 through 1.0.2p inclusive and version 1.1.1. The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. 


Reference:
https://www.openssl.org/news/secadv/20181030.txt

Upstream Patches:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
https://github.com/openssl/openssl/commit/b96bebacfe814deb99fb64a3ed2296d95c573600
Comment 1 Laura Pardo 2018-10-30 16:22:24 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1644370]
Affects: fedora-all [bug 1644368]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1644366]
Comment 8 errata-xmlrpc 2019-08-06 12:38:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304
Comment 9 Product Security DevOps Team 2019-08-06 19:19:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-0734
Comment 10 errata-xmlrpc 2019-11-05 22:05:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3700 https://access.redhat.com/errata/RHSA-2019:3700
Comment 11 errata-xmlrpc 2019-11-20 16:08:28 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935
Comment 12 errata-xmlrpc 2019-11-20 16:13:05 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933
Comment 13 errata-xmlrpc 2019-11-20 16:20:42 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932
Note You need to log in before you can comment on or make changes to this bug.