oss-sec mailing list archives
Re: CVE request: openssl timing attack
From: Solar Designer <solar () openwall com>
Date: Wed, 6 Jul 2011 10:56:46 +0400
On Mon, Jul 04, 2011 at 09:24:23AM +0200, Tomas Hoger wrote:
On Mon, 4 Jul 2011 02:52:41 +0400 Solar Designer wrote:Question to OpenSSL developers: is the patch given in Billy Bob Brumley and Nicola Tuveri's paper "Remote Timing Attacks Are Still Practical" OK to be used by distros? Basically, I am interested in its "review status" by upstream - reviewed and approved, reviewed but not approved for specific reasons, not sufficiently reviewed. (The patch is tiny, but even tiny changes might have non-obvious implications.)I'm not part of the group you directed this question too, but as I've not seen any upstream developer or list in CC...
Yes, I did not CC. Maybe I should have. I thought that we had some OpenSSL folks in here.
The fix from the paper was committed in openssl CVS within about a week from public disclosure: http://cvs.openssl.org/chngview?cn=20892 However, there were some concerns raised regarding the extra #ifdef wrapping added as part of the commit, which disable the fix by default, and the name suggests #ifndef was probably intended: http://www.mail-archive.com/openssl-dev () openssl org/msg29283.html
This helps. Are you dealing with the issue for Red Hat products? Perhaps you have a Bugzilla entry? Thank you! Alexander
Current thread:
- Re: CVE request: openssl timing attack Solar Designer (Jul 03)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 04)
- Re: CVE request: openssl timing attack Solar Designer (Jul 05)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 06)
- Re: CVE request: openssl timing attack Solar Designer (Jul 09)
- Re: CVE request: openssl timing attack Solar Designer (Jul 05)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 04)