oss-sec mailing list archives
Re: CVE request: openssl timing attack
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 6 Jul 2011 12:51:39 +0200
On Wed, 6 Jul 2011 10:56:46 +0400 Solar Designer wrote:
The fix from the paper was committed in openssl CVS within about a week from public disclosure: http://cvs.openssl.org/chngview?cn=20892 However, there were some concerns raised regarding the extra #ifdef wrapping added as part of the commit, which disable the fix by default, and the name suggests #ifndef was probably intended: http://www.mail-archive.com/openssl-dev () openssl org/msg29283.htmlThis helps. Are you dealing with the issue for Red Hat products? Perhaps you have a Bugzilla entry?
We have bugzilla (as usual, use CVE as a bug id), but not too useful for other distros, as it only says we're not affected. All EC crypto is one of the "patent or otherwise encumbered" code pieces that are removed and not compiled in. http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=blob;f=hobble-openssl;h=a8be844f6ba7654b5738ae0e27e192a38797bd74;hb=master -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- Re: CVE request: openssl timing attack Solar Designer (Jul 03)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 04)
- Re: CVE request: openssl timing attack Solar Designer (Jul 05)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 06)
- Re: CVE request: openssl timing attack Solar Designer (Jul 09)
- Re: CVE request: openssl timing attack Solar Designer (Jul 05)
- Re: CVE request: openssl timing attack Tomas Hoger (Jul 04)