
ELSA-2018-3221

Published: 05 Nov 2018
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2018-3221: openssl security, bug fix, and enhancement update (MODERATE)

[1.0.2k-16.0.1]

  • sha256 is used for the RSA pairwise consistency test instead of sha1

[1.0.2k-16]

  • fix CVE-2018-0495 - ROHNP - Key Extraction Side Channel on DSA, ECDSA
  • fix incorrect error message on FIPS DSA parameter generation (#1603597)

[1.0.2k-14]

  • ppc64le is not multilib architecture (#1585004)

[1.0.2k-13]

  • add S390x assembler updates
  • make CA name list comparison function case sensitive (#1548401)
  • fix CVE-2017-3735 - possible one byte overread with X.509 IPAddressFamily
  • fix CVE-2018-0732 - large prime DH DoS of TLS client
  • fix CVE-2018-0737 - RSA key generation cache timing vulnerability
  • fix CVE-2018-0739 - stack overflow parsing recursive ASN.1 structure

Updated packages

Oracle Linux 7

Oracle Linux aarch64

  • openssl 1.0.2k-16.0.1.el7
  • openssl-devel 1.0.2k-16.0.1.el7
  • openssl-libs 1.0.2k-16.0.1.el7
  • openssl-perl 1.0.2k-16.0.1.el7
  • openssl-static 1.0.2k-16.0.1.el7

Oracle Linux x86_64

  • openssl 1.0.2k-16.0.1.el7
  • openssl-devel 1.0.2k-16.0.1.el7
  • openssl-libs 1.0.2k-16.0.1.el7
  • openssl-perl 1.0.2k-16.0.1.el7
  • openssl-static 1.0.2k-16.0.1.el7

Related vulnerabilities

CVSS3: 4.7
ubuntu
about 7 years ago

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVSS3: 5.1
redhat
about 7 years ago

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVSS3: 4.7
nvd
about 7 years ago

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

CVSS3: 4.7
debian
about 7 years ago

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache s ...

suse-cvrf
almost 7 years ago

Security update for compat-openssl098