FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- Multiple vulnerabilities in 1.1 branch

Affected packages
openssl-devel < 1.1.0i_1
openssl111 < 1.1.1_2
2.8.0 <= libressl < 2.8.3
2.8.0 <= libressl-devel < 2.8.3

Details

VuXML ID: 238ae7de-dba2-11e8-b713-b499baebfeaf
Discovery: 2018-10-29
Entry: 2018-10-29
Modified: 2018-11-10

The OpenSSL project reports:

Timing vulnerability in ECDSA signature generation (CVE-2018-0735): The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key (Low).

Timing vulnerability in DSA signature generation (CVE-2018-0734): Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack (Low).

References

CVE Name: CVE-2018-0734
CVE Name: CVE-2018-0735
URL: https://github.com/openssl/openssl/commit/8abfe72e
URL: https://www.openssl.org/news/secadv/20181029.txt