Joined: 12 May 2004
|Posted: Wed Dec 07, 2016 11:26 am Post subject: [ GLSA 201612-16 ] OpenSSL
|Gentoo Linux Security Advisory
Title: OpenSSL: Multiple vulnerabilities (GLSA 201612-16)
Exploitable: local, remote
Date: December 07, 2016
Bug(s): #581234, #585142, #585276, #591454, #592068, #592074, #592082, #594500, #595186
Multiple vulnerabilities have been found in OpenSSL, the worst of
which allows attackers to conduct a time based side-channel attack.
OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.
Vulnerable: < 1.0.2j
Unaffected: >= 1.0.2j
Architectures: All supported architectures
Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers and the International Association for Cryptologic
Research’s (IACR) paper, “Make Sure DSA Signing Exponentiations
Really are Constant-Time” for further details.
Remote attackers could cause a Denial of Service condition or have other
unspecified impacts. Additionally, a time based side-channel attack may
allow a local attacker to recover a private DSA key.
There is no known workaround at this time.
All OpenSSL users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/openssl-1.0.2j"
Make Sure DSA Signing
Exponentiations Really are Constant-Time
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum