Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: openssl timing attack
From: Solar Designer <solar () openwall com>
Date: Wed, 6 Jul 2011 10:56:46 +0400

On Mon, Jul 04, 2011 at 09:24:23AM +0200, Tomas Hoger wrote:
On Mon, 4 Jul 2011 02:52:41 +0400 Solar Designer wrote:

Question to OpenSSL developers: is the patch given in Billy Bob
Brumley and Nicola Tuveri's paper "Remote Timing Attacks Are Still
Practical" OK to be used by distros?  Basically, I am interested in
its "review status" by upstream - reviewed and approved, reviewed but
not approved for specific reasons, not sufficiently reviewed.  (The
patch is tiny, but even tiny changes might have non-obvious
implications.)

I'm not part of the group you directed this question too, but as I've
not seen any upstream developer or list in CC...

Yes, I did not CC.  Maybe I should have.  I thought that we had some
OpenSSL folks in here.

The fix from the paper was committed in openssl CVS within about a week
from public disclosure:

http://cvs.openssl.org/chngview?cn=20892

However, there were some concerns raised regarding the extra #ifdef
wrapping added as part of the commit, which disable the fix by default,
and the name suggests #ifndef was probably intended:

http://www.mail-archive.com/openssl-dev () openssl org/msg29283.html

This helps.

Are you dealing with the issue for Red Hat products?  Perhaps you have a
Bugzilla entry?

Thank you!

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]