Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: openssl timing attack
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 6 Jul 2011 12:51:39 +0200

On Wed, 6 Jul 2011 10:56:46 +0400 Solar Designer wrote:

The fix from the paper was committed in openssl CVS within about a
week from public disclosure:

http://cvs.openssl.org/chngview?cn=20892

However, there were some concerns raised regarding the extra #ifdef
wrapping added as part of the commit, which disable the fix by
default, and the name suggests #ifndef was probably intended:

http://www.mail-archive.com/openssl-dev () openssl org/msg29283.html

This helps.

Are you dealing with the issue for Red Hat products?  Perhaps you
have a Bugzilla entry?

We have bugzilla (as usual, use CVE as a bug id), but not too useful
for other distros, as it only says we're not affected.  All EC crypto is
one of the "patent or otherwise encumbered" code pieces that are removed
and not compiled in.

http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=blob;f=hobble-openssl;h=a8be844f6ba7654b5738ae0e27e192a38797bd74;hb=master

-- 
Tomas Hoger / Red Hat Security Response Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault