oss-sec mailing list archives
Re: Socat security advisory 7 - Created new 2048bit DH modulus
From: Andreas Stieger <astieger () suse com>
Date: Thu, 4 Feb 2016 11:02:45 +0100
Hello,

On 02.02.2016 20:36, cve-assign () mitre org wrote:
>> In the OpenSSL address implementation the hard coded 1024 bit DH p parameter was not prime. The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p. Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes it possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.
>
> This was sent to the oss-security list as a published advisory, not as a CVE ID request. We would expect that one or more parties (e.g., Linux distributions) are planning to re-announce this to a different audience in a way that would make at least one CVE ID especially useful. Our question is about whether anyone needs two CVE IDs.
SUSE acknowledges that one CVE ID would be useful for the "was not prime" finding, and would not need a second CVE ID. SUSE distributions, except for the openSUSE Tumbleweed rolling community distribution, are not affected: https://bugzilla.suse.com/show_bug.cgi?id=964843

Andreas

--
Andreas Stieger <astieger () suse com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
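As an added example (not part of this thread, the socat advisory, or socat's code), a Python check of the properties the advisory says the old parameters lacked: p must be prime, and should be a safe prime of adequate size; the Fermat helper shows why a weak primality test is not enough. The Carmichael number 561 and the small primes used below are constructed test values, not socat's actual parameters.

```python
import random

def fermat_says_prime(n: int, base: int = 2) -> bool:
    """Weak Fermat test: Carmichael numbers such as 561 pass it despite being composite."""
    return pow(base, n - 1, n) == 1

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin: False is certain (n is composite); True means prime with error <= 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0                 # write n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness: n is composite
    return True

def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Return the problems found with a finite-field DH modulus p and generator g.

    min_bits defaults to the 2048 bits the new socat modulus uses; tests pass a
    smaller value so that constructed toy parameters can be exercised.
    """
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits (want >= {min_bits})")
    if not is_probable_prime(p):
        # A composite p splits the group into subgroups of the factors' sizes,
        # so the key exchange is weaker than a prime of the same length.
        problems.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("(p - 1) / 2 is not prime: p is not a safe prime")
    if not 2 <= g <= p - 2:
        problems.append("g must lie in [2, p - 2]")
    return problems
```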