Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20110706125139.3e4b6d0f@redhat.com>
Date: Wed, 6 Jul 2011 12:51:39 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: openssl timing attack

On Wed, 6 Jul 2011 10:56:46 +0400 Solar Designer wrote:

> > The fix from the paper was committed in openssl CVS within about a
> > week from public disclosure:
> > 
> > http://cvs.openssl.org/chngview?cn=20892
> > 
> > However, there were some concerns raised regarding the extra #ifdef
> > wrapping added as part of the commit, which disable the fix by
> > default, and the name suggests #ifndef was probably intended:
> > 
> > http://www.mail-archive.com/openssl-dev@openssl.org/msg29283.html
> 
> This helps.
> 
> Are you dealing with the issue for Red Hat products?  Perhaps you
> have a Bugzilla entry?

We have bugzilla (as usual, use CVE as a bug id), but not too useful
for other distros, as it only says we're not affected.  All EC crypto is
one of the "patent or otherwise encumbered" code pieces that are removed
and not compiled in.

http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=blob;f=hobble-openssl;h=a8be844f6ba7654b5738ae0e27e192a38797bd74;hb=master

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.