From 5ca47910a7b5b7fd19422ed6311a391d68c56e95 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 20 Nov 2018 16:28:52 +0000 Subject: [PATCH] openssl-compat: Update to 1.0.2q *) Microarchitecture timing vulnerability in ECC scalar multiplication OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. (CVE-2018-5407) [Billy Brumley] *) Timing vulnerability in DSA signature generation The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. (CVE-2018-0734) [Paul Dale] *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode. [Nicola Tuveri] Signed-off-by: Michael Tremer --- lfs/openssl-compat | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssl-compat b/lfs/openssl-compat index 1dcb829e50..062f85fdbc 100644 --- a/lfs/openssl-compat +++ b/lfs/openssl-compat @@ -24,7 +24,7 @@ include Config -VER = 1.0.2p +VER = 1.0.2q THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -84,7 +84,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ac5eb30bf5798aa14b1ae6d0e7da58df +$(DL_FILE)_MD5 = 7563e1ce046cb21948eeb6ba1a0eb71c install : $(TARGET) -- 2.39.2