Overview

File _patchinfo of Package patchinfo.8332

<patchinfo incident="8332">
  <issue tracker="bnc" id="1087102">VUL-0: CVE-2018-0739: openssl1,openssl,compat-openssl097g,compat-openssl098: Limit ASN.1 constructed types recursive definition depth</issue>
  <issue tracker="bnc" id="1097624">VUL-1: openssl,openssl1,openssl-1_1,openssl-1_0_2: blinding enhancements for ECDSA</issue>
  <issue tracker="bnc" id="1097158">VUL-0: CVE-2018-0732: openssl1,openssl,compat-openssl098: Reject excessively large primes in DH key generation.</issue>
  <issue tracker="bnc" id="1089039">VUL-1: CVE-2018-0737: openssl side channel attacks against RSA keygeneration</issue>
  <issue tracker="bnc" id="1098592">VUL-1: openssl,openssl1,openssl-1_1,openssl-1_0_2: blinding enhancements for DSA</issue>
  <issue tracker="cve" id="2018-0739"/>
  <issue tracker="cve" id="2018-0732"/>
  <issue tracker="cve" id="2018-0737"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>vitezslav_cizek</packager>
  <description>This update for compat-openssl098 fixes the following security issues:

- CVE-2018-0732: During key agreement in a TLS handshake using a DH(E) based
  ciphersuite a malicious server could have sent a very large prime value to the
  client. This caused the client to spend an unreasonably long period of time
  generating a key for this prime resulting in a hang until the client has
  finished. This could be exploited in a Denial Of Service attack (bsc#1097158)
- Blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
- CVE-2018-0737: The RSA Key generation algorithm has been shown to be
  vulnerable to a cache timing side channel attack. An attacker with sufficient
  access to mount cache timing attacks during the RSA key generation process
  could have recovered the private key (bsc#1089039)
- CVE-2018-0739: Constructed ASN.1 types with a recursive definition (such as
  can be found in PKCS7) could eventually exceed the stack given malicious input
  with excessive recursion. This could have resulted in DoS (bsc#1087102).
</description>
  <summary>Security update for compat-openssl098</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places