CVE-2018-0737 (https://nvd.nist.gov/vuln/detail/CVE-2018-0737): The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30945a68d3d4c98433363ed73475b8233ac02118 commit 30945a68d3d4c98433363ed73475b8233ac02118 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-04-17 20:50:09 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-04-17 20:50:30 +0000 dev-libs/openssl: Rev bump to add patch for CVE-2018-0737 Bug: https://bugs.gentoo.org/653434 Package-Manager: Portage-2.3.28, Repoman-2.3.9 dev-libs/openssl/Manifest | 1 + .../files/openssl-1.1.0h-CVE-2018-0737.patch | 31 +++ dev-libs/openssl/openssl-1.0.2o-r1.ebuild | 251 ++++++++++++++++++ dev-libs/openssl/openssl-1.1.0h-r1.ebuild | 284 +++++++++++++++++++++ 4 files changed, 567 insertions(+)}
This issue was resolved and addressed in GLSA 201811-21 at https://security.gentoo.org/glsa/201811-21 by GLSA coordinator Aaron Bauman (b-man).
