Bug 369753 (CVE-2011-1945)

Summary: <dev-libs/openssl-{0.9.8s,1.0.0e}: ECDHE_ECDSA Information Disclosure (CVE-2011-1945)
Product: Gentoo Security
Reporter: Benedikt Böhm (RETIRED) <hollow>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: alexanderyt, base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1945
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Benedikt Böhm (RETIRED) gentoo-dev 2011-06-02 09:15:37 UTC
From $URL:

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:09:54 UTC
CVE-2011-1945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1945):
  The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
  earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used
  for the ECDHE_ECDSA cipher suite, does not properly implement curves over
  binary fields, which makes it easier for context-dependent attackers to
  determine private keys via a timing attack and a lattice calculation.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-14 21:08:32 UTC
Sorry, not sure how I missed this one before releasing the last OpenSSL GLSA. 

This issue was fixed in dev-libs/openssl-0.9.8s and dev-libs/openssl-1.0.0e:
http://cvs.openssl.org/chngview?cn=20895
http://cvs.openssl.org/chngview?cn=20894

GLSA vote: yes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-03-15 02:30:03 UTC
GLSA Vote: yes. Request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:27:40 UTC
This issue was resolved and addressed in
 GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml
by GLSA coordinator Chris Reffett (creffett).