| Summary: | <dev-libs/libressl-{2.3.10,2.4.5,2.5.4,2.6.1}: ECDSA P-256 timing attack key recovery (CVE-2016-7056) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | libressl |
| Priority: | Low | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 605414 | ||
|
Description
Thomas Deutschmann (RETIRED)
2017-01-11 21:55:55 UTC
Fixed by: https://github.com/libressl-portable/openbsd/commit/3585681bd8ac343b7c357a932c9577988bca86b0 Not yet released/tagged. git tag --contains b5a26893d97d88
OPENBSD_6_1_BASE
libressl-v2.5.1
libressl-v2.5.2
libressl-v2.5.3
libressl-v2.5.4
libressl-v2.5.5
libressl-v2.6.0
libressl-v2.6.1
already fixed and stable in tree.
@Maintainers we have SLOTs with affected versions, could you confirm if they are vulnerable?
Keywords for dev-libs/libressl:
| | u |
| a a p a n r s | n |
| l m h i p r m m i i s p | e u s | r
| p d a p a p c x m i 6 o s 3 a | a s l | e
| h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o | p
| a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t | o
-------+---------------------------------+----------+-------
2.3.10 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o 0/38 | gentoo
-------+---------------------------------+----------+-------
2.4.5 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 # 0/39 | gentoo
2.5.0 | ~ ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o | gentoo
Gentoo Security Padawan
ChrisADR
2.3.10 and 2.4.5 sources contain the fix as referenced above. 2.5.0 also solves the leak, but with different logic. Tree does not need cleaned as these ebuild versions are not vulnerable. |
