Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 369753 (CVE-2011-1945) - <dev-libs/openssl-{0.9.8s,1.0.0e}: ECDHE_ECDSA Information Disclosure (CVE-2011-1945)
Summary: <dev-libs/openssl-{0.9.8s,1.0.0e}: ECDHE_ECDSA Information Disclosure (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2011-1945
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-02 09:15 UTC by Benedikt Böhm (RETIRED)
Modified: 2013-12-03 04:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Benedikt Böhm (RETIRED) gentoo-dev 2011-06-02 09:15:37 UTC
From $URL:

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:09:54 UTC
CVE-2011-1945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1945):
  The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and
  earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used
  for the ECDHE_ECDSA cipher suite, does not properly implement curves over
  binary fields, which makes it easier for context-dependent attackers to
  determine private keys via a timing attack and a lattice calculation.
Comment 2 Sean Amoss gentoo-dev Security 2012-03-14 21:08:32 UTC
Sorry, not sure how I missed this one before releasing the last OpenSSL GLSA. 

This issue was fixed in dev-libs/openssl-0.9.8s and dev-libs/openssl-1.0.0e:
http://cvs.openssl.org/chngview?cn=20895
http://cvs.openssl.org/chngview?cn=20894

GLSA vote: yes.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-03-15 02:30:03 UTC
GLSA Vote: yes. Request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-12-03 04:27:40 UTC
This issue was resolved and addressed in
 GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml
by GLSA coordinator Chris Reffett (creffett).