From ${URL} :

Description

Yuval Yarom and Naomi Benger have reported a weakness in OpenSSL, which can be exploited by malicious, local users to disclose certain sensitive information.

The weakness is caused due to an implementation error within the Elliptic Curve Digital Signature Algorithm (ECDSA), which can be exploited to disclose a nonce value and subsequently derive the secret key via the FLUSH+RELOAD Cache side-channel attack.

Solution: Fixed in the source code repository.

Provided and/or discovered by: Yuval Yarom and Naomi Benger

Original Advisory: Yuval Yarom and Naomi Benger: http://eprint.iacr.org/2014/140

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
GLSA together with bug 507074.
1.0.0 branch is affected too, currently masked
This issue was resolved and addressed in GLSA 201404-07 at http://security.gentoo.org/glsa/glsa-201404-07.xml by GLSA coordinator Mikle Kolyada (Zlogene).
Severity is just normal for the most severe openssl bug in history? A3 satisfies GLSA policy requirement, but maybe the policy should be revised itself?
(In reply to Andrew Savchenko from comment #4)
> Severity is just normal for the most severe openssl bug in history?
> A3 satisfies GLSA policy requirement, but maybe the policy should be revised
> itself?

Er, the 'most severe openssl bug in history' is the other bug linked in the advisory, not this one. (Even if it was the right one, this has nothing to do with the actual issue, so it being on-topic for the bug is debatable.)

At any rate, the issue impact ratings depend on the issue itself, not any other chained events that can be triggered by it, and certainly not media hype. As such, the rating and policy are fine.