LibreSSL is vulnerable to an ECDSA P-256 timing attack. Please see the tracker bug 605414 for more details.
Fixed by: https://github.com/libressl-portable/openbsd/commit/3585681bd8ac343b7c357a932c9577988bca86b0
Not yet released/tagged.
git tag --contains b5a26893d97d88
OPENBSD_6_1_BASE
libressl-v2.5.1
libressl-v2.5.2
libressl-v2.5.3
libressl-v2.5.4
libressl-v2.5.5
libressl-v2.6.0
libressl-v2.6.1

already fixed and stable in tree.

@Maintainers we have SLOTs with affected versions, could you confirm if they are vulnerable?

Keywords for dev-libs/libressl:
       |                                 |   u      |
       | a a         p   a     n r     s |   n      |
       | l m   h i   p   r m m i i s   p | e u s    | r
       | p d a p a p c x m i 6 o s 3   a | a s l    | e
       | h 6 r p 6 p 6 8 6 p 8 s c 9 s r | p e o    | p
       | a 4 m a 4 c 4 6 4 s k 2 v 0 h c | i d t    | o
-------+---------------------------------+----------+-------
2.3.10 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o 0/38 | gentoo
-------+---------------------------------+----------+-------
 2.4.5 | o ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 # 0/39 | gentoo
 2.5.0 | ~ ~ ~ ~ o ~ ~ ~ o ~ o o o o o o | 6 o      | gentoo

Gentoo Security Padawan
ChrisADR
2.3.10 and 2.4.5 sources contain the fix as referenced above. 2.5.0 also solves the leak, but with different logic. Tree does not need to be cleaned as these ebuild versions are not vulnerable.