CVE-2024-13176: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. The above will be fixed in: 3.3.3, 3.2.4, 3.1.8, and 3.0.16. The fix is also available in commit 77c608f4 (for 3.4), commit 392dcb33 (for 3.3), commit 4b1cb94 (for 3.2), commit 2af62e74 (for 3.1) and commit 07272b05 (for 3.0) in the OpenSSL git repository.
Releases are out now.
I've started bumping these but may not finish until later.
commit ca397f75d7bb3124b8cc8faff1c27790c2b55764 Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Feb 11 08:10:56 2025 -0800 dev-libs/openssl: add 3.3.3 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> commit 26b201c972381ff1325091061a4ad899c74a918d Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Feb 11 08:45:58 2025 -0800 dev-libs/openssl: add 3.2.4 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> commit ed25cc8ff17852978ca5c15741cf9ee72d0ecbed Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Feb 11 09:02:02 2025 -0800 dev-libs/openssl: add 3.1.8 Signed-off-by: Patrick McLean <chutzpah@gentoo.org> commit ed25cc8ff17852978ca5c15741cf9ee72d0ecbed Author: Patrick McLean <chutzpah@gentoo.org> Date: Tue Feb 11 09:02:02 2025 -0800 dev-libs/openssl: add 3.1.8 Signed-off-by: Patrick McLean <chutzpah@gentoo.org>