From $URL: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
CVE-2011-1945 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1945): The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Sorry, not sure how I missed this one before releasing the last OpenSSL GLSA. This issue was fixed in dev-libs/openssl-0.9.8s and dev-libs/openssl-1.0.0e: http://cvs.openssl.org/chngview?cn=20895 http://cvs.openssl.org/chngview?cn=20894 GLSA vote: yes.
GLSA Vote: yes. Request filed.
This issue was resolved and addressed in GLSA 201312-03 at http://security.gentoo.org/glsa/glsa-201312-03.xml by GLSA coordinator Chris Reffett (creffett).
