The RSA-CRT implementation in PolarSSL before 1.2.9 does not properly
perform Montgomery multiplication, which might allow remote attackers to
conduct a timing side-channel attack and retrieve RSA private keys.
Versions prior to PolarSSL 1.2.9 and 1.3.0 are affected.
PolarSSL recommends upgrade to 1.3.0 (in URL): "We strongly advise you to consider upgrading to the 1.3 branch if outside parties are present or can connect to your network."
Thomas, are you ready to stabilize 1.3.0?
Arches, please stabilize:
target keywords="amd64 arm hppa ppc ppc64 ~s390 sparc x86 ~amd64-fbsd ~x86-fbsd"
Stable for HPPA.
Added to existing GLSA draft, should be ready to send after this bug is [glsa].
old version removed
This issue was resolved and addressed in
GLSA 201310-10 at http://security.gentoo.org/glsa/glsa-201310-10.xml
by GLSA coordinator Sergey Popov (pinkbyte).
You broke a stable reverse dep (media-sound/umurmur) and did not notify me about this.
Do people still not test reverse deps of libraries? Sure, this is a security bug. But there would have been a solution, like masking "polarssl" useflag in media-sound/umurmur.