CVE-2018-0734

Source
Severity Low
Remote Yes
Type Private key recovery
Description
A timing vulnerability has been found in DSA signature generation in openssl versions up to and including 1.1.1, where information is leaked via a side channel when a BN is resized and could lead to private key recovery.
Group Package Affected Fixed Severity Status Ticket
AVG-807 openssl-1.0 1.0.2.p-1 1.0.2.q-1 Low Fixed
AVG-806 lib32-openssl-1.0 1.0.2.p-1 1.0.2.q-1 Low Fixed
AVG-793 lib32-openssl 1:1.1.1-1 1:1.1.1.a-1 Low Fixed
AVG-792 openssl 1.1.1-1 1.1.1.a-1 Low Fixed
Date Advisory Group Package Severity Description
08 Dec 2018 ASA-201812-8 AVG-807 openssl-1.0 Low private key recovery
08 Dec 2018 ASA-201812-7 AVG-806 lib32-openssl-1.0 Low private key recovery
08 Dec 2018 ASA-201812-6 AVG-793 lib32-openssl Low private key recovery
08 Dec 2018 ASA-201812-5 AVG-792 openssl Low private key recovery
References
https://www.openssl.org/news/secadv/20181030.txt
https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
https://github.com/openssl/openssl/pull/7486