Debian 8: DLA-1932-1 Urgent: OpenSSL Security Fix to Mitigate Attacks
debian lts
September 25, 2019
Two security vulnerabilities were found in OpenSSL, the Secure Sockets Layer toolkit
Topics Covered
Summary
Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some
cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that
such a group does not have the cofactor present. This can occur even
where all the parameters match a known named curve. If such a curve
is used then OpenSSL falls back to non-side channel resistant code
paths which may result in full key recovery during an ECDSA
signature operation. In order to be vulnerable an attacker
would have to have the ability to time the creation of a large
number of signatures where explicit parameters with no co-factor
present are in use by an application using libcrypto. For the
avoidance of doubt libssl is not vulnerable because explicit
parameters are never used.
CVE-2019-1563
In situations where an attacker receives automated notification of
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: openssl
Version: 1.0.1t-1+deb8u12
CVE ID: CVE-2019-1547 CVE-2019-1563
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!