Date: Thu, 4 Feb 2016 11:02:45 +0100 From: Andreas Stieger <astieger@...e.com> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: Socat security advisory 7 - Created new 2048bit DH modulus Hello, On 02.02.2016 20:36, cve-assign@...re.org wrote: > > In the OpenSSL address implementation the hard coded 1024 bit DH p > > parameter was not prime. The effective cryptographic strength of a key > > exchange using these parameters was weaker than the one one could > get by > > using a prime p. Moreover, since there is no indication of how these > > parameters were chosen, the existence of a trapdoor that makes > possible > > for an eavesdropper to recover the shared secret from a key > exchange that > > uses them cannot be ruled out. > > This was sent to the oss-security list as a published advisory, not as > a CVE ID request. We would expect that one or more parties (e.g., > Linux distributions) are planning to re-announce this to a different > audience in a way that would make at least one CVE ID especially > useful. Our question is about whether anyone needs two CVE IDs. SUSE acknowledges that one CVE ID would be useful for the "was not prime" finding, and would not need a second CVE ID. SUSE distributions, except for the openSUSE Tumbleweed rolling community distribution, is not affected: https://bugzilla.suse.com/show_bug.cgi?id=964843 Andreas -- Andreas Stieger <astieger@...e.com> Project Manager Security SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ