Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 4 Feb 2016 11:02:45 +0100
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Socat security advisory 7 - Created new 2048bit DH modulus

Hello,

On 02.02.2016 20:36, cve-assign@...re.org wrote:
> >   In the OpenSSL address implementation the hard coded 1024 bit DH p
> >   parameter was not prime. The effective cryptographic strength of a key
> >   exchange using these parameters was weaker than the one one could
> get by
> >   using a prime p. Moreover, since there is no indication of how these
> >   parameters were chosen, the existence of a trapdoor that makes
> possible
> >   for an eavesdropper to recover the shared secret from a key
> exchange that
> >   uses them cannot be ruled out.
>
> This was sent to the oss-security list as a published advisory, not as
> a CVE ID request. We would expect that one or more parties (e.g.,
> Linux distributions) are planning to re-announce this to a different
> audience in a way that would make at least one CVE ID especially
> useful. Our question is about whether anyone needs two CVE IDs.

SUSE acknowledges that one CVE ID would be useful for the "was not
prime" finding, and would not need a second CVE ID.

SUSE distributions, except for the openSUSE Tumbleweed rolling community
distribution, is not affected:
https://bugzilla.suse.com/show_bug.cgi?id=964843

Andreas

-- 
Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton,
HRB 21284 (AG N├╝rnberg)




Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ