Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 27 Jun 2016 08:08:14 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: CVE request: MatrixSSL lack of RSA-CRT hardening

MatrixSSL 3.8.3 comes with this fix:

<https://github.com/matrixssl/matrixssl/blob/master/CHANGES.md#validation-of-rsa-signature-creation>

I think this warrants a CVE ID because RSA-CRT key leaks from
MatrixSSL have been observed in practice.  (I'm not sure if the
contributing factor was a bug in the MatrixSSL bignum routines, or
defective hardware.)

(There are some other changes whose description suggests they would
warrant CVE assignment as well, but I have not looked at those.)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ