Date: Thu, 22 Mar 2018 13:09:29 +0100 From: zugtprgfwprz@...rnkuller.de To: oss-security@...ts.openwall.com Subject: Re: OpenSSL: bug in modular exponentiation Hi Guido, On 20.03.2018 22:34, Guido Vranken wrote: > My bignum fuzzer (https://github.com/guidovranken/bignum-fuzzer) > running on Google's oss-fuzz recently found a bug in affecting > constant-time modular exponentiation. Interesting -- could you confirm that the effect of this bug is a miscalculation? Or is it breaking the constant-time assertion? > OpenSSL does not treat this as a security vulnerability. This is a > heads-up to developers who rely on the affected code so they can > review the impact on their applications on a case-by-case basis. Do you have a pointer as to where this was discussed? Do you consider it a security vulnerability? Can you give advice to developers of how to mitigate this kind of issue? Is it regarded a WONTFIX by OpenSSL or is it going to be fixed (just not treated as security-criticial)? If so, do you know the fix version? Cheers and best regards, Johannes
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ