Date: Wed, 6 Jul 2011 12:51:39 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: openssl timing attack On Wed, 6 Jul 2011 10:56:46 +0400 Solar Designer wrote: > > The fix from the paper was committed in openssl CVS within about a > > week from public disclosure: > > > > http://cvs.openssl.org/chngview?cn=20892 > > > > However, there were some concerns raised regarding the extra #ifdef > > wrapping added as part of the commit, which disable the fix by > > default, and the name suggests #ifndef was probably intended: > > > > http://firstname.lastname@example.org/msg29283.html > > This helps. > > Are you dealing with the issue for Red Hat products? Perhaps you > have a Bugzilla entry? We have bugzilla (as usual, use CVE as a bug id), but not too useful for other distros, as it only says we're not affected. All EC crypto is one of the "patent or otherwise encumbered" code pieces that are removed and not compiled in. http://pkgs.fedoraproject.org/gitweb/?p=openssl.git;a=blob;f=hobble-openssl;h=a8be844f6ba7654b5738ae0e27e192a38797bd74;hb=master -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.