Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) #208

anonimal · 2018-04-17T08:02:10Z

This is for our static release builds, regarding our usage of libunbound (RSA/SHA1 required for DNSSEC). RSA also needed for epee(?), and more(?) (? = can @moneromooo-monero or @hyc or others confirm?):

https://www.openssl.org/news/secadv/20180416.txt

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available.

If the next point release is not before they release 1.1.0i / 1.0.2p, then we should release a monero point release with those applicable versions once they are released.

hyc · 2018-04-17T09:04:02Z

Only libunbound had any particular OpenSSL requirement.

fluffypony · 2018-04-17T09:12:35Z

Yes - only needed for libunbound

anonimal · 2018-09-08T23:25:40Z

1.1.0i was released August 14th. The static release binaries should be built against the latest version of openssl.

anonimal · 2018-10-16T21:24:34Z

Should be resolved in the v0.13 series.

anonimal mentioned this issue Jun 12, 2018

Client DoS due to large DH parameter (CVE-2018-0732) #243

Closed

anonimal closed this as completed Oct 16, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) #208

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) #208

anonimal commented Apr 17, 2018

hyc commented Apr 17, 2018

fluffypony commented Apr 17, 2018

anonimal commented Sep 8, 2018

anonimal commented Oct 16, 2018

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) #208

Cache timing vulnerability in RSA Key Generation (CVE-2018-0737) #208

Comments

anonimal commented Apr 17, 2018

hyc commented Apr 17, 2018

fluffypony commented Apr 17, 2018

anonimal commented Sep 8, 2018

anonimal commented Oct 16, 2018