deps: float two (more) OpenSSL patches for DSA vulnerabilities #23965
Building on from #23950, we have two more issues surrounding DSA.
One has a CVE, CVE-2018-0734 @ https://www.openssl.org/news/secadv/20181030.txt
The other runs into OpenSSL's severity-level policy for CVE assignment and doesn't quite make it, so we don't have a CVE for it. openssl/openssl#7487
If this is accepted I'll put in a PR for 6 & 8 since they have different patches (for 1.0.2).
FWIW I don't believe any of these rise to much of a meaningful level of severity. We're seeing an expected wave of timing attack vulnerabilities being discovered because this is the hottest area for research right now (for good reason, it's fascinating!). But a lot of them are more academic in nature in that they require very specific circumstances to be able to build a successful attack. And in these cases I don't believe exploits have been published anywhere.
Still worth floating on our releases I reckon though. Erring on the side of security is what the vast majority of our users want to see us do.