Bugzilla – Bug 1113652
VUL-1: CVE-2018-0734: openssl,openssl1,openssl-1_1,openssl-1_0_0,compat-openssl098: Timing vulnerability in DSA signature generation
Last modified: 2022-02-16 20:55:54 UTC
via openssl git commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6 Author: Pauli <paul.dale@oracle.com> Date: Wed Oct 24 07:42:46 2018 +1000 Timing vulnerability in DSA signature generation (CVE-2018-0734). Avoid a timing attack that leaks information via a side channel that triggers when a BN is resized. Increasing the size of the BNs prior to doing anything with them suppresses the attack. Thanks due to Samuel Weiser for finding and locating this. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7486)
requires bnc#1113742 for SUSE:SLE-12-SP2:Update/openssl
Hi Vítězslav, my investigation suggests that the following codestreams are affected: - SUSE:SLE-15:Update/openssl-1_0_0 - SUSE:SLE-15:Update/openssl-1_1 The situation for SLE12 is a bit confusing though. It seems like upstream added a commit, fixing another side channel issue which got no CVE (see bnc#1113742)
Fix for 1.0.2: https://github.com/openssl/openssl/pull/7513 and there's a non "CVE level" fix: https://github.com/openssl/openssl/pull/7512
Hi Vítězslav, I have to correct myself with the missing patch (i.e. no CVE from bnc#1113742) all codestreams are affected. If the patch for CONSTTIME is added then this patch should probably be applied to all streams too. Sorry about the confusion.
this was added to 1.0.2 branch in openssl: commit 43e6a58d4991a451daf4891ff05a48735df871ac Author: Pauli <paul.dale@oracle.com> Date: Mon Oct 29 08:24:22 2018 +1000 Merge DSA reallocation timing fix CVE-2018-0734. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7513)
Timing vulnerability in DSA signature generation (CVE-2018-0734) ================================================================ Severity: Low The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.1, 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.1a, OpenSSL 1.1.0j and OpenSSL 1.0.2q when they become available. The fix is also available in commit 8abfe72e8c (for 1.1.1), ef11e19d13 (for 1.1.0) and commit 43e6a58d49 (for 1.0.2) in the OpenSSL git repository. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20181030.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html <https://www.openssl.org/policies/secpolicy.html> Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia
SUSE-SU-2018:3863-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1113651,1113652 CVE References: CVE-2018-0734,CVE-2018-0735 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): openssl-1_1-1.1.0i-4.15.1 SUSE Linux Enterprise Module for Basesystem 15 (src): openssl-1_1-1.1.0i-4.15.1
SUSE-SU-2018:3864-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1101470,1104789,1106197,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-0737,CVE-2018-5407 Sources used: SUSE Linux Enterprise Server 12-SP1-LTSS (src): openssl-1.0.1i-54.20.1
SUSE-SU-2018:3866-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1112209,1113534,1113652,1113742 CVE References: CVE-2018-0734,CVE-2018-5407 Sources used: SUSE OpenStack Cloud 7 (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Server 12-SP3 (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): openssl-1.0.2j-60.46.1 SUSE Linux Enterprise Desktop 12-SP3 (src): openssl-1.0.2j-60.46.1 SUSE Enterprise Storage 4 (src): openssl-1.0.2j-60.46.1 SUSE CaaS Platform ALL (src): openssl-1.0.2j-60.46.1 SUSE CaaS Platform 3.0 (src): openssl-1.0.2j-60.46.1 OpenStack Cloud Magnum Orchestration 7 (src): openssl-1.0.2j-60.46.1
openSUSE-SU-2018:3890-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1113651,1113652 CVE References: CVE-2018-0734,CVE-2018-0735 Sources used: openSUSE Leap 15.0 (src): openssl-1_1-1.1.0i-lp150.3.15.1
openSUSE-SU-2018:3903-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1112209,1113534,1113652,1113742 CVE References: CVE-2018-0734,CVE-2018-5407 Sources used: openSUSE Leap 42.3 (src): openssl-1.0.2j-32.1
SUSE-SU-2018:3945-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1112209,1113651,1113652 CVE References: CVE-2018-0734,CVE-2018-0735 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): openssl-1_1-1.1.1-2.3.1 SUSE Linux Enterprise Server 12-SP4 (src): openssl-1_1-1.1.1-2.3.1 SUSE Linux Enterprise Desktop 12-SP4 (src): openssl-1_1-1.1.1-2.3.1
SUSE-SU-2018:3964-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1104789,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-5407 Sources used: SUSE Linux Enterprise Server 11-SECURITY (src): openssl1-1.0.1g-0.58.15.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssl1-1.0.1g-0.58.15.1
SUSE-SU-2018:3989-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1100078,1112209,1113534,1113652,1113742 CVE References: CVE-2018-0734,CVE-2018-5407 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): openssl-1_0_0-1.0.2p-3.3.1 SUSE Linux Enterprise Server 12-SP4 (src): openssl-1_0_0-1.0.2p-3.3.1 SUSE Linux Enterprise Desktop 12-SP4 (src): openssl-1_0_0-1.0.2p-3.3.1
openSUSE-SU-2018:4050-1: An update that solves two vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 1100078,1112209,1113534,1113652,1113742 CVE References: CVE-2018-0734,CVE-2018-5407 Sources used: openSUSE Leap 15.0 (src): openssl-1_0_0-1.0.2p-lp150.2.9.1
SUSE-SU-2018:4068-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1104789,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-5407 Sources used: SUSE Linux Enterprise Server for SAP 12-SP4 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Server for SAP 12-SP1 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Module for Legacy Software 12 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12-SP4 (src): compat-openssl098-0.9.8j-106.9.1 SUSE Linux Enterprise Desktop 12-SP3 (src): compat-openssl098-0.9.8j-106.9.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-12-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64184
openSUSE-SU-2018:4104-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1104789,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-5407 Sources used: openSUSE Leap 42.3 (src): compat-openssl098-0.9.8j-27.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-12-28. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64193
SUSE-SU-2018:4274-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1104789,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-5407 Sources used: SUSE Studio Onsite 1.3 (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Server 11-SP4 (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): openssl-0.9.8j-0.106.18.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): openssl-0.9.8j-0.106.18.1
This is an autogenerated message for OBS integration: This bug (1113652) was mentioned in https://build.opensuse.org/request/show/662509 Factory / openssl-1_0_0
This is an autogenerated message for OBS integration: This bug (1113652) was mentioned in https://build.opensuse.org/request/show/664387 Factory / nodejs6 https://build.opensuse.org/request/show/664392 Factory / nodejs10
SUSE-SU-2019:0117-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630 CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs4-4.9.1-15.17.1 SUSE Enterprise Storage 4 (src): nodejs4-4.9.1-15.17.1
This is an autogenerated message for OBS integration: This bug (1113652) was mentioned in https://build.opensuse.org/request/show/668718 42.3 / mysql-community-server
openSUSE-SU-2019:0088-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630 CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407 Sources used: openSUSE Leap 42.3 (src): nodejs4-4.9.1-20.1
openSUSE-SU-2019:0138-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 1113652,1122198 CVE References: CVE-2018-0734,CVE-2019-2455,CVE-2019-2481,CVE-2019-2482,CVE-2019-2503,CVE-2019-2507,CVE-2019-2529,CVE-2019-2531,CVE-2019-2534,CVE-2019-2537 Sources used: openSUSE Leap 42.3 (src): mysql-community-server-5.6.43-45.1
SUSE-SU-2019:0395-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630 CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407 Sources used: SUSE OpenStack Cloud Crowbar 8 (src): nodejs6-6.16.0-11.21.1 SUSE OpenStack Cloud 7 (src): nodejs6-6.16.0-11.21.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): nodejs6-6.16.0-11.21.1 SUSE Enterprise Storage 4 (src): nodejs6-6.16.0-11.21.1
openSUSE-SU-2019:0234-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630 CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407 Sources used: openSUSE Leap 42.3 (src): nodejs6-6.16.0-18.1
released
SUSE-SU-2018:3864-2: An update that solves four vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1101470,1104789,1106197,1110018,1113534,1113652 CVE References: CVE-2016-8610,CVE-2018-0734,CVE-2018-0737,CVE-2018-5407 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): openssl-1.0.1i-54.20.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1553-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (moderate) Bug References: 1089039,1097158,1097624,1098592,1101470,1104789,1106197,1110018,1113534,1113652,1117951,1127080,1131291 CVE References: CVE-2016-8610,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-5407,CVE-2019-1559 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): openssl-1.0.1i-27.34.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-FU-2022:0445-1: An update that solves 183 vulnerabilities, contains 21 features and has 299 fixes is now available. Category: feature (moderate) Bug References: 1000080,1000117,1000194,1000677,1000742,1001148,1001912,1002585,1002895,1003091,1005246,1009528,1010874,1010966,1011936,1015549,1019637,1021641,1022085,1022086,1022271,1027079,1027610,1027688,1027705,1027908,1028281,1028723,1029523,1029902,1030038,1032118,1032119,1035604,1039469,1040164,1040256,1041090,1042392,1042670,1044095,1044107,1044175,1049186,1049304,1050653,1050665,1055478,1055542,1055825,1056058,1056951,1057496,1062237,1065363,1066242,1066873,1068790,1070737,1070738,1070853,1071905,1071906,1071941,1073310,1073845,1073879,1074247,1076519,1077096,1077230,1078329,1079761,1080301,1081005,1081750,1081751,1082155,1082163,1082318,1083826,1084117,1084157,1085276,1085529,1085661,1087102,1087104,1088573,1089039,1090427,1090765,1090953,1093518,1093917,1094788,1094814,1094883,1095267,1096738,1096937,1097158,1097531,1097624,1098535,1098592,1099308,1099569,1100078,1101246,1101470,1102868,1104789,1106197,1108508,1109882,1109998,1110435,1110869,1110871,1111493,1111622,1111657,1112209,1112357,1113534,1113652,1113742,1113975,1115769,1117951,1118611,1119376,1119416,1119792,1121717,1121852,1122191,1123064,1123185,1123186,1123558,1124885,1125815,1126283,1126318,1127080,1127173,1128146,1128323,1128355,1129071,1129566,1130840,1131291,1132174,1132323,1132455,1132663,1132900,1135009,1136444,1138666,1138715,1138746,1139915,1140255,1141168,1142899,1143033,1143454,1143893,1144506,1149686,1149792,1150003,1150190,1150250,1150895,1153830,1155815,1156677,1156694,1156908,1157104,1157354,1158809,1159235,1159538,1160163,1161557,1161770,1162224,1162367,1162743,1163978,1164310,1165439,1165578,1165730,1165823,1165960,1166139,1166758,1167008,1167501,1167732,1167746,1168480,1168973,1169489,1170175,1170863,1171368,1171561,1172226,1172908,1172928,1173226,1173356,1174009,1174091,1174514,1175729,1176116,1176129,1176134,1176232,1176256,1176257,1176258,1176259,1176262,1176389,1176785,1176977,1177120,1177127,1177559,1178168,1178341,1178670,1179491,1179562,1179630,1179805,1180125,1180781,1181126,1181324,1181944,1182066,1182211,1182244,1182264,1182331,1182333,1182379,1182963,1183059,1183374,1183858,1184505,1185588,1185706,1185748,1186738,1187045,1189521,1190781,1193357,356549,381844,394317,408865,428177,430141,431945,437293,442740,459468,489641,504687,509031,526319,590833,610223,610642,629905,637176,651003,657698,658604,670526,673071,693027,715423,720601,743787,747125,748738,749210,749213,749735,750618,751718,751946,751977,754447,754677,761500,774710,784670,784994,787526,793420,799119,802184,803004,809831,811890,822642,825221,828513,831629,832833,834601,835687,839107,84331,849377,855666,855676,856687,857203,857850,858239,867887,869945,871152,872299,873351,876282,876710,876712,876748,880891,885662,885882,889013,889363,892477,892480,895129,898917,901223,901277,901902,902364,906878,907584,908362,908372,912014,912015,912018,912292,912293,912294,912296,912460,913229,915479,917607,917759,917815,919648,920236,922448,922488,922496,922499,922500,926597,929678,929736,930189,931698,931978,933898,933911,934487,934489,934491,934493,935856,937085,937212,937492,937634,937912,939456,940608,942385,942751,943421,944204,945455,946648,947104,947357,947679,948198,952871,954256,954486,954690,957812,957813,957815,958501,961334,962291,963415,963974,964204,964472,964474,965830,967128,968046,968047,968048,968050,968265,968270,968374,968601,975875,976942,977584,977614,977615,977616,977663,978224,981848,982268,982575,983249,984323,985054,988086,990207,990392,990419,990428,991193,991877,992120,992988,992989,992992,993130,993819,993825,993968,994749,994844,994910,995075,995324,995359,995377,995959,996255,997043,997614,998190,999665,999666,999668 CVE References: CVE-2006-2937,CVE-2006-2940,CVE-2006-3738,CVE-2006-4339,CVE-2006-4343,CVE-2006-7250,CVE-2007-3108,CVE-2007-4995,CVE-2007-5135,CVE-2008-0891,CVE-2008-1672,CVE-2008-5077,CVE-2009-0590,CVE-2009-0591,CVE-2009-0789,CVE-2009-1377,CVE-2009-1378,CVE-2009-1379,CVE-2009-1386,CVE-2009-1387,CVE-2010-0740,CVE-2010-0742,CVE-2010-1633,CVE-2010-2939,CVE-2010-3864,CVE-2010-5298,CVE-2011-0014,CVE-2011-3207,CVE-2011-3210,CVE-2011-3389,CVE-2011-4108,CVE-2011-4576,CVE-2011-4577,CVE-2011-4619,CVE-2011-4944,CVE-2012-0027,CVE-2012-0050,CVE-2012-0845,CVE-2012-0884,CVE-2012-1150,CVE-2012-1165,CVE-2012-2110,CVE-2012-2686,CVE-2012-4929,CVE-2013-0166,CVE-2013-0169,CVE-2013-1752,CVE-2013-4238,CVE-2013-4314,CVE-2013-4353,CVE-2013-6449,CVE-2013-6450,CVE-2014-0012,CVE-2014-0076,CVE-2014-0160,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-1829,CVE-2014-1830,CVE-2014-2667,CVE-2014-3470,CVE-2014-3505,CVE-2014-3506,CVE-2014-3507,CVE-2014-3508,CVE-2014-3509,CVE-2014-3510,CVE-2014-3511,CVE-2014-3512,CVE-2014-3513,CVE-2014-3566,CVE-2014-3567,CVE-2014-3568,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-4650,CVE-2014-5139,CVE-2014-7202,CVE-2014-7203,CVE-2014-8275,CVE-2014-9721,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206,CVE-2015-0209,CVE-2015-0286,CVE-2015-0287,CVE-2015-0288,CVE-2015-0289,CVE-2015-0293,CVE-2015-1788,CVE-2015-1789,CVE-2015-1790,CVE-2015-1791,CVE-2015-1792,CVE-2015-2296,CVE-2015-3194,CVE-2015-3195,CVE-2015-3196,CVE-2015-3197,CVE-2015-3216,CVE-2015-4000,CVE-2016-0702,CVE-2016-0705,CVE-2016-0797,CVE-2016-0798,CVE-2016-0799,CVE-2016-0800,CVE-2016-10745,CVE-2016-2105,CVE-2016-2106,CVE-2016-2107,CVE-2016-2109,CVE-2016-2176,CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7055,CVE-2016-9015,CVE-2017-18342,CVE-2017-3731,CVE-2017-3732,CVE-2017-3735,CVE-2017-3736,CVE-2017-3737,CVE-2017-3738,CVE-2018-0732,CVE-2018-0734,CVE-2018-0737,CVE-2018-0739,CVE-2018-18074,CVE-2018-20060,CVE-2018-5407,CVE-2018-7750,CVE-2019-10906,CVE-2019-11236,CVE-2019-11324,CVE-2019-13132,CVE-2019-1547,CVE-2019-1551,CVE-2019-1559,CVE-2019-1563,CVE-2019-20907,CVE-2019-20916,CVE-2019-5010,CVE-2019-6250,CVE-2019-8341,CVE-2019-9740,CVE-2019-9947,CVE-2020-14343,CVE-2020-15166,CVE-2020-15523,CVE-2020-15801,CVE-2020-1747,CVE-2020-1971,CVE-2020-25659,CVE-2020-26137,CVE-2020-27783,CVE-2020-28493,CVE-2020-29651,CVE-2020-36242,CVE-2020-8492,CVE-2021-23336,CVE-2021-23840,CVE-2021-23841,CVE-2021-28957,CVE-2021-29921,CVE-2021-3177,CVE-2021-33503,CVE-2021-3426,CVE-2021-3712 JIRA References: ECO-3105,SLE-11435,SLE-12684,SLE-12986,SLE-13688,SLE-14253,SLE-15159,SLE-15860,SLE-15861,SLE-16754,SLE-17532,SLE-17957,SLE-18260,SLE-18354,SLE-18446,SLE-19264,SLE-3887,SLE-4480,SLE-4577,SLE-7686,SLE-9135 Sources used: SUSE Manager Tools 12-BETA (src): venv-salt-minion-3002.2-3.3.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.