root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add CHANGES.md and NEWS.md updates for CVE-2024-13176 

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)

(cherry picked from commit c3144e1025)
This commit is contained in:
Tomas Mraz 2025-01-15 18:29:52 +01:00
parent 2af62e74fb
commit 7d8a8c20e1
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
CHANGES.md
View File

@ -24,6 +24,19 @@ OpenSSL 3.1
### Changes between 3.1.7 and 3.1.8 [xx XXX xxxx]
* Fixed timing side-channel in ECDSA signature computation.
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.
([CVE-2024-13176])
*Tomáš Mráz*
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
@ -20064,6 +20077,7 @@ ndif
<!-- Links -->
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535

4
NEWS.md
View File

@ -26,6 +26,9 @@ release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed timing side-channel in ECDSA signature computation.
([CVE-2024-13176])
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])
@ -1522,6 +1525,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535