MGASA-2018-0365

Description

Updated openssl packages fix security vulnerabilities Updated openssl packages fix security vulnerabilities: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (CVE-2018-0732). The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key (CVE-2018-0737).

Affected Systems

• mageia•openssl

  < 1.0.2p-1.mga6

References (6)

• https://advisories.mageia.org/MGASA-2018-0365.html
• https://bugs.mageia.org/show_bug.cgi?id=22934
• https://www.openssl.org/news/secadv/20180416.txt
• https://openwall.com/lists/oss-security/2018/04/16/3
• https://usn.ubuntu.com/3692-1/
• https://usn.ubuntu.com/3628-1/