[Secure-testing-team] Bug#856114: wolfssl: CVE-2017-6076

Salvatore Bonaccorso carnil at debian.org
Sat Feb 25 10:27:22 UTC 2017


Source: wolfssl
Version: 3.9.10+dfsg-1
Severity: grave
Tags: upstream security patch fixed-upstream

Hi,

the following vulnerability was published for wolfssl.

CVE-2017-6076[0]:
| In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes
| it easier to extract RSA key information for a malicious user who has
| access to view cache on a machine.

From the release notes:

Low level fix for potential cache attack on RSA operations. If using
wolfSSL RSA on a server that other users can have access to monitor
the cache, then it is recommended to update wolfSSL. Thanks to Andreas
Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the
initial report.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6076
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6076
[1] https://github.com/wolfSSL/wolfssl/commit/345df93978c41da1ac8047a37f1fed5286883d8d
[2] https://github.com/wolfSSL/wolfssl/pull/674

Regards,
Salvatore
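A check for whether an installed Debian wolfssl package still predates the fix, added here as an example and not part of the bug report or of the wolfSSL project. It takes only two facts from the report above: the upstream version that carries the fix, 3.10.2 (from the CVE text), and the affected Debian version, 3.9.10+dfsg-1. Everything else is assumed: the simplified Debian version parsing (epoch, Debian revision, `+dfsg` repack tag, `~` pre-release ordering) is a subset of dpkg's comparison rules that is adequate for wolfssl's version scheme, the `wolfssl`/`libwolfssl` package-name prefixes are assumed, and the `dpkg-query -W` lines are constructed sample input.

```python
import re

# Upstream release that carries the fp_mul_comba fix, per the CVE description.
FIXED_UPSTREAM = "3.10.2"

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
# (not real data from the report); the wolfssl entries use the version the
# bug report names as affected.
SAMPLE_DPKG_OUTPUT = """\
libwolfssl-dev 3.9.10+dfsg-1
libwolfssl3 3.9.10+dfsg-1
libssl1.0.2 1.0.2k-1
"""


def upstream_version(debian_version):
    """Reduce a Debian version string to its upstream part.

    Assumed rules, adequate for wolfssl's scheme but not a full dpkg
    comparator: drop an epoch ('1:'), the Debian revision after the last '-',
    and a '+dfsg...' repack tag.
    """
    v = debian_version.split(":", 1)[-1]
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    return re.sub(r"\+dfsg.*$", "", v)


def version_key(upstream):
    """Sortable key: dotted numeric components, with a '~' pre-release tag
    ordering before the plain release (as dpkg does for '~')."""
    base, tilde, _ = upstream.partition("~")
    return (tuple(int(p) for p in re.findall(r"\d+", base)), 0 if tilde else 1)


def is_affected(debian_version):
    """True if the package predates the upstream fix in FIXED_UPSTREAM."""
    return version_key(upstream_version(debian_version)) < version_key(FIXED_UPSTREAM)


def affected_packages(dpkg_lines):
    """Return (package, version) pairs built from wolfssl that still need the fix.

    The package-name prefixes are an assumption about how the binary packages
    are named; adjust them for the distribution you are checking.
    """
    found = []
    for line in dpkg_lines.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split()
        if pkg.startswith(("wolfssl", "libwolfssl")) and is_affected(ver):
            found.append((pkg, ver))
    return found


if __name__ == "__main__":
    for pkg, ver in affected_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{pkg} {ver}: affected by CVE-2017-6076, upgrade to >= {FIXED_UPSTREAM}")
```

On a real host, feed the output of `dpkg-query -W -f='${Package} ${Version}\n'` into `affected_packages` instead of the constructed sample. The version check only says whether the upstream fix is present; a distribution may also ship the fix as a backported patch under an older version number, in which case the package changelog (which the report asks to mention the CVE id) is the authoritative place to look.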
