As if we didn't already have enough issues with OpenSSL, what with buffer overrun vulnerabilities in new/recent code*, and more direct coding flaws (pointer free/dereference and such) that were recently announced**. You'd think with the combined wealth and resources of Alphabet/Google, Apple, and Microsoft, they'd find it in their best collective self-interest to fund a project to replace this garbage with some, you know, actually secure code. Sigh! Gilbert * https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-not... ** https://www.openssl.org/news/secadv/20230207.txt https://linuxsecurity.com/features/urgent-openssl-security-advisory https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-... https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities... (Many of the above do mention the side-channel attack too.) On 2023-02-22 1:51 p.m., Trevor Cordes wrote:
Oh joy, "password timing" attacks come to SSL.
e.g. CVE-2022-4304 Published 2023-02-08T20:15:00 A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack.
Begin forwarded message:
Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT) From: updates@fedoraproject.org To: package-announce@lists.fedoraproject.org Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-a5564c0a3f 2023-02-22 11:06:32.699863 --------------------------------------------------------------------------------
Name : openssl Product : Fedora 36 Version : 3.0.8 Release : 1.fc36
* Thu Feb 9 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-1 - Rebase to upstream version 3.0.8 Resolves: CVE-2022-4203 Resolves: CVE-2022-4304 Resolves: CVE-2022-4450 Resolves: CVE-2023-0215 Resolves: CVE-2023-0216 Resolves: CVE-2023-0217 Resolves: CVE-2023-0286 Resolves: CVE-2023-0401
-- Gilbert Detillieux E-mail: Gilbert.Detillieux@umanitoba.ca Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/ University of Manitoba Phone: 204-474-8161 Winnipeg MB CANADA R3T 2N2 For best CS dept. service, contact <cs-support@lists.umanitoba.ca>.