From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple
	Crypto Libraries
Date: Thu, 14 Jun 2018 16:06:08 -0400
Message-ID: <20180614200608.GA8617@jasmine.lan>
References: <20180614192211.GA21522@jasmine.lan>
	<20180614195049.GB4039@jasmine.lan>
	<CAE4v=pjPFsmHKG8S72fqk2DJ9iw1GVNa+0eVUwOmVqxiUWi3bg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="LQksG6bCIzRHxTLp"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37160)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fTYWQ-0003Wg-Ve
	for bug-guix@gnu.org; Thu, 14 Jun 2018 16:07:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fTYWM-0000gZ-Ex
	for bug-guix@gnu.org; Thu, 14 Jun 2018 16:07:06 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:40595)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1fTYWL-0000gC-Vw
	for bug-guix@gnu.org; Thu, 14 Jun 2018 16:07:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fTYWL-0002br-N9
	for bug-guix@gnu.org; Thu, 14 Jun 2018 16:07:01 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.31831.B31831.15290067729959@debbugs.gnu.org>
Content-Disposition: inline
In-Reply-To: <CAE4v=pjPFsmHKG8S72fqk2DJ9iw1GVNa+0eVUwOmVqxiUWi3bg@mail.gmail.com>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-guix/>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
	<mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: =?UTF-8?Q?G=C3=A1bor?= Boskovits <boskovits@gmail.com>
Cc: 31831@debbugs.gnu.org


--LQksG6bCIzRHxTLp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:
> > I'll try OpenSSL next.

They committed a fix but haven't released an update yet:

https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09

There is also an unrelated security advisory for a DoS bug from 2 days
ago:

https://www.openssl.org/news/secadv/20180612.txt

I'll try grafting these patches.

--LQksG6bCIzRHxTLp
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlsiyrAACgkQJkb6MLrK
fwiL6xAAhUiFkoZifXJnnhd8JWO0UJnD856DvXoIWeXsVfVY2IOJH28UQ/LznHsz
PrkUi2sJ0X/CsRBLd7GCjxc/lhVVRCBUfz1pQ4Pzg62lqvmaNnZtTLSn8c4kYOGP
Yl+/wP7PC4KBRupYecLPjElKFjNG02xbhILrUc7/hKNKNxMBkuezQniPgwjiC9jq
apKYFfRaJ+yHEmH6wl1TygowdUsZHFKR9UsJ+tc9B55m1AzA5R/QPBI+kIkTZDKv
Lk02msrIGKaheZcfON4PKhLJz8MMT944qA9E24PRiOlwSuOEnCKwkW9RV0hv1hBA
RKZTJEFvjInT+nSUV7ZjlM3hrrx14xGaMM8tsK6RCf6ULO30XCkjEnnGkn/pHhzM
b51LwSWFNVtJa/W5e343G8p/06GTNYWOFofaAxPOOyxi03s7GQLTr9/W+e/Klo0s
sc/f5CRmSUU9KYwUt6V1FB4Pr6u2yPXMrcfzKI8l1i0z3iNEwT0+JW+4BG7N/w2Q
yqX6jevzGpAMDwzHLXDC3gV/Z0hWBQUEu6noUEO2gNamt87GFMjwdSGOnOmouoM2
PE2l/7AXjAUI5hWIkeNg3+MaC15crjCGLMwhL2b+H7onJnNnLfOh5l1GMme8qd3r
aIjG08bZacT7UOtKwZpxTumoqEETtjXA2OBzcX7n+qH6utMpnUI=
=lK6a
-----END PGP SIGNATURE-----

--LQksG6bCIzRHxTLp--