FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenSSL -- vulnerability in DSA signing

Affected packages
openssl < 1.0.2_13
libressl < 2.2.9
2.3.0 <= libressl < 2.3.6
libressl-devel < 2.4.1

Details

VuXML ID 6f0529e2-2e82-11e6-b2ec-b499baebfeaf
Discovery 2016-06-09
Entry 2016-06-09
Modified 2016-12-20

The OpenSSL team reports:

Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

References

CVE Name CVE-2016-2178
URL https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2