-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: float 99540ec from openssl (CVE-2018-0735) #23950
Conversation
ooops, and cc @nodejs/security |
Please give the reviewers some time to review backports. The 1.0.2 backport wasn't trivial...... |
I can include it in 11.1.0 tomorrow if it is fast-tracked |
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
e5d7aac
to
4addbc7
Compare
Squashed a trivial syntax fix (openssl/openssl#7516) into my commit here, noted in the commit msg Testing @ https://ci.nodejs.org/job/node-test-pull-request/18201/ |
@targos let's not bother with the fast-track on this one, it's very low severity. Will land in a couple of days. |
two more related commits @ #23965 |
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Landed in d8fb81f |
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong. |
Low severity timing vulnerability in ECDSA signature generation. Publicly disclosed but unreleased, pending OpenSSL 1.1.0j.
This is for master, 10.x and 11.x, should cherry-pick without problem.
There is a version of this for 1.0.2 @ openssl/openssl#7513 but as yet it's unreviewed so we shouldn't jump the gun.
I don't think we need to rush a release out for this, but it should certainly go out with whatever the next releases are for 10 and 11, security or standard.
/cc @nodejs/crypto @nodejs/release
Ref: https://www.openssl.org/news/secadv/20181029.txt
Ref: openssl/openssl#7486
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@99540ec
Original commit message: