deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) #24353
Conversation
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that.

Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1

Original commit message:

Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl/openssl#7549)
(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that.

Ref: openssl/openssl#7549
Ref: nodejs#24353
Upstream: openssl/openssl@26d7fce1

Original commit message:

Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl/openssl#7549)
(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
@rvagg adding the backport-requested labels will prevent these from being pulled into a release automatically. If they can not be backported, the releasing person will add the label to indicate that a manual backport is required.

@nodejs/crypto @nodejs/security Would be great to get some reviews for this one-liner.

Landed in 323a365.
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a constant-time calculation for one of the variables. This introduces a fix for that.

Upstream: openssl/openssl@26d7fce1

Original commit message:

Add a constant time flag to one of the bignums to avoid a timing leak.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl/openssl#7549)
(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

PR-URL: #24353
Refs: openssl/openssl#7549
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong.

yes correct @targos, those labels are appropriate thanks
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.
Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1
This is for 1.1.0, so can go in to 11 and 10. I'll do a separate one for 1.0.2.
@nodejs/crypto