[ GLSA 201612-16 ] OpenSSL

[GLSA]

Gentoo Linux Security Advisory

Title: OpenSSL: Multiple vulnerabilities (GLSA 201612-16)
Severity: normal
Exploitable: local, remote
Date: December 07, 2016
Bug(s): #581234, #585142, #585276, #591454, #592068, #592074, #592082, #594500, #595186
ID: 201612-16

Synopsis

Multiple vulnerabilities have been found in OpenSSL, the worst of
which allows attackers to conduct a time based side-channel attack.


Background

OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general
purpose cryptography library.


Affected Packages

Package: dev-libs/openssl
Vulnerable: < 1.0.2j
Unaffected: >= 1.0.2j
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in OpenSSL. Please review
the CVE identifiers and the International Association for Cryptologic
Research’s (IACR) paper, “Make Sure DSA Signing Exponentiations
Really are Constant-Time” for further details.


Impact

Remote attackers could cause a Denial of Service condition or have other
unspecified impacts. Additionally, a time based side-channel attack may
allow a local attacker to recover a private DSA key.


Workaround

There is no known workaround at this time.

Resolution

All OpenSSL users should upgrade to the latest version: