Add CHANGES.md and NEWS.md updates for CVE-2024-13176

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)

(cherry picked from commit c3144e1025)
Tomas Mraz 2025-01-15 18:29:52 +01:00
parent 392dcb3364
commit fcebf0a79a
2 changed files with 18 additions and 0 deletions

@ -28,6 +28,19 @@ OpenSSL 3.3
### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
* Fixed timing side-channel in ECDSA signature computation.
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.
([CVE-2024-13176])
*Tomáš Mráz*
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
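Review bot: In the new ECDSA entry, "only for some of the supported elliptic curves" is followed by a single named curve, NIST P-521, so a reader using any other curve cannot tell from this text whether they are affected. Either list the affected curves or say that P-521 is the notable case and that the linked advisory has the full detail. The entry also describes the leak (about 300 nanoseconds when the top word of the inverted nonce is zero) but not what the fix changed. A short clause on that would help anyone auditing a backport.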
@ -20703,6 +20716,7 @@ ndif
<!-- Links -->
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535

@ -28,6 +28,9 @@ release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed timing side-channel in ECDSA signature computation.
([CVE-2024-13176])
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])
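Review bot: The context line above this list ends with "release is Low.", and the hunk adds a new CVE under it without touching that sentence. Please confirm that the stated severity still holds with CVE-2024-13176 included. The NEWS entry itself is only the one-line title, which is fine for NEWS as long as the `[CVE-2024-13176]` link reference resolves to the advisory carrying the local-attacker and low-latency conditions spelled out in CHANGES.md.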
@ -1753,6 +1756,7 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-13176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535