| author | Matt Caswell <matt@openssl.org> | 2017-12-06 14:09:11 +0000 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2017-12-06 15:44:39 +0000 |
| commit | f47270e10b7ec18e5719bb2260a7d6460af387ac (patch) | |
| tree | 94d2c4b2a8146d5611bb2a83fa45631de6123810 /CHANGES | |
| parent | 97652f0b3a557876462ef30373ac5eeeaa88b295 (diff) | |
Update CHANGES and NEWS for new release
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 22 |
1 files changed, 22 insertions, 0 deletions
@@ -190,6 +190,28 @@ issues, has been replaced to always returns NULL. [Rich Salz] + Changes between 1.1.0g and 1.1.0h [xx XXX xxxx] + + *) rsaz_1024_mul_avx2 overflow bug on x86_64 + + There is an overflow bug in the AVX2 Montgomery multiplication procedure + used in exponentiation with 1024-bit moduli. No EC algorithms are affected. + Analysis suggests that attacks against RSA and DSA as a result of this + defect would be very difficult to perform and are not believed likely. + Attacks against DH1024 are considered just feasible, because most of the + work necessary to deduce information about a private key may be performed + offline. The amount of resources required for such an attack would be + significant. However, for an attack on TLS to be meaningful, the server + would have to share the DH1024 private key among multiple clients, which is + no longer an option since CVE-2016-0701. + + This only affects processors that support the AVX2 but not ADX extensions + like Intel Haswell (4th generation). + + This issue was reported to OpenSSL by David Benjamin (Google). The issue + was originally found via the OSS-Fuzz project. + (CVE-2017-3738) + [Andy Polyakov] Changes between 1.1.0f and 1.1.0g [2 Nov 2017] |
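Review bot: the new "Changes between 1.1.0g and 1.1.0h [xx XXX xxxx]" header still carries the placeholder date and must be filled in before the release is tagged, and the entry describes the impact of CVE-2017-3738 without saying what the fix does (whether the AVX2 Montgomery multiplication routine was corrected or disabled on the affected CPUs), so a one-line statement of the fix would help readers decide whether they need to upgrade or can simply avoid the code path. A minor wording point: "support the AVX2 but not ADX extensions like Intel Haswell (4th generation)" reads more clearly as "support the AVX2 but not the ADX extensions, such as Intel Haswell (4th generation) CPUs".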