deps: float 99540ec from openssl (CVE-2018-0735)#23950
Closed
rvagg wants to merge 1 commit intonodejs:masterfrom
Closed
deps: float 99540ec from openssl (CVE-2018-0735)#23950rvagg wants to merge 1 commit intonodejs:masterfrom
rvagg wants to merge 1 commit intonodejs:masterfrom
Conversation
nodejs-github-bot
added
the
openssl
Member
Author
|
ooops, and cc @nodejs/security |
|
Please give the reviewers some time to review backports. The 1.0.2 backport wasn't trivial...... |
Member
|
I can include it in 11.1.0 tomorrow if it is fast-tracked |
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486)
rvagg
force-pushed
the
rvagg/openssl-CVE-2018-0735
branch
from
e5d7aac to
4addbc7
Compare
Member
Author
|
Squashed a trivial syntax fix (openssl/openssl#7516) into my commit here, noted in the commit msg Testing @ https://ci.nodejs.org/job/node-test-pull-request/18201/ |
cjihrig
approved these changes
Oct 29, 2018
ryzokuken
approved these changes
Oct 29, 2018
bnoordhuis
approved these changes
Oct 29, 2018
tniessen
approved these changes
Oct 29, 2018
Member
Author
|
@targos let's not bother with the fast-track on this one, it's very low severity. Will land in a couple of days. |
jasnell
approved these changes
Oct 30, 2018
Member
Author
|
two more related commits @ #23965 |
Member
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 4, 2018
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: nodejs#23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Member
|
Landed in d8fb81f |
BridgeAR
pushed a commit
that referenced
this pull request
Nov 14, 2018
Low severity timing vulnerability in ECDSA signature generation Publicly disclosed but unreleased, pending OpenSSL 1.1.0j Also includes trivial syntax fix from openssl/openssl#7516 Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: openssl/openssl#7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: openssl/openssl@99540ec Original commit message: Timing vulnerability in ECDSA signature generation (CVE-2018-0735) Preallocate an extra limb for some of the big numbers to avoid a reallocation that can potentially provide a side channel. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from openssl/openssl#7486) PR-URL: #23950 Refs: https://www.openssl.org/news/secadv/20181029.txt Refs: openssl/openssl#7486 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
Member
|
@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong. |
This was referenced Apr 23, 2019
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Low severity timing vulnerability in ECDSA signature generation. Publicly disclosed but unreleased, pending OpenSSL 1.1.0j.
This is for master, 10.x and 11.x, should cherry-pick without problem.
There is a version of this for 1.0.2 @ openssl/openssl#7513 but as yet it's unreviewed so we shouldn't jump the gun.
I don't think we need to rush a release out for this, but it should certainly go out with whatever the next releases are for 10 and 11, security or standard.
/cc @nodejs/crypto @nodejs/release
Ref: https://www.openssl.org/news/secadv/20181029.txt
Ref: openssl/openssl#7486
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@99540ec
Original commit message: