
Conversation

@rvagg (Member)

Building on from #23950, we have two more issues surrounding DSA.

One has a CVE, CVE-2018-0734 @ https://www.openssl.org/news/secadv/20181030.txt

Severity: Low

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.

Due to the low severity of this issue we are not issuing a new release
of OpenSSL 1.1.1, 1.1.0 or 1.0.2 at this time. The fix will be included
in OpenSSL 1.1.1a, OpenSSL 1.1.0j and OpenSSL 1.0.2q when they become
available.

The other runs into OpenSSL's severity-level policy for CVE assignment and doesn't quite make it, so we don't have a CVE for it. openssl/openssl#7487

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

If this is accepted I'll put in a PR for 6 & 8 since they have different patches (for 1.0.2).

FWIW I don't believe any of these rise to much of a meaningful level of severity. We're seeing an expected wave of timing attack vulnerabilities being discovered because this is the hottest area for research right now (for good reason, it's fascinating!). But a lot of them are more academic in nature in that they require very specific circumstances to be able to build a successful attack. And in these cases I don't believe exploits have been published anywhere.

Still worth floating on our releases I reckon though. Erring on the side of security is what the vast majority of our users want to see us do.

/cc @nodejs/crypto @nodejs/security

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.

Ref: openssl/openssl#7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@415c3356

Original commit message:

    DSA mod inverse fix

    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm. This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.

    Thanks to Samuel Weiser for finding and reporting this.

    Reviewed-by: Matthias St. Pierre <[email protected]>
    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7487)

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j

Ref: openssl/openssl#7486
Ref: https://www.openssl.org/news/secadv/20181030.txt
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@a9cfb8c2

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized. Increasing the size of the BNs prior to
    doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7486)
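The mod-inverse swap that the first upstream commit describes, as an added example (this is not code from this PR, from Node.js or from OpenSSL): a toy DSA group with p = 2q + 1 (the constants P, Q and G are constructed, far smaller than real DSA parameters), an extended-Euclid inverse that counts its division steps, the fixed-shape k^(q-2) mod q inverse justified by Fermat's little theorem, and a minimal sign/verify so both inverses can be run on the same nonce. The leakage model is simplified to loop iteration counts; OpenSSL's real constant-time exponentiation does more than this, and the second fix (pre-sizing BNs before use) is not modelled here. All function names are the example's own.

```python
"""Division-based vs Fermat modular inverse in DSA signing (added example).

The extended-Euclid inverse runs a number of division steps that depends on
the secret nonce k; k^(q-2) mod q runs a loop whose length depends only on
the public prime q.  Toy parameters, not real DSA group sizes.
"""
import hashlib
import secrets

# Toy DSA group (constructed): p = 2q + 1 with q prime, so q divides p - 1.
P, Q = 1019, 509
G = pow(2, (P - 1) // Q, P)   # generator of the order-q subgroup (G = 4)


def egcd_inverse(k, q):
    """Extended Euclid. Returns (k^-1 mod q, number of division steps).

    The step count and the size of every quotient depend on the secret k;
    this is the data-dependent division the upstream fix removes."""
    r0, r1, s0, s1, steps = q, k % q, 0, 1, 0
    while r1:
        quot = r0 // r1
        r0, r1 = r1, r0 - quot * r1
        s0, s1 = s1, s0 - quot * s1
        steps += 1
    if r0 != 1:
        raise ValueError("k is not invertible mod q")
    return s0 % q, steps


def fermat_inverse(k, q):
    """Fermat: k^(q-2) == k^-1 (mod q) because q is prime.

    Left-to-right square-and-multiply. The loop runs exactly
    (q-2).bit_length() times and branches only on bits of the public
    exponent, never on k."""
    e = q - 2
    result, base, steps = 1, k % q, 0
    for i in reversed(range(e.bit_length())):
        result = result * result % q
        if (e >> i) & 1:            # exponent bit is public information
            result = result * base % q
        steps += 1
    return result, steps


def _hash_mod_q(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def dsa_sign(x, msg, k, inverse):
    """DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q.

    `inverse` is either egcd_inverse or fermat_inverse; the signature value
    is identical, only the computation's timing shape differs."""
    r = pow(G, k, P) % Q
    k_inv, _ = inverse(k, Q)
    s = k_inv * (_hash_mod_q(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick a new k")
    return r, s


def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w, _ = fermat_inverse(s, Q)     # no secret on the verifier side
    u1, u2 = _hash_mod_q(msg) * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def step_count_spread(inverse, trials=200):
    """(min, max) loop iterations over random nonces in [1, q-1]."""
    counts = [inverse(secrets.randbelow(Q - 1) + 1, Q)[1] for _ in range(trials)]
    return min(counts), max(counts)


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1          # private key
    y = pow(G, x, P)                          # public key
    msg = b"constructed sample message"
    k = secrets.randbelow(Q - 1) + 1
    sig_euclid = dsa_sign(x, msg, k, egcd_inverse)
    sig_fermat = dsa_sign(x, msg, k, fermat_inverse)
    print("signatures agree:", sig_euclid == sig_fermat)
    print("verifies:", dsa_verify(y, msg, sig_fermat))
    print("euclid steps (min, max):", step_count_spread(egcd_inverse))
    print("fermat steps (min, max):", step_count_spread(fermat_inverse))
```

Running it shows the two inverses produce the same signature, that the Euclid step count varies with the nonce while the Fermat loop always runs (q-2).bit_length() iterations. Because s = k^-1(H(m) + x r) mod q, anything learned about k from the inverse's timing turns into information about the private key x, which is why even a low-severity leak here is worth fixing.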
nodejs-github-bot (Collaborator) added the openssl label (Issues and PRs related to the OpenSSL dependency) Oct 30, 2018
@Trott (Member) commented Nov 4, 2018
Landed in c1e6703...213c7d2

Trott closed this Nov 4, 2018
Trott pushed a commit to Trott/io.js that referenced this pull request Nov 4, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.

Ref: openssl/openssl#7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@415c3356

Original commit message:

    DSA mod inverse fix

    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm. This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.

    Thanks to Samuel Weiser for finding and reporting this.

    Reviewed-by: Matthias St. Pierre <[email protected]>
    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7487)

PR-URL: nodejs#23965
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Trott pushed a commit to Trott/io.js that referenced this pull request Nov 4, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j

Ref: openssl/openssl#7486
Ref: https://www.openssl.org/news/secadv/20181030.txt
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@a9cfb8c2

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized. Increasing the size of the BNs prior to
    doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7486)

PR-URL: nodejs#23965
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: James M Snell <[email protected]>
rvagg deleted the rvagg/openssl-CVE-2018-0734 branch November 6, 2018 09:10
rvagg mentioned this pull request Nov 14, 2018
rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.0.2q

Ref: openssl/openssl#7486
Ref: openssl/openssl#7513
Ref: https://www.openssl.org/news/secadv/20181030.txt
Ref: nodejs#23965
Upstream: openssl/openssl@a9cfb8c2
Upstream: openssl/openssl@43e6a58d

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized. Increasing the size of the BNs prior to
    doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7486)

Original backport commit message:

    Merge DSA reallocation timing fix CVE-2018-0734.

    Reviewed-by: Richard Levitte <[email protected]>
    (Merged from openssl/openssl#7513)

rvagg added a commit to rvagg/io.js that referenced this pull request Nov 14, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.0.2q, not deemed
severe enough to be assigned a CVE #.

Ref: openssl/openssl#7487
Ref: openssl/openssl#7512
Ref: nodejs#23965
Upstream: openssl/openssl@415c3356
Upstream: openssl/openssl@ebf65dbe

Original commit message:

    DSA mod inverse fix

    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm. This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.

    Thanks to Samuel Weiser for finding and reporting this.

    Reviewed-by: Matthias St. Pierre <[email protected]>
    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7487)

Original backport commit message:

    Reviewed-by: Richard Levitte <[email protected]>
    (Merged from openssl/openssl#7512)
BridgeAR pushed a commit that referenced this pull request Nov 14, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.

Ref: openssl/openssl#7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@415c3356

Original commit message:

    DSA mod inverse fix

    There is a side channel attack against the division used to calculate one of
    the modulo inverses in the DSA algorithm. This change takes advantage of the
    primality of the modulo and Fermat's little theorem to calculate the inverse
    without leaking information.

    Thanks to Samuel Weiser for finding and reporting this.

    Reviewed-by: Matthias St. Pierre <[email protected]>
    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7487)

PR-URL: #23965
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: James M Snell <[email protected]>

BridgeAR pushed a commit that referenced this pull request Nov 14, 2018

Low severity timing vulnerability in the DSA signature algorithm

Publicly disclosed but unreleased, pending OpenSSL 1.1.0j

Ref: openssl/openssl#7486
Ref: https://www.openssl.org/news/secadv/20181030.txt
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: openssl/openssl@a9cfb8c2

Original commit message:

    Avoid a timing attack that leaks information via a side channel that
    triggers when a BN is resized. Increasing the size of the BNs prior to
    doing anything with them suppresses the attack.

    Thanks due to Samuel Weiser for finding and locating this.

    Reviewed-by: Bernd Edlinger <[email protected]>
    (Merged from openssl/openssl#7486)

PR-URL: #23965
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: James M Snell <[email protected]>
rvagg mentioned this pull request Nov 14, 2018

@targos (Member)

@rvagg IIUC this will be part of the next OpenSSL release, so I'm adding the dont-land-on label. Please correct me if I'm wrong.

Labels: openssl (Issues and PRs related to the OpenSSL dependency)

9 participants: @rvagg, @nodejs-github-bot, @Trott, @targos, @fhinkel, @jasnell, @tniessen, @ryzokuken, @BridgeAR