[Bug 1915906] Re: Ensure SRP BN_mod_exp follows the constant time path
Adrien Nader
1915906 at bugs.launchpad.net
Fri May 12 19:36:45 UTC 2023
Hi. Openssl is a delicate component, used by many other packages. As a
consequence, it is only patched if there is a strong need. Looking at
the pull request you've linked to, this falls outside of the openssl
threat model since it is local only. I'm not sure Ubuntu has a stricter
threat model for openssl. I'm going to ask around but even if Ubuntu
does, it is probably an exploit that is difficult to pull off on a
component that is risky to touch. Overall I don't think it is likely
that focal receives a corresponding update.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1915906
Title:
Ensure SRP BN_mod_exp follows the constant time path
Status in openssl package in Ubuntu:
Confirmed
Bug description:
Hello,
I'd like to point out that there are two fixes missing from the
upstream, is there any chance to get them incorporated?
https://github.com/openssl/openssl/pull/13888
https://github.com/openssl/openssl/pull/13889
There was no CVE assigned, it was fixed between 1.1.1i and 1.1.1j.
Best regards
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1915906/+subscriptions
More information about the foundations-bugs
mailing list