OpenSSL Releases 14th August 2018
@nodejs/release
https://mta.openssl.org/pipermail/openssl-announce/2018-August/000129.html
Forthcoming OpenSSL releases
============================
The OpenSSL project team would like to announce the forthcoming release
of OpenSSL versions 1.1.0i and 1.0.2p.
These releases will be made available on 14th August 2018 between
approximately 1200-1600 UTC.
These are bug-fix releases. They also contain the fixes for two LOW
severity security issues (CVE-2018-0732 and CVE-2018-0737) which were
previously announced here:
https://www.openssl.org/news/secadv/20180612.txt
https://www.openssl.org/news/secadv/20180416.txt
Yours
The OpenSSL Project Team
So we have CVE-2018-0732 already in 10.x/master, we floated it @ 772d3907. We also floated 831821bc, the ECDSA blinding attack that didn't get a CVE AFAIK. It's also not listed in this advisory, perhaps they're considering it below their threshold even for "Low".
I wasn't aware of CVE-2018-0737, that's:
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
================================================================
Severity: Low
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
private key.
I think 2018 is going to be defined by various creative and difficult side-channel attacks. We're going to want to get this one out but I wouldn't call it "critical", just something we might expect pressure on if we don't get it out within a few days. We should probably release patched versions of LTS and then bundle this into the next regular 10.x release.