deps: float 99540ec from openssl (CVE-2018-0735) (!23950) · Merge requests · Rodrigo Test / Test Group-nodejs / node

Rodrigo Muino Tomonari requested to merge github/fork/rvagg/rvagg/openssl-CVE-2018-0735 into master Oct 29, 2018

Low severity timing vulnerability in ECDSA signature generation. Publicly disclosed but unreleased, pending OpenSSL 1.1.0j.

This is for master, 10.x and 11.x, should cherry-pick without problem.

There is a version of this for 1.0.2 @ https://github.com/openssl/openssl/pull/7513 but as yet it's unreviewed so we shouldn't jump the gun.

I don't think we need to rush a release out for this, but it should certainly go out with whatever the next releases are for 10 and 11, security or standard.

/cc @nodejs/crypto @nodejs/release

Ref: https://www.openssl.org/news/secadv/20181029.txt Ref: https://github.com/openssl/openssl/pull/7486 PR-URL: https://github.com/nodejs/node/pull/??? Upstream: https://github.com/openssl/openssl/commit/99540ec

Original commit message:

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7486)

Admin message

Admin message

deps: float 99540ec from openssl (CVE-2018-0735)

Merge request reports