deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on)

The fix for CVE-2018-0734, floated in 213c7d2d, failed to include a constant-time calculation for one of the variables. This introduces a fix for that.

Ref: https://github.com/openssl/openssl/pull/7549
Upstream: https://github.com/openssl/openssl/commit/26d7fce1

Original commit message:
    Add a constant time flag to one of the bignums to avoid a timing leak.

    Reviewed-by: Tim Hudson <tjh@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/7549)

    (cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)

This is for 1.1.0, so can go into 11 and 10. I'll do a separate one for 1.0.2.

@nodejs/crypto
