Update CHANGES and NEWS for new release

author Matt Caswell <matt@openssl.org>

Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)

committer Matt Caswell <matt@openssl.org>

Tue, 20 Nov 2018 11:57:17 +0000 (11:57 +0000)
author Matt Caswell <matt@openssl.org>
Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)
committer Matt Caswell <matt@openssl.org>
Tue, 20 Nov 2018 11:57:17 +0000 (11:57 +0000)
diff --git a/CHANGES b/CHANGES

index fde66b5ba4fc9f31bef7bb3ff2ecce04c94980ce..11d72327c5ef210339f09592310d8f797420c0c4 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -22,6 +22,16 @@
       (CVE-2018-5407)
       [Billy Brumley]
  
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
    *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
       Module, accidentally introduced while backporting security fixes from the
       development branch and hindering the use of ECC in FIPS mode.
diff --git a/NEWS b/NEWS

index 2c5f5f8330e1c31dfa3b312ee0567d91e04e3a5b..38fe668ffa7ef261e3a8a631f0cb1d58f0441b60 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@
  
    Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [under development]
  
-      o
+      o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
  
    Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
author	Matt Caswell <matt@openssl.org>
	Tue, 20 Nov 2018 10:52:53 +0000 (10:52 +0000)
committer	Matt Caswell <matt@openssl.org>
	Tue, 20 Nov 2018 11:57:17 +0000 (11:57 +0000)