From 4749aba5a24a646cc1e84b1e4d21e6f52399da33 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 6 Dec 2017 13:54:37 +0000 Subject: [PATCH] Update CHANGES and NEWS for the new release Reviewed-by: Rich Salz --- CHANGES | 21 ++++++++++++++++++++- NEWS | 2 +- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index a8cea3adaa..3d4e83551c 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,26 @@ Changes between 1.1.0g and 1.1.0h [xx XXX xxxx] - *) + *) rsaz_1024_mul_avx2 overflow bug on x86_64 + + There is an overflow bug in the AVX2 Montgomery multiplication procedure + used in exponentiation with 1024-bit moduli. No EC algorithms are affected. + Analysis suggests that attacks against RSA and DSA as a result of this + defect would be very difficult to perform and are not believed likely. + Attacks against DH1024 are considered just feasible, because most of the + work necessary to deduce information about a private key may be performed + offline. The amount of resources required for such an attack would be + significant. However, for an attack on TLS to be meaningful, the server + would have to share the DH1024 private key among multiple clients, which is + no longer an option since CVE-2016-0701. + + This only affects processors that support the AVX2 but not ADX extensions + like Intel Haswell (4th generation). + + This issue was reported to OpenSSL by David Benjamin (Google). The issue + was originally found via the OSS-Fuzz project. + (CVE-2017-3738) + [Andy Polyakov] Changes between 1.1.0f and 1.1.0g [2 Nov 2017] diff --git a/NEWS b/NEWS index 3a58d254f2..8b5b971ce4 100644 --- a/NEWS +++ b/NEWS @@ -7,7 +7,7 @@ Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development] - o + o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017] -- 2.25.1
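Review bot: in the CHANGES hunk, the entry explains the impact and the affected processors (AVX2 without ADX) but never says what the fix itself does, so a reader cannot tell whether the AVX2 Montgomery path was corrected or disabled, and hence whether 1024-bit exponentiation performance changes on those CPUs; suggest adding one sentence stating the nature of the fix, e.g. "The bug has been fixed by correcting the overflow handling in rsaz_1024_mul_avx2" (or the disabling of the path, whichever applies). Minor style point in the same hunk: "support the AVX2 but not ADX extensions" reads awkwardly; "support AVX2 but not the ADX extensions" matches the rest of the entry.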
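Review bot: in the NEWS hunk, the added line "rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)" gives a function name and a CVE but no user-facing consequence, whereas NEWS is what most deployers read; suggest carrying over the one-line impact from CHANGES, e.g. "Overflow bug in AVX2 Montgomery multiplication (rsaz_1024_mul_avx2) affecting RSA, DSA and DH with 1024-bit moduli on AVX2-without-ADX x86_64 CPUs (CVE-2017-3738)", so readers can decide without opening CHANGES whether their hardware and key sizes are in scope.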