Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2011-1945

Published: 31 May 2011

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

Notes

AuthorNote
jdstrand
from upstream: "The OpenSSL team have reviewed the paper, and
although the result is significant, we believe that the affected code (ECDSA
used with binary curves) is very rarely used at present. We therefore do not
plan on issuing a security release but expect to patch this in the future."

Priority

Low

Status

Package Release Status
openssl
Launchpad, Ubuntu, Debian
upstream Needed

hardy
Released (0.9.8g-4ubuntu3.15)
lucid
Released (0.9.8k-7ubuntu8.8)
maverick
Released (0.9.8o-1ubuntu4.6)
natty
Released (0.9.8o-5ubuntu1.2)
oneiric
Released (1.0.0e-2ubuntu1)
Patches:
upstream: http://marc.info/?l=openssl-cvs&m=130633562421834&w=2
upstream: http://marc.info/?l=openssl-cvs&m=131488703100302&w=2