CVE-2014-0076

Published: 25 March 2014

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

Priority

Status

Package	Release	Status
openssl Launchpad, Ubuntu, Debian	lucid	Not vulnerable (code not present)
	precise	Released (1.0.1-4ubuntu5.12)
	quantal	Released (1.0.1c-3ubuntu2.7)
	saucy	Released (1.0.1e-3ubuntu1.2)
	upstream	Needs triage
	Patches: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4b7a4ba29cafa432fc4266fe6e59e60bc1c96332 (1.0.1) upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=40acdb192e035f463d3c39c23fd8a68cf54df378 (1.0.1)
openssl098 Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Not vulnerable (code not present)
	quantal	Not vulnerable (code not present)
	saucy	Not vulnerable (code not present)
	upstream	Needs triage

References

Bugs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742923

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security