CVE-2014-0076

Published: 25 March 2014

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

Priority

Medium

Status

Package / Release / Status

openssl (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Released (1.0.1f-1ubuntu2)
  Ubuntu 12.04 ESM (Precise Pangolin): Released (1.0.1-4ubuntu5.12)
  Patches:
    Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4b7a4ba29cafa432fc4266fe6e59e60bc1c96332 (1.0.1)
    Upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=40acdb192e035f463d3c39c23fd8a68cf54df378 (1.0.1)

openssl098 (Launchpad, Ubuntu, Debian)
  Upstream: Needs triage
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (code not present)
  Ubuntu 12.04 ESM (Precise Pangolin): Not vulnerable (code not present)