MGASA-2018-0365 — Vulnetix

MGASA-2018-0365 PUBLISHED CVSS 8.699999809265137 HIGH

Updated openssl packages fix security vulnerabilities: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack (CVE-2018-0732). The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key (CVE-2018-0737).

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Mageia:6	openssl	0, 0

Timeline

Sep 2, 2018 CVE Published
Apr 16, 2026 CVE Updated

References

https://advisories.mageia.org/MGASA-2018-0365.html advisory
https://bugs.mageia.org/show_bug.cgi?id=22934 report
https://www.openssl.org/news/secadv/20180416.txt url
https://openwall.com/lists/oss-security/2018/04/16/3 url
https://usn.ubuntu.com/3692-1/ advisory
https://usn.ubuntu.com/3628-1/ advisory

Open in Interactive Console →