Update CHANGES and NEWS for new release

Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7664)

Update CHANGES and NEWS for new release
Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7664)
d90d8537 · Matt Caswell · cc330c70 · d90d8537 · d90d8537
隐藏空白更改
内联并排

Showing with 22 addition and 1 deletion

CHANGES CHANGES +20 -0

NEWS NEWS +2 -1

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,26 @@

 Changes between 1.1.1 and 1.1.1a [xx XXX xxxx]

+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+     (CVE-2018-0735)
+     [Paul Dale]
+
  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.

--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,8 @@

  Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [under development]

-      o
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+      o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)

  Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]