OpenSSL dsa_sign_setup Vulnerability (CVE-2016-2178)
Release date:
Updated on:
Affected Systems:
OpenSSL Project OpenSSL <= 1.0.2h
Description:
CVE (CAN) ID: CVE-2016-2178
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
In OpenSSL <= 1.0.2h, the dsa_sign_setup function in crypto/dsa/dsa_ossl.c does not correctly use constant-time operations. Local users can obtain the DSA key through timing side-channel attacks.
<* Source: Andrej Nemec
*>
Suggestion:
Vendor patch:
OpenSSL Project
---------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://bugzilla.redhat.com/show_bug.cgi?id=1343400
https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
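A version check for the affected range stated above, as an added example (not part of the original advisory and not OpenSSL's own code): it parses an `openssl version` banner, orders OpenSSL's letter-suffixed release numbers, and reports whether the version falls at or below 1.0.2h. The function names and sample banners are constructed for illustration.

```python
import re
import shutil
import subprocess

# Highest release in the range the advisory lists as affected ("<= 1.0.2h").
LAST_AFFECTED = "1.0.2h"

# Pre-3.0 OpenSSL releases are numbered major.minor.fix plus an optional patch
# letter suffix: 1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_key(text):
    """Return a sortable key for a version or `openssl version` banner, else None."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None  # not an OpenSSL banner (for example a LibreSSL build)
    major, minor, fix, letters = m.groups()
    # Length first so that "za" sorts after "z"; "" sorts before "a".
    return (int(major), int(minor), int(fix), len(letters), letters)


def in_advisory_range(text):
    """True/False for a parsed version, None when the banner is not recognised."""
    key = version_key(text)
    if key is None:
        return None
    return key <= version_key(LAST_AFFECTED)


# Constructed sample banners, in the format `openssl version` prints.
SAMPLES = [
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 1.0.2i  22 Sep 2016",
    "OpenSSL 1.0.1t  3 May 2016",
    "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "LibreSSL 2.8.3",
]

if __name__ == "__main__":
    banners = list(SAMPLES)
    if shutil.which("openssl"):  # also check the local binary when present
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
        banners.append(out.stdout.strip())
    for banner in banners:
        print(f"{banner!r}: in advisory range = {in_advisory_range(banner)}")
```

The version string alone is not conclusive: distribution packages can carry the fix as a backported patch without changing the upstream version number, so confirm against the vendor's package changelog.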