path: root/doc/security.rst
author Jack Lloyd <[email protected]> 2016-10-26 09:39:08 -0400
committer Jack Lloyd <[email protected]> 2016-10-26 09:39:08 -0400
commit 560c0e5623cd9ef704b06c56b7e827e7431ae1a8 (patch)
tree 77b7838b0be4a818e478a719dbfd87a09f2a6fe6 /doc/security.rst
parent 3fb31cef450cef82015170f8e825a2d656163ea6 (diff)
Final changes for 1.11.33 release (tag: 1.11.33)
Diffstat (limited to 'doc/security.rst')
-rw-r--r-- doc/security.rst 14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/security.rst b/doc/security.rst
index 4034a5878..1c0aea69f 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -19,6 +19,20 @@ Advisories
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* 2016-10-8871 (CVE-2016-8871) OAEP side channel
+
+ A side channel in OAEP decoding could be used to distinguish RSA ciphertexts
+ that did or did not have a leading 0 byte. For an attacker capable of
+ precisely measuring the time taken for OAEP decoding, this could be used as an
+ oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation
+ seems difficult as OAEP decoding is always paired with RSA decryption, which
+ takes substantially more (and variable) time, and so will tend to mask the
+ timing channel. This attack does seems well within reach of a local attacker
+ capable of a cache or branch predictor based side channel attack. Finding,
+ analysis, and patch by Juraj Somorovsky.
+
+ Introduced in 1.11.29, fixed in 1.11.33
+
* 2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
On systems without a native 128-bit integer type, the Curve25519 code invoked
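Review bot: the new entry's leading identifier "2016-10-8871 (CVE-2016-8871)" does not follow the YYYY-MM-DD form used by the neighbouring entry "2016-08-30 (CVE-2016-6878)"; the day field looks like the CVE's serial number pasted in place of a date, so this should be the disclosure date in the same form as the other advisories. Two wording points in the same paragraph: "This attack does seems well within reach" should read "does seem", and "distinguish RSA ciphertexts that did or did not have a leading 0 byte" is loose, since OAEP decoding runs on the RSA decryption output and the leaked bit is whether that decrypted encoded message starts with a 0 byte (the text itself notes the pairing with RSA decryption two sentences later); "whether the RSA-decrypted message had a leading 0 byte" would be more precise. The rest of the entry (remote exploitation hard because RSA decryption timing masks the channel, local cache/branch-predictor attacks in reach, introduced in 1.11.29, fixed in 1.11.33) reads clearly and matches the style of the 2016-08-30 entry.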