corretto/corretto-8-docker

ALAS2-2019-1153 security vulnerability

piyshl-s opened this issue · 3 comments

Hi Team,
We need the ALAS2-2019-1153 security vulnerability to be fixed, because the OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use variations in the signing algorithm to recover the private key. (CVE-2018-0734)

@piyshl-s thanks for reporting this issue. We will investigate and get back to you soon.

Hi, I'm on the team that maintains the Amazon Linux base image. We haven't updated the base image to include this fix yet, but I'll do that soon. Thanks for the report.

Closing issue in favor of @ilianaw's PR. Thanks again @piyshl-s.