CVE-2011-1945

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 1.0.0j OpenSSL versions prior to 0.9.8y

Description The issue affects the OpenSSL package in Gentoo Linux, potentially leading to breaches of confidentiality, integrity, and availability of protected information. Exploitation can be done remotely. Specifically, the elliptic curve cryptography (ECC) subsystem in OpenSSL does not properly implement curves over binary fields when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE ECDSA cipher suite. This makes it easier for attackers to determine private keys via a timing attack and a lattice calculation.

Recommendations For versions prior to 1.0.0j, update to version 1.0.0j or later. For versions prior to 0.9.8y, update to version 0.9.8y or later. As a temporary workaround, consider restricting the use of the ECDHE ECDSA cipher suite until a patch is available.