Update Marvin fix Changelog entry

Upon further consideration we think that a remote attacker close to the
victim might be able to have precise enough timing information to
exploit the side channel as well. Update the Changelog to reflect this.

Signed-off-by: Janos Follath <janos.follath@arm.com>
This commit is contained in:
Janos Follath 2024-01-11 14:24:02 +00:00 committed by Dave Rodgman
parent 393df9c995
commit 0d57f1034e

View file

@ -1,6 +1,8 @@
Security
* Fix a timing side channel in RSA private operations. This side channel
could be sufficient for a local attacker to recover the plaintext. It
requires the attacker to send a large number of messages for decryption.
For details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario.
Reported by Hubert Kario, Red Hat.
* Fix a timing side channel in private key RSA operations. This side channel
could be sufficient for an attacker to recover the plaintext. A local
attacker or a remote attacker who is close to the victim on the network
might have precise enough timing measurements to exploit this. It requires
the attacker to send a large number of messages for decryption. For
details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
by Hubert Kario, Red Hat.