deps: float 26d7fce1 from openssl (CVE-2018-0734 follow-on) by rvagg · Pull Request #24353 · nodejs/node
The fix for CVE-2018-0734, floated in 213c7d2, failed to include a
constant-time calculation for one of the variables. This introduces
a fix for that.
Ref: openssl/openssl#7549
Upstream: openssl/openssl@26d7fce1
Original commit message:
Add a constant time flag to one of the bignums to avoid a timing leak.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7549)
(cherry picked from commit 00496b6423605391864fbbd1693f23631a1c5239)
This is for 1.1.0, so can go into 11 and 10. I'll do a separate one for 1.0.2.
@nodejs/crypto