Your message dated Sat, 12 Apr 2008 07:52:39 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#438142: fixed in openssl 0.9.8c-4etch2
has caused the Debian Bug report #438142,
regarding CVE-2007-3108 wrong Montgomery multiplication might cause information leakage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
438142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=438142
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openssl
Version: 0.9.8e-5
Severity: important
Tags: security
Hi,
CVE-2007-3108[0]:
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and
earlier does not properly perform Montgomery multiplication, which might allow
local users to conduct a side-channel attack and retrieve RSA private keys.
Openssl seems to be vulnerable in (oldstable), stable, testing and unstable.
I couldn't find any note about a fix for this in the changelogs.
If you fix this issue please include the CVE id in the changelog.
You can find patches for the 0.9.8 versions on:
http://www.securityfocus.com/bid/25163/solution
Kind regards
Nico
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
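The report above describes a side channel in the final step of Montgomery reduction: after REDC the intermediate value lies in [0, 2N), and a data-dependent "subtract N if the result is too large" exposes one bit about the operands through timing. The following is an added illustration written for this thread, not code from OpenSSL or the Debian package. It implements single-word Montgomery multiplication (R = 2^64, odd modulus below 2^63) twice: once with the branchy final subtraction, and once with the standard mitigation of always performing the subtraction and selecting the result through a mask, so the work done no longer depends on the value being reduced. Names such as mont_ctx, redc_core and mont_mul_ct are this example's own; the modulus in main is an arbitrary odd constant chosen for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef unsigned __int128 u128;

/* Montgomery context for an odd modulus N < 2^63 with R = 2^64.
 * Constructed for this example; it only loosely mirrors BN_MONT_CTX. */
typedef struct {
    uint64_t n;      /* odd modulus N */
    uint64_t n0inv;  /* -N^{-1} mod 2^64 */
    uint64_t r2;     /* R^2 mod N, used to convert into Montgomery form */
} mont_ctx;

/* Newton iteration for the inverse mod 2^64: inv = N is correct to 3 bits
 * for odd N, and each step doubles the number of correct bits. */
static uint64_t neg_inv64(uint64_t n) {
    uint64_t inv = n;
    for (int i = 0; i < 5; i++) inv *= 2 - n * inv;
    return (uint64_t)0 - inv;
}

static mont_ctx mont_init(uint64_t n) {
    mont_ctx c;
    c.n = n;
    c.n0inv = neg_inv64(n);
    uint64_t r = (uint64_t)(((u128)1 << 64) % n);   /* R mod N */
    c.r2 = (uint64_t)(((u128)r * r) % n);           /* R^2 mod N */
    return c;
}

/* Shared part of REDC: returns (a*b + m*N) / R, which lies in [0, 2N). */
static uint64_t redc_core(const mont_ctx *c, uint64_t a, uint64_t b) {
    u128 t = (u128)a * b;
    uint64_t m = (uint64_t)t * c->n0inv;
    t += (u128)m * c->n;
    return (uint64_t)(t >> 64);
}

/* Leaky variant: the final subtraction runs only when t >= N, so the
 * branch taken (and the time spent) depends on the operands. */
uint64_t mont_mul_leaky(const mont_ctx *c, uint64_t a, uint64_t b) {
    uint64_t t = redc_core(c, a, b);
    if (t >= c->n) t -= c->n;
    return t;
}

/* Hardened variant: always subtract, derive the borrow bit arithmetically,
 * and pick the right value with a mask; no data-dependent branch. */
uint64_t mont_mul_ct(const mont_ctx *c, uint64_t a, uint64_t b) {
    uint64_t t = redc_core(c, a, b);
    uint64_t d = t - c->n;
    /* borrow-out of the subtraction t - N, computed bitwise: 1 iff t < N */
    uint64_t borrow = ((~t & c->n) | ((~t | c->n) & d)) >> 63;
    uint64_t keep_t = (uint64_t)0 - borrow;          /* all-ones when t < N */
    return (d & ~keep_t) | (t & keep_t);
}

/* a*b mod n computed through Montgomery form with either variant. */
uint64_t modmul_mont(uint64_t a, uint64_t b, uint64_t n, bool ct) {
    mont_ctx c = mont_init(n);
    uint64_t (*mul)(const mont_ctx *, uint64_t, uint64_t) =
        ct ? mont_mul_ct : mont_mul_leaky;
    uint64_t am = mul(&c, a % n, c.r2);   /* a*R mod N */
    uint64_t bm = mul(&c, b % n, c.r2);   /* b*R mod N */
    uint64_t pm = mul(&c, am, bm);        /* a*b*R mod N */
    return mul(&c, pm, 1);                /* strip the factor R */
}

/* Plain reference using 128-bit arithmetic. */
uint64_t modmul_ref(uint64_t a, uint64_t b, uint64_t n) {
    return (uint64_t)(((u128)(a % n) * (b % n)) % n);
}

/* Pseudo-random sweep: number of results where either variant disagrees
 * with the reference (expected 0). Inputs are constructed from xorshift64. */
int check_against_reference(uint64_t n, uint64_t count) {
    int bad = 0;
    uint64_t x = 0x9E3779B97F4A7C15ULL;
    for (uint64_t i = 0; i < count; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        uint64_t a = x % n, b = (x >> 7) % n;
        uint64_t ref = modmul_ref(a, b, n);
        if (modmul_mont(a, b, n, true) != ref) bad++;
        if (modmul_mont(a, b, n, false) != ref) bad++;
    }
    return bad;
}

int main(void) {
    uint64_t n = 0x7FFFFFFFFFFFFFE7ULL;   /* arbitrary odd modulus below 2^63 */
    printf("mismatches vs reference: %d\n", check_against_reference(n, 10000));
    printf("12345*67890 mod 101 = %llu\n",
           (unsigned long long)modmul_mont(12345, 67890, 101, true));
    return 0;
}
```

Both variants return identical values; the difference is only in whether the amount of work depends on the data. When reviewing a bignum implementation for this class of issue, the final reduction of REDC is the place to look: any `if (t >= N)` on the reduced value is the pattern the CVE describes, and the masked form above is the shape of the remedy. Compile with gcc or clang, which provide the unsigned __int128 type this example relies on.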
--- Begin Message ---
Source: openssl
Source-Version: 0.9.8c-4etch2
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive:
libcrypto0.9.8-udeb_0.9.8c-4etch2_amd64.udeb
to pool/main/o/openssl/libcrypto0.9.8-udeb_0.9.8c-4etch2_amd64.udeb
libssl-dev_0.9.8c-4etch2_amd64.deb
to pool/main/o/openssl/libssl-dev_0.9.8c-4etch2_amd64.deb
libssl0.9.8-dbg_0.9.8c-4etch2_amd64.deb
to pool/main/o/openssl/libssl0.9.8-dbg_0.9.8c-4etch2_amd64.deb
libssl0.9.8_0.9.8c-4etch2_amd64.deb
to pool/main/o/openssl/libssl0.9.8_0.9.8c-4etch2_amd64.deb
openssl_0.9.8c-4etch2.diff.gz
to pool/main/o/openssl/openssl_0.9.8c-4etch2.diff.gz
openssl_0.9.8c-4etch2.dsc
to pool/main/o/openssl/openssl_0.9.8c-4etch2.dsc
openssl_0.9.8c-4etch2_amd64.deb
to pool/main/o/openssl/openssl_0.9.8c-4etch2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <[EMAIL PROTECTED]> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 06 Apr 2008 16:31:28 +0200
Source: openssl
Binary: libssl-dev openssl libssl0.9.8-dbg libcrypto0.9.8-udeb libssl0.9.8
Architecture: source amd64
Version: 0.9.8c-4etch2
Distribution: proposed-updates
Urgency: low
Maintainer: Debian OpenSSL Team <[EMAIL PROTECTED]>
Changed-By: Kurt Roeckx <[EMAIL PROTECTED]>
Description:
libcrypto0.9.8-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl0.9.8 - SSL shared libraries
libssl0.9.8-dbg - Symbol tables for libssl and libcrypt
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 438142
Changes:
openssl (0.9.8c-4etch2) proposed-updates; urgency=low
.
* Apply patch from SuSe for CVE-2007-4995. This should also
get DTLS in a working state.
* Fix CVE-2007-3108 wrong Montgomery multiplication. This was
also included in the patch from SuSe. (Closes: #438142)
Files:
637314078fae5c8eac38f121791dc21f 807 utils optional openssl_0.9.8c-4etch2.dsc
9535ab69f6dce0837d3876837497fe69 55497 utils optional openssl_0.9.8c-4etch2.diff.gz
8a8e8b85bd226154d11ca8d48a4aa878 1017276 utils optional openssl_0.9.8c-4etch2_amd64.deb
f54973d6d8865554ab67d9dc5c6f5e84 891076 libs important libssl0.9.8_0.9.8c-4etch2_amd64.deb
7277ca9a231ce3cf8ec6bb4c41234de1 580182 debian-installer optional libcrypto0.9.8-udeb_0.9.8c-4etch2_amd64.udeb
f6456c171db3f3b6493606b59ee48401 2187068 libdevel optional libssl-dev_0.9.8c-4etch2_amd64.deb
7fb2273112badf44c25889779846ab86 1654946 libdevel extra libssl0.9.8-dbg_0.9.8c-4etch2_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH+OkEQdwckHJElwsRAtKvAKDZGlgetd8S2XUhWhFwNNf7rWqlfgCg53Ye
xoV+WnEmV4uLWXJyW9pjRjY=
=YcYM
-----END PGP SIGNATURE-----
--- End Message ---