Your message dated Fri, 18 May 2018 11:38:02 +0000
with message-id <[email protected]>
and subject line Bug#895844: fixed in openssl 1.1.0h-3
has caused the Debian Bug report #895844,
regarding openssl: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 1.1.0f-3
Severity: important
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 openssl1.0 1.0.2l-2
Control: retitle -2 openssl1.0: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source

Hi,

The following vulnerability was published for openssl.

CVE-2018-0737[0]:
| The OpenSSL RSA Key generation algorithm has been shown to be
| vulnerable to a cache timing side channel attack. An attacker with
| sufficient access to mount cache timing attacks during the RSA key
| generation process could recover the private key. Fixed in OpenSSL
| 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
| (Affected 1.0.2b-1.0.2o).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-0737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737
[1] https://www.openssl.org/news/secadv/20180416.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.1.0h-3

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 May 2018 23:35:43 +0200
Source: openssl
Binary: openssl libssl1.1 libcrypto1.1-udeb libssl1.1-udeb libssl-dev libssl-doc
Architecture: source
Version: 1.1.0h-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.1  - Secure Sockets Layer toolkit - shared libraries
 libssl1.1-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 895844
Changes:
 openssl (1.1.0h-3) unstable; urgency=medium
 .
   * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
     the linux target.
   * Fix regression with session cache use by clients (See: #895035).
   * openssl rehash: exit 0 on warnings, same as c_rehash (See: #895473 and
     #895482).
   * Fix debian-rules-sets-dpkg-architecture-variable.
   * Let VCS-* point to salsa.d.o.
   * Don't build the binary package in binary-indep mode.
   * Update to policy 4.1.4
     - only Suggest: libssl-doc instead of Recommends (only documentation and
       example code is shipped).
     - drop Priority: important.
     - use signing-key.asc and https links for downloads
   * Use compat 11.
     - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
       seems to make sense.
   * Fix CVE-2018-0737 (Closes: #895844).


--- End Message ---
