Your message dated Wed, 30 May 2018 18:35:41 +0000
with message-id <[email protected]>
and subject line Bug#895844: fixed in openssl 1.1.1~~pre7-1
has caused the Debian Bug report #895844,
regarding openssl: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
895844: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895844
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 1.1.0f-3
Severity: important
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 openssl1.0 1.0.2l-2
Control: retitle -2 openssl1.0: CVE-2018-0737: Cache timing vulnerability in RSA Key Generation Source

Hi,

The following vulnerability was published for openssl.

CVE-2018-0737[0]:
| The OpenSSL RSA Key generation algorithm has been shown to be
| vulnerable to a cache timing side channel attack. An attacker with
| sufficient access to mount cache timing attacks during the RSA key
| generation process could recover the private key. Fixed in OpenSSL
| 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
| (Affected 1.0.2b-1.0.2o).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-0737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737
[1] https://www.openssl.org/news/secadv/20180416.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.1.1~~pre7-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 30 May 2018 19:49:26 +0200
Source: openssl
Binary: openssl libssl1.1 libcrypto1.1-udeb libssl1.1-udeb libssl-dev libssl-doc
Architecture: source
Version: 1.1.1~~pre7-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
 libcrypto1.1-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.1  - Secure Sockets Layer toolkit - shared libraries
 libssl1.1-udeb - ssl shared library - udeb (udeb)
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Closes: 895844
Changes:
 openssl (1.1.1~~pre7-1) experimental; urgency=medium
 .
   * Drop afalgeng on kfreebsd-* which got enabled because they inherit from
     the linux target.
   * Fix debian-rules-sets-dpkg-architecture-variable.
   * Update to policy 4.1.4
     - only Suggest: libssl-doc instead of Recommends (only documentation and
       example code is shipped).
     - drop Priority: important.
     - use signing-key.asc and https links for downloads
   * Use compat 11.
     - this moves the examples to /usr/share/doc/libssl-{doc->dev}/demos but it
       seems to make sense.
   * Add a 25-test_verify.t for autopkgtest which runs against installed
     openssl binary.
   * Fix CVE-2018-0737 (Closes: #895844).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
