Your message dated Thu, 22 Nov 2018 23:05:56 +0000
with message-id <[email protected]>
and subject line Bug#895845: fixed in openssl1.0 1.0.2q-1
has caused the Debian Bug report #895845,
regarding openssl1.0: CVE-2018-0737: Cache timing vulnerability in RSA Key
Generation Source
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
895845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895845
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 1.1.0f-3
Severity: important
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 openssl1.0 1.0.2l-2
Control: retitle -2 openssl1.0: CVE-2018-0737: Cache timing vulnerability in
RSA Key Generation Source
Hi,
The following vulnerability was published for openssl.
CVE-2018-0737[0]:
| The OpenSSL RSA Key generation algorithm has been shown to be
| vulnerable to a cache timing side channel attack. An attacker with
| sufficient access to mount cache timing attacks during the RSA key
| generation process could recover the private key. Fixed in OpenSSL
| 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev
| (Affected 1.0.2b-1.0.2o).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-0737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737
[1] https://www.openssl.org/news/secadv/20180416.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl1.0
Source-Version: 1.0.2q-1
We believe that the bug you reported is fixed in the latest version of
openssl1.0, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl1.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 22 Nov 2018 22:06:24 +0100
Source: openssl1.0
Binary: libssl1.0.2 libssl1.0-dev libcrypto1.0.2-udeb libssl1.0.2-udeb
Architecture: source
Version: 1.0.2q-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description:
libcrypto1.0.2-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
libssl1.0-dev - Secure Sockets Layer toolkit - development files
libssl1.0.2 - Secure Sockets Layer toolkit - shared libraries
libssl1.0.2-udeb - ssl shared library - udeb (udeb)
Closes: 891799 895845
Changes:
 openssl1.0 (1.0.2q-1) unstable; urgency=medium
 .
   * Correct typo in the riscv64 target (Closes: #891799).
   * Update to policy 4.1.4
     - drop Priority: important.
     - use signing-key.asc and a https links for downloads.
     - point the VCS-* to salsa.
   * Import upstream version 1.0.2q
     - CVE-2018-5407 (Microarchitecture timing vulnerability in ECC scalar
       multiplication)
     - CVE-2018-0734 (Timing vulnerability in DSA signature generation)
     - CVE-2018-0732 (Client DoS due to large DH parameter)
     - CVE-2018-0737 (Cache timing vulnerability in RSA Key Generation)
       (Closes: #895845)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---