Your message dated Sat, 28 Sep 2019 21:36:16 +0000
with message-id <[email protected]>
and subject line Bug#941265: fixed in mbedtls 2.16.3-1
has caused the Debian Bug report #941265,
regarding mbedtls: CVE-2019-16910
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
941265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941265
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 2.16.2-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for mbedtls. Not checked in
details, so please double check for mbedtls.
CVE-2019-16910[0]:
| Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when
| deterministic ECDSA is enabled, use an RNG with insufficient entropy
| for blinding, which might allow an attacker to recover a private key
| via side-channel attacks if a victim signs the same message many
| times. (For Mbed TLS, the fix is also available in versions 2.7.12 and
| 2.16.3.)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16910
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16910
[1]
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 2.16.3-1
We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated mbedtls package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Sep 2019 21:39:18 +0100
Source: mbedtls
Architecture: source
Version: 2.16.3-1
Distribution: unstable
Urgency: medium
Maintainer: James Cowgill <[email protected]>
Changed-By: James Cowgill <[email protected]>
Closes: 941265
Changes:
mbedtls (2.16.3-1) unstable; urgency=medium
.
* New upstream release.
- Fixes CVE-2019-16910 - Side channel attack on deterministic
ECDSA. (Closes: #941265)
.
* d/libmbedcrypto3.symbols:
- Add new mbedtls_ecdsa_sign_det_ext symbol.
Checksums-Sha1:
923533e9576b8f706940f305ade8d2d36103c08d 2347 mbedtls_2.16.3-1.dsc
c5c2ef1d4d8bb27e2fdc93d1a6f647806060d229 1852016 mbedtls_2.16.3.orig.tar.xz
5f66e59f4929e8cc013d9509229a7f1842e77813 12636 mbedtls_2.16.3-1.debian.tar.xz
Checksums-Sha256:
5d5b5e74ede6d1b276be40a506c4b566a1a6ac05728f1e764ffb71bbc1f82bd5 2347
mbedtls_2.16.3-1.dsc
05b299e4f6bd1181786d52e3361d31229aeb5d5f8af9162b098f08eabe7064c2 1852016
mbedtls_2.16.3.orig.tar.xz
e18fa7c21226bea84cd9f2719aa7d5278cce870aac8cf927e63aadc812067036 12636
mbedtls_2.16.3-1.debian.tar.xz
Files:
c55d17db7d424f0b1f84c107f8230d9f 2347 libs optional mbedtls_2.16.3-1.dsc
39b5b0b365c7a8704ce4b2067cd4aaa9 1852016 libs optional
mbedtls_2.16.3.orig.tar.xz
1e04b948f6904698bde813db91a40930 12636 libs optional
mbedtls_2.16.3-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAl2Pz94UHGpjb3dnaWxs
QGRlYmlhbi5vcmcACgkQx/FnbeotAe+o4w/+KkknLaAJcpzxsityT0qk/Nvdmwbk
75mNkfQV5vAi6lOHJ5iX7y7cZmUO1tRfwU741fubVNPxWSS171D3ReAcg59ObLVh
IJZJ/IHQD3C/hYE5NJE0opHkvrSBLGIFta+Mk5xkjCeeZpCyER1lx/8yeoJmoCXI
OBgBVwclkfRHF6fQ1n8pi3AxO/lZ5g1NvmE9rZJBpne6f2pL3e5AN/6F4/31VF/U
fRujO8EsNcZj+d8V/xfCr86UYWOJmYQpAhc6yFidWXRWBbrBQYXDTwMij5Rn1rZh
9QJ81AejbplHecMJbBjT5Ikpcpe3QK/KC4vysxzfjqUYISZMpvwvjQKrxVnaeenJ
A0fuOwVmtqV0E3KBzJvN9xBSduNRQCvd8bc2gz14hubFsvam2dsMMGKKMpl+uNT3
fQcjRIV0TxKQIBU7TIb+r6UlmL2lyYelEWbKbuRStTXh05yL+gCV/f6ZYb+RFC16
0+OnnLjuBpdfNUvWcnnBIIT9MQAut+urdb3E/6DA5FVo/bEr/Ubo/MzMvbsKn4vb
+tW/LHTAzN9mB4R7yJreF4xXEOtM4kHXYvVxZRXeByM2q5G86ZzICPvvrEGea3hu
4/gjSRdPP0MBsfu6VR7JCF4rYonIfpmw1+rwm4/6WNsYQzlMy7I3+9VN1BlCEhe/
NPC70EX+8CFVYas=
=0eOA
-----END PGP SIGNATURE-----
--- End Message ---
