Your message dated Wed, 24 Feb 2021 17:32:53 +0000
with message-id <[email protected]>
and subject line Bug#947949: fixed in openssl 1.1.1d-0+deb10u5
has caused the Debian Bug report #947949,
regarding openssl: CVE-2019-1551
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
947949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947949
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 1.1.1d-2
Severity: important
Tags: security upstream fixed-upstream
Hi,
Filing for tracking the issue for src:openssl.
CVE-2019-1551[0]:
| There is an overflow bug in the x64_64 Montgomery squaring procedure
| used in exponentiation with 512-bit moduli. No EC algorithms are
| affected. Analysis suggests that attacks against 2-prime RSA1024,
| 3-prime RSA1536, and DSA1024 as a result of this defect would be very
| difficult to perform and are not believed likely. Attacks against
| DH512 are considered just feasible. However, for an attack the target
| would have to re-use the DH512 private key, which is not recommended
| anyway. Also applications directly using the low level API BN_mod_exp
| may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev
| (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-1551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
[1] https://www.openssl.org/news/secadv/20191206.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 1.1.1d-0+deb10u5
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Feb 2021 23:08:43 +0100
Source: openssl
Architecture: source
Version: 1.1.1d-0+deb10u5
Distribution: buster-security
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 947949
Changes:
openssl (1.1.1d-0+deb10u5) buster-security; urgency=medium
.
* CVE-2021-23841 (NULL pointer deref in X509_issuer_and_serial_hash()).
* CVE-2021-23840 (Possible overflow of the output length argument in
EVP_CipherUpdate(), EVP_EncryptUpdate() and EVP_DecryptUpdate()).
* CVE-2019-1551 (Overflow in the x64_64 Montgomery squaring procedure),
(Closes: #947949).
Checksums-Sha1:
37c6f31d7c2581d09040b1975de0d4757290ffd8 2472 openssl_1.1.1d-0+deb10u5.dsc
2c6bc1d2da71f668f1dde7b195a6e7ffe5b85ce4 95940 openssl_1.1.1d-0+deb10u5.debian.tar.xz
Checksums-Sha256:
a09e1135475dc740ceeb86c3c9ce8eec6bcc931df2a06a70f461ff0ce477c180 2472 openssl_1.1.1d-0+deb10u5.dsc
70c3d201429bf5cdb198837da7ebe9e2bfe956f929ddc069f06cbb7508989c50 95940 openssl_1.1.1d-0+deb10u5.debian.tar.xz
Files:
e85e779b8b5d51a9636f8755e71d2c6f 2472 utils optional openssl_1.1.1d-0+deb10u5.dsc
5dd192467f3f3f5898145521274263e9 95940 utils optional openssl_1.1.1d-0+deb10u5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=H1KK
-----END PGP SIGNATURE-----
--- End Message ---