Your message dated Tue, 07 Sep 2021 20:48:38 +0000
with message-id <[email protected]>
and subject line Bug#993840: fixed in botan 2.18.1+dfsg-3
has caused the Debian Bug report #993840,
regarding botan: CVE-2021-40529
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993840: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993840
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: botan
Version: 2.18.1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/randombit/botan/pull/2790
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for botan.
CVE-2021-40529[0]:
| The ElGamal implementation in Botan through 2.18.1, as used in
| Thunderbird and other products, allows plaintext recovery because,
| during interaction between two cryptographic libraries, a certain
| dangerous combination of the prime defined by the receiver's public
| key, the generator defined by the receiver's public key, and the
| sender's ephemeral exponents can lead to a cross-configuration attack
| against OpenPGP.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-40529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40529
[1] https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2
[2] https://github.com/randombit/botan/pull/2790
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: botan
Source-Version: 2.18.1+dfsg-3
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
botan, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated botan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Sep 2021 17:38:02 +0200
Source: botan
Architecture: source
Version: 2.18.1+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 993840
Changes:
botan (2.18.1+dfsg-3) unstable; urgency=high
.
* Backport security related patches:
- new sizes for DL exponents,
- CVE-2021-40529: avoid using short exponents with ElGamal
(closes: #993840).
Checksums-Sha1:
6ef182c855c5e7c57d9a000ecdb7bcae016d26df 2137 botan_2.18.1+dfsg-3.dsc
59b3c2a15336a8d5699fe13ecb596ebe9e86d08e 22096 botan_2.18.1+dfsg-3.debian.tar.xz
Checksums-Sha256:
f35a651bac971f65afb42c7063e29eacfb8f362b8559872159ca638f93be722b 2137 botan_2.18.1+dfsg-3.dsc
1a8b277ff7bb34982170757cfbb611e5bb717d24ce0086e1c24cb38f1f28fb57 22096 botan_2.18.1+dfsg-3.debian.tar.xz
Files:
04da087d10b6a8e035c7c4f9dad928dd 2137 libs optional botan_2.18.1+dfsg-3.dsc
baf50cbe2a0248311aff224d8f87112b 22096 libs optional botan_2.18.1+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
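Editor's added illustration of the failure mode the CVE text in the first message describes and the changelog entry "avoid using short exponents with ElGamal" in the second fixes. This is not part of the bug report, the changelog, or Botan's code. The setting: the sender picks an ephemeral exponent k sized to the security level rather than to p, while the receiver's key (generated by a different library, which is what makes it a cross-configuration attack) uses a prime p whose p-1 has many small factors and a generator g of full order. Pohlig-Hellman in each small subgroup leaks k mod r, the CRT combines the residues into k mod M, and the few remaining bits of a short k are found by search, after which the plaintext follows. With a full-length k the same leak leaves roughly q candidates; with a generator of the prime-order subgroup nothing leaks at all. Every parameter below is a constructed toy (a 64-bit p with p-1 = 2·3·5·7·11·13·17·19·q), and the brute-force step stands in for the baby-step giant-step that the published attack on OpenPGP ElGamal uses:

```python
"""Toy 'cross-configuration' attack on ElGamal: a sender using a short
ephemeral exponent meets a receiver key whose prime is not a safe prime and
whose generator has full order.  Constructed illustration, not Botan code."""
import random
from functools import reduce

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]       # smooth part of p - 1 (toy choice)
M = reduce(lambda a, b: a * b, SMALL_PRIMES)       # 9699690, about 2^23.2
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for all n below 3.3e24."""
    if n < 2:
        return False
    for r in MR_BASES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_toy_group():
    """Deterministically find p = M*q + 1 (q prime, so p is not a safe prime)
    and the smallest g generating all of Z_p^*.  Stands in for a key another
    library generated; values are toys, not real OpenPGP parameters."""
    q = (1 << 40) + 1
    while not (is_probable_prime(q) and is_probable_prime(M * q + 1)):
        q += 2
    p = M * q + 1
    g = 2
    while any(pow(g, (p - 1) // r, p) == 1 for r in SMALL_PRIMES + [q]):
        g += 1
    return p, q, g


def encrypt(p, g, y, m, k):
    """Textbook ElGamal: (g^k, m * y^k) mod p."""
    return pow(g, k, p), m * pow(y, k, p) % p


def crt(residues, moduli):
    """Combine x = r_i (mod n_i) for pairwise coprime n_i."""
    x, mod = 0, 1
    for r, n in zip(residues, moduli):
        x += mod * ((r - x) * pow(mod, -1, n) % n)
        mod *= n
    return x % mod


def attack(p, g, y, c1, c2, k_bits, max_work=1 << 20):
    """Recover m from public data, knowing only the sender's exponent length.
    Returns (plaintext or None, number of candidates the final search needs)."""
    # Step 1: Pohlig-Hellman in each small subgroup leaks k mod r, because g
    # has full order: g^((p-1)/r) has order r and c1^((p-1)/r) = (g^((p-1)/r))^k.
    residues = []
    for r in SMALL_PRIMES:
        gr, hr = pow(g, (p - 1) // r, p), pow(c1, (p - 1) // r, p)
        residues.append(next(d for d in range(r) if pow(gr, d, p) == hr))
    k0 = crt(residues, SMALL_PRIMES)                  # k mod M
    # Step 2: k = k0 + M*t with t < 2^k_bits / M.  Brute force here stands in
    # for baby-step giant-step; a full-length k leaves ~q candidates, too many.
    work = (1 << k_bits) // M + 1
    if work > max_work:
        return None, work
    for t in range(work):
        k = k0 + M * t
        if pow(g, k, p) == c1:
            return c2 * pow(pow(y, k, p), -1, p) % p, work
    return None, work


def demo(seed=1):
    rng = random.Random(seed)
    p, q, g = make_toy_group()
    x = rng.randrange(1, p - 1)
    y = pow(g, x, p)                                  # receiver's public key
    m = rng.randrange(1, p)
    # Vulnerable sender: 32-bit k (an exponent sized to the security level, not to p).
    k_short = rng.getrandbits(32) | (1 << 31)
    m_short, work_short = attack(p, g, y, *encrypt(p, g, y, m, k_short), 32)
    # Fixed sender (the changelog's "avoid short exponents"): k uniform in [1, p-2].
    k_full = rng.randrange(1, p - 1)
    m_full, work_full = attack(p, g, y, *encrypt(p, g, y, m, k_full), p.bit_length())
    # Receiver-side hygiene: a generator of the prime-order subgroup (g^M has
    # order q) makes every small-subgroup projection trivial, so k mod r never leaks.
    g_q = pow(g, M, p)
    leak = [pow(pow(g_q, k_short, p), (p - 1) // r, p) for r in SMALL_PRIMES]
    return {"p_bits": p.bit_length(), "short_recovered": m_short == m,
            "short_work": work_short, "full_recovered": m_full is not None,
            "full_work": work_full, "subgroup_leak": any(v != 1 for v in leak)}


if __name__ == "__main__":
    print(demo())
```

Running demo() recovers the plaintext from the short-exponent ciphertext after trying 443 values of t, fails on the full-length exponent (about 2^41 candidates remain after the CRT step), and reports no small-subgroup leak once the generator has prime order. The sender-side fix (a full-size k) is the one the changelog describes; the receiver-side alternative is ordinary discrete-log hygiene shown for contrast, not something the changelog claims Botan changed.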