Your message dated Tue, 01 Aug 2023 21:23:01 +0000
with message-id <[email protected]>
and subject line Bug#1041818: fixed in openssl 3.1.2-1
has caused the Debian Bug report #1041818,
regarding openssl: CVE-2023-2975
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041818: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 3.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for openssl.

CVE-2023-2975[0]:
| Issue summary: The AES-SIV cipher implementation contains a bug that
| causes it to ignore empty associated data entries which are
| unauthenticated as a consequence.  Impact summary: Applications that
| use the AES-SIV algorithm and want to authenticate empty data
| entries as associated data can be misled by removing, adding or
| reordering such empty entries as these are ignored by the OpenSSL
| implementation. We are currently unaware of any such applications.
| The AES-SIV algorithm allows for authentication of multiple
| associated data entries along with the encryption. To authenticate
| empty data the application has to call EVP_EncryptUpdate() (or
| EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as
| the input buffer length. The AES-SIV implementation in OpenSSL just
| returns success for such a call instead of performing the associated
| data authentication operation. The empty data thus will not be
| authenticated.  As this issue does not affect non-empty associated
| data authentication and we expect it to be rare for an application
| to use empty associated data entries this is qualified as a Low
| severity issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2975
    https://www.cve.org/CVERecord?id=CVE-2023-2975
[1] https://www.openssl.org/news/secadv/20230714.txt

Regards,
Salvatore

--- End Message ---
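The advisory quoted above describes how an AES-SIV caller authenticates an empty associated-data entry and what goes wrong when the implementation silently skips it. The following pure-Python AES-SIV is an added example for this report, not OpenSSL's code and not the fix shipped in 3.1.2: it implements S2V and the CTR layer per RFC 5297 on top of a toy AES-128 and AES-CMAC, and carries a `skip_empty` switch that models the flawed behaviour, so one can see that a correct S2V yields a different V (the synthetic IV, which is also the tag) for the associated-data lists `[b"", AD]` and `[AD]`, while the flawed variant yields the same V for both. `empty_ad_is_authenticated()` is a self-check an application can run against any AES-SIV `encrypt(key, plaintext, ad_list)` wrapper before relying on empty entries being authenticated. The function names, the key layout (K1 for S2V first, K2 for CTR second) and the `b"header"`/`b"payload"` strings are this example's own assumptions; the AES, CMAC and S2V parts can be checked against the FIPS-197, RFC 4493 and RFC 5297 test vectors.

```python
"""Minimal AES-SIV (RFC 5297) in pure Python, with a switch that models the
CVE-2023-2975 behaviour (empty associated-data entries silently skipped).
Added example for this bug report, not OpenSSL's code; AES-128 only, not
constant-time, for illustration rather than production use."""
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _xtime(b: int) -> int:  # multiply by x in GF(2^8)
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _make_sbox():
    # Walk GF(2^8)* with generator 3 keeping p * q == 1, then apply the affine map.
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        for k in (1, 2, 4):
            q ^= (q << k) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q
        for k in (1, 2, 3, 4):
            x ^= ((q << k) | (q >> (8 - k))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            sbox[0] = 0x63
            return sbox
SBOX = _make_sbox()

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk, rcon = list(key), 1
    for i in range(4, 44):  # FIPS-197 key expansion, 11 round keys
        t = rk[4 * i - 4:4 * i]
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        rk += [rk[4 * i - 16 + j] ^ t[j] for j in range(4)]
    s = [b ^ k for b, k in zip(block, rk[:16])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows (column-major state)
        if rnd != 10:                                        # MixColumns
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                for r in range(4):
                    s[4 * c + r] = a[r] ^ t ^ _xtime(a[r] ^ a[(r + 1) % 4])
        s = [b ^ k for b, k in zip(s, rk[16 * rnd:16 * rnd + 16])]  # AddRoundKey
    return bytes(s)

def _dbl(b: bytes) -> bytes:  # "dbl" of RFC 5297, same as CMAC subkey doubling
    n = int.from_bytes(b, "big") << 1
    return ((n ^ 0x87 if n >> 128 else n) % (1 << 128)).to_bytes(16, "big")

def aes_cmac(key: bytes, msg: bytes) -> bytes:  # RFC 4493
    k1 = _dbl(aes128_encrypt_block(key, bytes(16)))
    n = max(1, (len(msg) + 15) // 16)
    if msg and len(msg) % 16 == 0:
        last = _xor(msg[-16:], k1)
    else:  # pad the final (possibly empty) block with 10...0 and use K2
        pad = msg[16 * (n - 1):] + b"\x80"
        last = _xor(pad + bytes(16 - len(pad)), _dbl(k1))
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(key, _xor(x, msg[16 * i:16 * i + 16]))
    return aes128_encrypt_block(key, _xor(x, last))

def s2v(key: bytes, strings, skip_empty=False) -> bytes:
    """RFC 5297 S2V; skip_empty=True reproduces the flaw from the advisory."""
    if skip_empty:  # flawed: empty AD entries never enter the computation
        strings = [s for s in strings[:-1] if s] + strings[-1:]
    if not strings:
        return aes_cmac(key, bytes(15) + b"\x01")
    d = aes_cmac(key, bytes(16))
    for s in strings[:-1]:  # every entry, empty or not, shifts D and mixes in
        d = _xor(_dbl(d), aes_cmac(key, s))
    last = strings[-1]
    if len(last) >= 16:
        t = last[:-16] + _xor(last[-16:], d)
    else:
        t = _xor(_dbl(d), last + b"\x80" + bytes(15 - len(last)))
    return aes_cmac(key, t)

def _ctr_xor(k2: bytes, v: bytes, data: bytes) -> bytes:
    q = int.from_bytes(v, "big") & ~((1 << 63) | (1 << 31))  # clear bits 31 and 63
    out = bytearray()
    for i in range(0, len(data), 16):
        blk = ((q + i // 16) % (1 << 128)).to_bytes(16, "big")
        out += _xor(data[i:i + 16], aes128_encrypt_block(k2, blk))
    return bytes(out)

def siv_encrypt(key: bytes, plaintext: bytes, ad, skip_empty=False) -> bytes:
    # 32-byte key (assumed layout): K1 = first half for S2V, K2 = second half for CTR.
    v = s2v(key[:16], list(ad) + [plaintext], skip_empty)
    return v + _ctr_xor(key[16:], v, plaintext)  # V || C

def siv_decrypt(key: bytes, blob: bytes, ad) -> bytes:
    v, p = blob[:16], _ctr_xor(key[16:], blob[:16], blob[16:])
    if not hmac.compare_digest(s2v(key[:16], list(ad) + [p]), v):
        raise ValueError("AES-SIV authentication failed")
    return p

def empty_ad_is_authenticated(encrypt, key: bytes) -> bool:
    """Self-check: a correct AES-SIV must change its output once an empty AD entry is inserted."""
    return encrypt(key, b"payload", [b"header"]) != encrypt(key, b"payload", [b"", b"header"])
```

To exercise it, call `empty_ad_is_authenticated(siv_encrypt, key)` with a 32-byte key; it returns True for the RFC-conformant path and False for `lambda k, p, a: siv_encrypt(k, p, a, skip_empty=True)`. The equivalent check against a library such as OpenSSL is to encrypt the same plaintext twice, once with and once without the extra zero-length EVP_EncryptUpdate() call described in the advisory, and to confirm that the two tags differ.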
--- Begin Message ---
Source: openssl
Source-Version: 3.1.2-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 Aug 2023 22:51:25 +0200
Source: openssl
Architecture: source
Version: 3.1.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1041817 1041818
Changes:
 openssl (3.1.2-1) experimental; urgency=medium
 .
   * Import 3.1.2
    - CVE-2023-2975 (AES-SIV implementation ignores empty associated data
      entries) (Closes: #1041818).
    - CVE-2023-3446 (Excessive time spent checking DH keys and parameters).
      (Closes: #1041817).
    - CVE-2023-3817 (Excessive time spent checking DH q parameter value).
    - Drop bc and m4 from B-D.
Checksums-Sha1:
 be2cd6576a8f2700cbfa8502e51d2011829aaccd 2451 openssl_3.1.2-1.dsc
 206036c21264e53f0196f715d81d905742e6245b 15560427 openssl_3.1.2.orig.tar.gz
 604f1185bc1036ae9e7d15b207c45c9177f98b97 833 openssl_3.1.2.orig.tar.gz.asc
 28a4cb1bdbeba5fc1de678f011c01a95fa5379da 69048 openssl_3.1.2-1.debian.tar.xz
Checksums-Sha256:
 2d1bc6b8850ab13dd7fcc0a44d0be4a710f4308f384c64c4d6378d5a1359a361 2451 openssl_3.1.2-1.dsc
 a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539 15560427 openssl_3.1.2.orig.tar.gz
 0c14b85a86966752f1cdc2a3306497010d5fb9d405070b64cbb201d7ad1eb61a 833 openssl_3.1.2.orig.tar.gz.asc
 c80fc59806e9a08f95d7c79411f162526eb0fe650aaf2bc2550f4589d344e398 69048 openssl_3.1.2-1.debian.tar.xz
Files:
 861499a955e678da780ca0b296262af9 2451 utils optional openssl_3.1.2-1.dsc
 1d7861f969505e67b8677e205afd9ff4 15560427 utils optional openssl_3.1.2.orig.tar.gz
 673f7e5d19798fa370c6d9fac978062d 833 utils optional openssl_3.1.2.orig.tar.gz.asc
 f2027ad363c9e7b9ea66787d7adcf737 69048 utils optional openssl_3.1.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
