Your message dated Sat, 25 Nov 2023 22:20:27 +0000
with message-id <[email protected]>
and subject line Bug#1055473: fixed in openssl 3.1.4-2
has caused the Debian Bug report #1055473,
regarding openssl: CVE-2023-5678
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1055473: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 3.0.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.0.11-1
Control: found -1 3.0.11-1~deb12u1
Control: found -1 3.0.11-1~deb12u2
Control: found -1 1.1.1w-0+deb11u1
Hi,
The following vulnerability was published for openssl.
CVE-2023-5678[0]:
| Issue summary: Generating excessively long X9.42 DH keys or checking
| excessively long X9.42 DH keys or parameters may be very slow.
| Impact summary: Applications that use the functions
| DH_generate_key() to generate an X9.42 DH key may experience long
| delays. Likewise, applications that use DH_check_pub_key(),
| DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42
| DH key or X9.42 DH parameters may experience long delays. Where the
| key or parameters that are being checked have been obtained from an
| untrusted source this may lead to a Denial of Service. While
| DH_check() performs all the necessary checks (as of CVE-2023-3817),
| DH_check_pub_key() doesn't make any of these checks, and is
| therefore vulnerable for excessively large P and Q parameters.
| Likewise, while DH_generate_key() performs a check for an
| excessively large P, it doesn't check for an excessively large Q.
| An application that calls DH_generate_key() or DH_check_pub_key()
| and supplies a key or parameters obtained from an untrusted source
| could be vulnerable to a Denial of Service attack.
| DH_generate_key() and DH_check_pub_key() are also called by a number
| of other OpenSSL functions. An application calling any of those
| other functions may similarly be affected. The other functions
| affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(),
| and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey
| command line application when using the "-pubcheck" option, as well
| as the OpenSSL genpkey command line application. The OpenSSL
| SSL/TLS implementation is not affected by this issue. The OpenSSL
| 3.0 and 3.1 FIPS providers are not affected by this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-5678
https://www.cve.org/CVERecord?id=CVE-2023-5678
[1] https://www.openssl.org/news/secadv/20231106.txt
Regards,
Salvatore
--- End Message ---
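The advisory above boils down to one defensive rule: parameters and keys that arrive from an untrusted source must be bounded before they reach DH_generate_key(), DH_check_pub_key() or the EVP wrappers built on them, because those functions do bignum work proportional to the size of P and Q. The following is an added example, not code from the bug report, from Debian or from OpenSSL: a stdlib-only Python pre-filter that parses X9.42 DomainParameters (the DER SEQUENCE of INTEGERs p, g, q) and rejects oversized values using only bit-length comparisons, so the check itself stays cheap no matter how large the input is. It assumes OpenSSL's `OPENSSL_DH_MAX_MODULUS_BITS` value of 10000 as the modulus ceiling and applies a "q must not be longer than p" rule of its own; the sample blobs are constructed odd numbers of the right size, not real primes, and q is treated as optional so the same parser also accepts blobs that omit it.

```python
# Added example (not from the bug report or OpenSSL): pre-validate X9.42 DH
# parameters from an untrusted source with bit-length checks only, before any
# expensive OpenSSL call such as DH_check_pub_key() or DH_generate_key().
from typing import Optional

# OpenSSL's OPENSSL_DH_MAX_MODULUS_BITS is 10000; reused here as the policy ceiling.
MAX_MODULUS_BITS = 10000


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal two's-complement big-endian encoding."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + _der_len(len(body)) + body


def build_dh_params(p: int, g: int, q: Optional[int] = None) -> bytes:
    """DomainParameters ::= SEQUENCE { p, g, q OPTIONAL } (j / validationParms omitted)."""
    inner = der_integer(p) + der_integer(g) + (der_integer(q) if q is not None else b"")
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value triple; raises ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    hdr = 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    else:
        length = first
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos + hdr:end], end


def parse_dh_params(der: bytes) -> dict:
    """Return {'p', 'g', 'q'} from a DER DomainParameters blob (q may be None)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq) and len(ints) < 3:
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            break  # anything after p, g, q is not needed for the size check
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) < 2:
        raise ValueError("p and g are mandatory")
    return {"p": ints[0], "g": ints[1], "q": ints[2] if len(ints) == 3 else None}


def check_dh_params(params: dict) -> tuple:
    """Cheap sanity checks: only bit lengths and comparisons, no modular arithmetic."""
    p, g, q = params["p"], params["g"], params["q"]
    if p <= 0 or p.bit_length() > MAX_MODULUS_BITS:
        return False, "p non-positive or exceeds MAX_MODULUS_BITS"
    if not 1 < g < p:
        return False, "g out of range"
    if q is not None and (q <= 0 or q.bit_length() > p.bit_length()):
        return False, "q longer than p"  # the oversized-Q case the advisory describes
    return True, "ok"


def check_dh_params_der(der: bytes) -> tuple:
    """Parse-and-check wrapper that turns parser errors into a rejection."""
    try:
        return check_dh_params(parse_dh_params(der))
    except ValueError as exc:
        return False, f"malformed: {exc}"


# Constructed sample inputs (odd numbers of the right size, NOT real primes).
SAMPLES = {
    "sane": build_dh_params((1 << 2047) | 1, 2, (1 << 255) | 1),
    "oversized_p": build_dh_params((1 << 16383) | 1, 2, (1 << 255) | 1),
    "oversized_q": build_dh_params((1 << 2047) | 1, 2, (1 << 4095) | 1),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_dh_params_der(blob))
```

The point of the design is that `check_dh_params()` never multiplies or exponentiates: it looks at `bit_length()` and does integer comparisons, so an attacker-controlled multi-megabit Q costs the filter nothing, whereas the same blob handed straight to the unpatched OpenSSL routines would trigger the long delays described above. Run the filter, then pass only accepted blobs to `d2i_DHxparams()` or `EVP_PKEY_fromdata()`.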
--- Begin Message ---
Source: openssl
Source-Version: 3.1.4-2
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 25 Nov 2023 21:35:59 +0100
Source: openssl
Architecture: source
Version: 3.1.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1054546 1055473
Changes:
openssl (3.1.4-2) unstable; urgency=medium
.
* Invoke clean up from the openssl binary as a temporary workaround to avoid
a crash in libp11/SoftHSM engine (Closes: #1054546).
* CVE-2023-5678 (Excessive time spent in DH check / generation with large Q
parameter value) (Closes: #1055473).
* Upload to unstable.
Checksums-Sha1:
1b0652f324e199396cc8ac60a48fd18bbf2fdadf 2451 openssl_3.1.4-2.dsc
4ed805018c9ab749d2b7ef64c306ada1fac7b94b 71292 openssl_3.1.4-2.debian.tar.xz
Checksums-Sha256:
f41b51cae446ed23ae40a37e549c6d54c5fea32fb6949e005b78de2a815c3046 2451 openssl_3.1.4-2.dsc
f03e8920deaaff45e1415daf9fbc8cd0fdb10217feb6814ca14b87362317ecc8 71292 openssl_3.1.4-2.debian.tar.xz
Files:
3f14c1990bc5f12145231db2e3f6cbeb 2451 utils optional openssl_3.1.4-2.dsc
3f26a3ebe8aecafcbbbe17a579e44472 71292 utils optional openssl_3.1.4-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---