Your message dated Wed, 9 Apr 2025 21:37:32 +0200
with message-id <[email protected]>
and subject line Re: [Pkg-openssl-devel] Bug#1101730: openssl: ppc64el:
upstream fixed Minerva timing side-channel signal for ECC p384
has caused the Debian Bug report #1101730,
regarding openssl: ppc64el: upstream fixed Minerva timing side-channel signal
for ECC p384
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1101730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101730
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssl
Version: 3.4.1-1
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], [email protected], Debian
Security Team <[email protected]>
User: [email protected]
Usertags: ppc64el
Hello,
The OpenSSL maintainers discovered a timing side channel vulnerability in
OpenSSL's P-384 implementation when used with ECDSA. The PPC issue is
discussed publicly here: https://github.com/openssl/openssl/issues/24253 and
the generic issue is discussed here:
https://github.com/openssl/openssl/issues/23860
PR link with fix - https://github.com/openssl/openssl/pull/26709
The last comment says - Merged to the master, 3.5, 3.4, 3.3 and 3.2 branches.
Regards
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.17-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=ca_ES:ca
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssl depends on:
ii libc6 2.41-6
ii libssl3t64 3.4.1-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20241223
-- no debconf information
--- End Message ---
--- Begin Message ---
Source-Version: 3.5.0~~beta1-1
On 2025-03-31 11:02:20 [+0200], Hector Oron Martinez wrote:
> The OpenSSL maintainers discovered a timing side channel vulnerability
> in OpenSSL's P-384 implementation when used with ECDSA. The PPC issue
> is discussed publicly here:
> https://github.com/openssl/openssl/issues/24253 and the generic issue
> is discussed here: https://github.com/openssl/openssl/issues/23860
>
> PR link with fix - https://github.com/openssl/openssl/pull/26709
>
> The last comment says - Merged to the master, 3.5, 3.4, 3.3 and 3.2 branches.
The powerpc thing has been addressed as of
080c6be0b1029 ("Fix Minerva timing side-channel signal for P-384 curve
on PPC")
therefore closing.
Not sure what happened to the "generic" issue but it appears that the
issues were closed without action.
> Regards
Sebastian
--- End Message ---