Your message dated Fri, 15 Feb 2013 12:17:11 +0000
with message-id <[email protected]>
and subject line Bug#699887: fixed in polarssl 0.12.1-1squeeze1
has caused the Debian Bug report #699887,
regarding TLS timing attack in polarssl (Lucky 13)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
699887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: polarssl
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/

The problems are addressed in PolarSSL 1.2.5:
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

The generic protocol issue has been assigned CVE name CVE-2013-0169. The 
specific fix in PolarSSL is known as CVE-2013-1621 and CVE-2013-1622. Please 
mention these identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing? And 
are you available to create an update for stable-security?


Cheers,
Thijs

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message ---
Source: polarssl
Source-Version: 0.12.1-1squeeze1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <[email protected]> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 07 Feb 2013 22:17:00 +0100
Source: polarssl
Binary: libpolarssl-dev
Architecture: source amd64
Version: 0.12.1-1squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Roland Stigge <[email protected]>
Changed-By: Roland Stigge <[email protected]>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
Closes: 699887
Changes: 
 polarssl (0.12.1-1squeeze1) stable-security; urgency=low
 .
   * Security fix for CVE-2013-0169: Lucky 13 TLS protocol timing flaw
     including CVE-2013-1621 and CVE-2013-1622, backported from upstream
     diff from 1.2.4 to 1.2.5. (Closes: #699887)
Checksums-Sha1: 
 4d591f82c8e25734d847e007d2b83deec994e175 1030 polarssl_0.12.1-1squeeze1.dsc
 31a85ae0b1365de5575e4f7b3c982bd14de0870b 335160 polarssl_0.12.1.orig.tar.gz
 12a187070bef9528f086c84532d8ba3cf231226b 4362 polarssl_0.12.1-1squeeze1.diff.gz
 4bb595e33d583c07c61b81c48b5883967a228c36 260808 
libpolarssl-dev_0.12.1-1squeeze1_amd64.deb
Checksums-Sha256: 
 4d20b29acb053ae452fdf6d8b3ee776419ec88b2ac1e6c23205350c0f9fdba2f 1030 
polarssl_0.12.1-1squeeze1.dsc
 4bd79758b22e04b653e3e825847e3c72b4aab51685fa2acdb6fe00431c8bb8f3 335160 
polarssl_0.12.1.orig.tar.gz
 d5e31f1d7b3b4fa6251f626be8f1aaff5fc4e7f22f6c441b4c02278f4887cf4a 4362 
polarssl_0.12.1-1squeeze1.diff.gz
 c69bf1b7d79e70ac9b02ce227a8adca78da52039afc6ad65635c34d3f553ecd4 260808 
libpolarssl-dev_0.12.1-1squeeze1_amd64.deb
Files: 
 1ecbad3f05b475c9bf4e301508c4600f 1030 libs optional 
polarssl_0.12.1-1squeeze1.dsc
 08bc85a19bbe65493076b9968b421e80 335160 libs optional 
polarssl_0.12.1.orig.tar.gz
 30eff016a99d2d9407558833c2ced7b6 4362 libs optional 
polarssl_0.12.1-1squeeze1.diff.gz
 fa31f8ebfd87669c1f7b38f91d89e7ec 260808 libdevel optional 
libpolarssl-dev_0.12.1-1squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRF5dBcaH/YBv43g8RAlE8AJ9AVA8kEFpos75/ciukbHyU5Q47kACg6C4d
l6DafxdwNDmVc5shZnPlAJ0=
=rfPd
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to