On Sat, Jun 22, 2024 at 11:04:49AM +0000, Bastien Roucariès wrote:
> Hi,

Hi Bastien,

> After a few hours I get the impression that fixing CVE-2024-0914 even for
> bookworm will be extremely hard (lack of constant time operation, massive code
> change...)
>
> I suppose the best way is to do a full backport of unstable way to buster and for
> ELTS to stretch/jessie
>
> What is your point of view about this?

after a quick look, backporting the latest openCryptoki to jessie might be more work than backporting the fixes to the version in jessie since you have to revert the OpenSSL API changes.

The CVE is marked "<no-dsa> (Minor issue)" in (old)stable, and CVE-2022-4304 for the same issue is ignored in OpenSSL 1.0 in jessie and stretch.

If backporting to older openCryptoki versions is not feasible, I'd suggest to ignore the CVE.

> Bastien

cu
Adrian
