Your message dated Thu, 05 Jun 2025 16:05:19 +0000
with message-id <[email protected]>
and subject line unblock libcrypt-openssl-rsa-perl
has caused the Debian Bug report #1107322,
regarding unblock: libcrypt-openssl-rsa-perl/0.35-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libcrypt-openssl-rsa-perl
User: [email protected]
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Please unblock package libcrypt-openssl-rsa-perl.
libcrypt-openssl-rsa-perl is a key package, otherwise it would
already have migrated.
0.35-1 fixes a security issue which was considered "minor" by the
security team for bookworm/bullseye/buster, but both they and we would
like to see the fix in trixie nevertheless:
https://bugs.debian.org/1066969
"CVE-2024-2467: vulnerable to the Marvin Attack"
https://security-tracker.debian.org/tracker/CVE-2024-2467
"A timing-based side-channel flaw exists in the
perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover
plaintext across a network in a Bleichenbacher-style attack. To
achieve successful decryption, an attacker would have to be able to
send a large number of trial messages. The vulnerability affects the
legacy PKCS#1v1.5 RSA encryption padding mode."
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/pull/58
"Disable PKCS#1 v1.5 padding"
The package passes all tests and checks and the excuses page is
happy. It also has been in unstable for 4 weeks without any reported
issues. Neither have any new issues been reported upstream:
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues
The complete debdiff looks a bit long, as there are unfortunately all
kinds of documentation changes, upstream build and test tweaks, or
changes for other operating systems involved. (Attached as
libcrypt-openssl-rsa-perl_0.35-1.diff.gz.)
I went through all commits, and there are actually just two bug fixes
which seem relevant and both are 2-line code changes: Attached as
0001-*.patch
Cheers,
gregor
unblock libcrypt-openssl-rsa-perl/0.35-1
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
libcrypt-openssl-rsa-perl_0.35-1.diff.gz
Description: application/gzip
0001-Pass-NULL-to-EVP_PKEY_CTX_new_from_pkey-not-a-random.patch
Description: application/mbox
0001-Disable-PKCS-1-v1.5-padding.patch
Description: application/mbox
--- End Message ---
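An added illustration, not part of the bug report or of the Crypt::OpenSSL::RSA project: Perl code that selects OAEP padding explicitly when encrypting and decrypting with the module, the mode that remains available once the legacy PKCS#1 v1.5 padding concerned by CVE-2024-2467 is disabled, and that collapses every decryption failure into one generic result. The helper names, the throwaway key generated in the script and the sample plaintext are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Build an encryptor from a PEM public key and force OAEP (PKCS#1 v2.0)
# padding, never the legacy PKCS#1 v1.5 mode the CVE concerns.
# (Hypothetical helper name, not part of the module's API.)
sub oaep_encryptor_from_pem {
    my ($pem) = @_;
    my $rsa = Crypt::OpenSSL::RSA->new_public_key($pem);
    $rsa->use_pkcs1_oaep_padding();
    return $rsa;
}

# Same for the private side. (Hypothetical helper name.)
sub oaep_decryptor_from_pem {
    my ($pem) = @_;
    my $rsa = Crypt::OpenSSL::RSA->new_private_key($pem);
    $rsa->use_pkcs1_oaep_padding();
    return $rsa;
}

# Decrypt, turning every failure (bad padding, wrong length, anything else)
# into the same undef so a remote caller cannot tell the cases apart.
# This is oracle hygiene on top of OAEP, not a substitute for it.
sub decrypt_or_undef {
    my ($rsa, $ciphertext) = @_;
    my $plaintext = eval { $rsa->decrypt($ciphertext) };
    return defined $plaintext ? $plaintext : undef;
}

# Constructed demo: a throwaway 2048-bit key pair generated in-process.
# A real deployment would load existing PEM keys from files instead.
my $keypair  = Crypt::OpenSSL::RSA->generate_key(2048);
my $pub_pem  = $keypair->get_public_key_string();
my $priv_pem = $keypair->get_private_key_string();

my $plaintext  = "constructed sample message";        # constructed input
my $ciphertext = oaep_encryptor_from_pem($pub_pem)->encrypt($plaintext);
my $decryptor  = oaep_decryptor_from_pem($priv_pem);

my $recovered = decrypt_or_undef($decryptor, $ciphertext);
die "OAEP round trip failed\n" unless defined $recovered && $recovered eq $plaintext;

# A corrupted ciphertext must come back as undef, with no distinct error text.
my $corrupted = $ciphertext ^ ("\x01" x length $ciphertext);
die "corrupted input was accepted\n" if defined decrypt_or_undef($decryptor, $corrupted);

print "OAEP round trip OK; corrupted input rejected uniformly\n";
```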
--- Begin Message ---
Unblocked libcrypt-openssl-rsa-perl.
--- End Message ---