[Git][security-tracker-team/security-tracker][master] change status of CVE-2018-0734 in Jessie

Mon, 19 Nov 2018 07:08:41 -0800 

Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a2c032e by Thorsten Alteholz at 2018-11-19T14:56:23Z
change status of CVE-2018-0734 in Jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -51673,13 +51673,18 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm 
has been shown to be vulner
 CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be 
vulnerable to ...)
        - openssl <unfixed>
        [stretch] - openssl <postponed> (Wait for next DSA and upstream release)
-       [jessie] - openssl <not-affected> (vulnerable code not present)
+       [jessie] - openssl <postponed> (vulnerable code not present, but see 
note below)
        - openssl1.0 <unfixed>
        [stretch] - openssl1.0 <postponed> (Wait for next DSA and upstream 
release)
        NOTE: https://www.openssl.org/news/secadv/20181030.txt
        NOTE: OpenSSL_1_1_1-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
        NOTE: OpenSSL_1_1_0-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
        NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=43e6a58d4991a451daf4891ff05a48735df871ac
+       NOTE: Actually the version in Jessie is not vulnerable. Nevertheless 
there is a bug fix which
+       NOTE: futher reduces the amount of leaked timing information. It got no 
CVE on its own and
+       NOTE: introduced this vulnerability. In order to not forget this issue 
and probably get more
+       NOTE: information about it later, it is marked as <postponed> instead 
of <not-affected>
+       NOTE: 
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=b96bebacfe814deb99fb64a3ed2296d95c573600
 CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp 
function is ...)
        - openssl 1.1.0h-1 (unimportant)
        [stretch] - openssl 1.1.0f-3+deb9u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a2c032eb658a1667d469eb63b133bcba3748b2a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a2c032eb658a1667d469eb63b133bcba3748b2a
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to