-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 01 Mar 2019 16:25:39 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (1.0.1t-1+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-1559:
     Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
     oracle attack in OpenSSL. If an application encounters a fatal protocol
     error and then calls SSL_shutdown() twice (once to send a close_notify,
     and once to receive one) then OpenSSL can respond differently to the
     calling application if a 0 byte record is received with invalid padding
     compared to if a 0 byte record is received with an invalid MAC. If the
     application then behaves differently based on that in a way that is
     detectable to the remote peer, then this amounts to a padding oracle
     that could be used to decrypt data.
 .
     In order for this to be exploitable "non-stitched" ciphersuites must be
     in use. Stitched ciphersuites are optimised implementations of certain
     commonly used ciphersuites. Also the application must call
     SSL_shutdown() twice even if a protocol error has occurred
     (applications should not do this but some do anyway). AEAD
     ciphersuites are not impacted.
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb