Your message dated Tue, 01 Nov 2022 21:22:51 +0000
with message-id <e1opyih-00gukk...@fasolo.debian.org>
and subject line Bug#1021620: fixed in openssl 3.0.7-1
has caused the Debian Bug report #1021620,
regarding openssl: CVE-2022-3358
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1021620: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021620
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssl
Version: 3.0.5-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.0.5-2

Hi,

The following vulnerability was published for openssl.

CVE-2022-3358[0]:
| OpenSSL supports creating a custom cipher via the legacy
| EVP_CIPHER_meth_new() function and associated function calls. This
| function was deprecated in OpenSSL 3.0 and application authors are
| instead encouraged to use the new provider mechanism in order to
| implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly
| handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(),
| EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as
| other similarly named encryption and decryption initialisation
| functions). Instead of using the custom cipher directly it incorrectly
| tries to fetch an equivalent cipher from the available providers. An
| equivalent cipher is found based on the NID passed to
| EVP_CIPHER_meth_new(). This NID is supposed to represent the unique
| NID for a given cipher. However it is possible for an application to
| incorrectly pass NID_undef as this value in the call to
| EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL
| encryption/decryption initialisation function will match the NULL
| cipher as being equivalent and will fetch this from the available
| providers. This will succeed if the default provider has been loaded
| (or if a third party provider has been loaded that offers this
| cipher). Using the NULL cipher means that the plaintext is emitted as
| the ciphertext. Applications are only affected by this issue if they
| call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in
| a call to an encryption/decryption initialisation function.
| Applications that only use SSL/TLS are not impacted by this issue.
| Fixed in OpenSSL 3.0.6 (Affected 3.0.0-3.0.5).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3358
    https://www.cve.org/CVERecord?id=CVE-2022-3358
[1] https://www.openssl.org/news/secadv/20221011.txt

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.0.7-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1021...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 01 Nov 2022 21:39:01 +0100
Source: openssl
Architecture: source
Version: 3.0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1021620
Changes:
 openssl (3.0.7-1) unstable; urgency=medium
 .
   * Import 3.0.7
     - Using a Custom Cipher with NID_undef may lead to NULL encryption
       (CVE-2022-3358) (Closes: #1021620).
     - X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602).
     - X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786).
   * Disable rdrand engine (the opcode on x86).
   * Remove config bits for MIPS R6, the generic MIPS config can be used.
Checksums-Sha1:
 ba889faa1beaff73d5b1367c197e41057e221f65 2601 openssl_3.0.7-1.dsc
 f20736d6aae36bcbfa9aba0d358c71601833bf27 15107575 openssl_3.0.7.orig.tar.gz
 7b4c50ff27fadda7680a985ae2e6b5716f092e56 858 openssl_3.0.7.orig.tar.gz.asc
 91c232746d02b5b7a61fe60f4a311edde53f7320 74992 openssl_3.0.7-1.debian.tar.xz
Checksums-Sha256:
 96e332e50ec17be6f623ef2c77c6146f2dd8418e4b1fe918db0b27798c0e9087 2601 openssl_3.0.7-1.dsc
 83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e 15107575 openssl_3.0.7.orig.tar.gz
 18be1d820b25ed5c7d8efe4fdba0b947925273ca114bbd78faecbd99a52df203 858 openssl_3.0.7.orig.tar.gz.asc
 a43f0c9aa8756629d8d34c3e9f41f5bed85672c7a4b6110d3f65a5edf5d3b89b 74992 openssl_3.0.7-1.debian.tar.xz
Files:
 3e370c40b180045e6ebf1c0e8de2f61c 2601 utils optional openssl_3.0.7-1.dsc
 545478ce41b96bf3beacb4dc58b36c77 15107575 utils optional openssl_3.0.7.orig.tar.gz
 8cf6d88be580b37f4af4ea25424f4d2a 858 utils optional openssl_3.0.7.orig.tar.gz.asc
 e76b322b86cff266889d259d198a3436 74992 utils optional openssl_3.0.7-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
