Your message dated Sat, 03 Feb 2024 17:20:03 +0000
with message-id <e1rwjgr-000fel...@fasolo.debian.org>
and subject line Bug#1060347: fixed in openssl 3.1.5-1
has caused the Debian Bug report #1060347,
regarding openssl: CVE-2023-6129
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060347: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssl
Version: 3.1.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.0.11-1~deb12u2
Hi,
The following vulnerability was published for openssl.
CVE-2023-6129[0]:
| Issue summary: The POLY1305 MAC (message authentication code)
| implementation contains a bug that might corrupt the internal state
| of applications running on PowerPC CPU based platforms if the CPU
| provides vector instructions. Impact summary: If an attacker can
| influence whether the POLY1305 MAC algorithm is used, the
| application state might be corrupted with various application
| dependent consequences. The POLY1305 MAC (message authentication
| code) implementation in OpenSSL for PowerPC CPUs restores the
| contents of vector registers in a different order than they are
| saved. Thus the contents of some of these vector registers are
| corrupted when returning to the caller. The vulnerable code is used
| only on newer PowerPC processors supporting the PowerISA 2.07
| instructions. The consequences of this kind of internal application
| state corruption can be various - from no consequences, if the
| calling application does not depend on the contents of non-volatile
| XMM registers at all, to the worst consequences, where the attacker
| could get complete control of the application process. However
| unless the compiler uses the vector registers for storing pointers,
| the most likely consequence, if any, would be an incorrect result of
| some application dependent calculations or a crash leading to a
| denial of service. The POLY1305 MAC algorithm is most frequently
| used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption
| with associated data) algorithm. The most common usage of this AEAD
| cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is
| enabled on the server a malicious client can influence whether this
| AEAD cipher is used. This implies that TLS server applications using
| OpenSSL can be potentially impacted. However we are currently not
| aware of any concrete application that would be affected by this
| issue therefore we consider this a Low severity security issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-6129
https://www.cve.org/CVERecord?id=CVE-2023-6129
[1] https://www.openssl.org/news/secadv/20240109.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.1.5-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1060...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 03 Feb 2024 17:11:24 +0100
Source: openssl
Architecture: source
Version: 3.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1060347 1060858 1061582
Changes:
openssl (3.1.5-1) unstable; urgency=medium
.
  * Import 3.1.5
    - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
    - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
      (Closes: #1060858).
    - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
      PowerPC) (Closes: #1060347).
--- End Message ---
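Acting on a closure like this one means comparing the installed package version against the version that carries the fix using Debian's version ordering, not plain string comparison (a string compare would put 3.1.10-1 below 3.1.5-1 and 3.0.11-1~deb12u2 above 3.0.11-1). The Python below is an added example, not code from the bug report or from dpkg: it reimplements dpkg's comparison algorithm and applies it to the versions this report names; the only fixed version on the page is 3.1.5-1 for unstable, so for the bookworm version 3.0.11-1~deb12u2 marked as affected it reports "unknown" rather than guessing a fix.

```python
# Added example (not from the bug report or dpkg): Debian version ordering
import re


def _order(c):
    # dpkg weighting: '~' sorts before end-of-string, letters before other marks.
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit prefixes first, character by character (end-of-string weighs 0).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Then the digit runs, compared numerically (leading zeros ignored).
        ma, mb = re.match(r"0*(\d*)", a[i:]), re.match(r"0*(\d*)", b[j:])
        da, db = ma.group(1), mb.group(1)
        i, j = i + ma.end(), j + mb.end()
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, _, v = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


# Only the fix named in this report (unstable); bookworm's 3.0.11-1~deb12u2 is
# marked affected here but no bookworm fix is named, so that suite stays unknown.
FIXED_IN = {"unstable": "3.1.5-1"}


def cve_2023_6129_status(installed, suite="unstable"):
    fixed = FIXED_IN.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"
```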