Your message dated Sat, 03 Feb 2024 17:20:40 +0000
with message-id <e1rwjh2-000fks...@fasolo.debian.org>
and subject line Bug#1060347: fixed in openssl 3.2.1-1
has caused the Debian Bug report #1060347,
regarding openssl: CVE-2023-6129
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060347: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssl
Version: 3.1.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.0.11-1~deb12u2
Hi,
The following vulnerability was published for openssl.
CVE-2023-6129[0]:
| Issue summary: The POLY1305 MAC (message authentication code)
| implementation contains a bug that might corrupt the internal state
| of applications running on PowerPC CPU based platforms if the CPU
| provides vector instructions. Impact summary: If an attacker can
| influence whether the POLY1305 MAC algorithm is used, the
| application state might be corrupted with various application
| dependent consequences. The POLY1305 MAC (message authentication
| code) implementation in OpenSSL for PowerPC CPUs restores the
| contents of vector registers in a different order than they are
| saved. Thus the contents of some of these vector registers are
| corrupted when returning to the caller. The vulnerable code is used
| only on newer PowerPC processors supporting the PowerISA 2.07
| instructions. The consequences of this kind of internal application
| state corruption can be various - from no consequences, if the
| calling application does not depend on the contents of non-volatile
| XMM registers at all, to the worst consequences, where the attacker
| could get complete control of the application process. However
| unless the compiler uses the vector registers for storing pointers,
| the most likely consequence, if any, would be an incorrect result of
| some application dependent calculations or a crash leading to a
| denial of service. The POLY1305 MAC algorithm is most frequently
| used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption
| with associated data) algorithm. The most common usage of this AEAD
| cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is
| enabled on the server a malicious client can influence whether this
| AEAD cipher is used. This implies that TLS server applications using
| OpenSSL can be potentially impacted. However we are currently not
| aware of any concrete application that would be affected by this
| issue therefore we consider this a Low severity security issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-6129
https://www.cve.org/CVERecord?id=CVE-2023-6129
[1] https://www.openssl.org/news/secadv/20240109.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.2.1-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1060...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sat, 03 Feb 2024 17:23:00 +0100
Source: openssl
Architecture: source
Version: 3.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1060347 1060858 1061582
Changes:
openssl (3.2.1-1) experimental; urgency=medium
.
  * Import 3.2.1
    - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
    - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
      (Closes: #1060858).
    - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
      PowerPC) (Closes: #1060347).
--- End Message ---