Your message dated Wed, 28 May 2025 21:06:20 +0000
with message-id <e1uknye-002mub...@fasolo.debian.org>
and subject line Bug#1106322: fixed in openssl 3.5.0-2
has caused the Debian Bug report #1106322,
regarding openssl: CVE-2025-4575
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106322
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssl
Version: 3.5.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for openssl.
CVE-2025-4575[0]:
| Issue summary: Use of -addreject option with the openssl x509
| application adds a trusted use instead of a rejected use for a
| certificate. Impact summary: If a user intends to make a trusted
| certificate rejected for a particular use it will be instead marked
| as trusted for that use. A copy & paste error during minor
| refactoring of the code introduced this issue in the OpenSSL 3.5
| version. If, for example, a trusted CA certificate should be trusted
| only for the purpose of authenticating TLS servers but not for CMS
| signature verification and the CMS signature verification is
| intended to be marked as rejected with the -addreject option, the
| resulting CA certificate will be trusted for CMS signature
| verification purpose instead. Only users which use the trusted
| certificate format who use the openssl x509 command line application
| to add rejected uses are affected by this issue. The issues
| affecting only the command line application are considered to be Low
| severity. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are
| not affected by this issue. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1
| and 1.0.2 are also not affected by this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-4575
https://www.cve.org/CVERecord?id=CVE-2025-4575
[1] https://openssl-library.org/news/secadv/20250522.txt
Regards,
Salvatore
--- End Message ---
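The advisory above describes a silent inversion: a purpose passed to `-addreject` ends up in the certificate's trusted-use list. A defender verifying a build wants to see where a rejected purpose actually landed. The following is an added example, not code from the bug report, from Debian or from the OpenSSL project. It assumes the documented layout of the trust settings that `openssl x509 -text` prints for a TRUSTED CERTIFICATE (a `Trusted Uses:` header and a `Rejected Uses:` header, each followed by one line of comma-separated purpose names, then `Alias:` or `Key Id:`), and it uses OpenSSL's long purpose names ("E-mail Protection", "TLS Web Server Authentication"). The sample outputs are constructed; the live check generates a throwaway self-signed CA in a temporary directory and only runs when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example: classify where a purpose landed in the trust settings
# printed by `openssl x509 -text`, then optionally run that check against
# the locally installed openssl. Not part of the Debian bug thread.

# classify_use PURPOSE   (stdin: output of `openssl x509 -text -noout`)
# Prints "trusted", "rejected" or "absent" for the given long purpose name.
classify_use() {
    awk -v want="$1" '
        /^[ \t]*Trusted Uses:/  { section = "trusted";  next }
        /^[ \t]*Rejected Uses:/ { section = "rejected"; next }
        /^[ \t]*Alias:/ || /^[ \t]*Key Id:/ { section = "" }
        section != "" && index($0, want) > 0 { found = section }
        END { print (found == "" ? "absent" : found) }
    '
}

# Constructed sample (assumed layout): what an unaffected build prints after
#   openssl x509 -addtrust serverAuth -addreject emailProtection -trustout
SAMPLE_CORRECT='Trusted Uses:
  TLS Web Server Authentication
Rejected Uses:
  E-mail Protection
Alias: example-ca'

# Constructed sample (assumed layout): the shape CVE-2025-4575 produces,
# where the purpose given to -addreject is appended to the trusted list.
SAMPLE_AFFECTED='Trusted Uses:
  TLS Web Server Authentication, E-mail Protection
Rejected Uses:
  No Rejected Uses.
Alias: example-ca'

# check_local_openssl: returns 0 when -addreject yields a rejected use,
# 1 when it yields anything else (trusted = the CVE-2025-4575 behaviour),
# 2 when openssl is unavailable or the throwaway CA could not be created.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    # Throwaway self-signed CA, created only for this check.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=addreject-check" \
        -keyout "$tmp/key.pem" -out "$tmp/ca.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 2; }
    # Trust the CA for serverAuth, reject it for emailProtection.
    openssl x509 -in "$tmp/ca.pem" \
        -addtrust serverAuth -addreject emailProtection -trustout \
        -out "$tmp/ca-trusted.pem" >/dev/null 2>&1 \
        || { rm -rf "$tmp"; return 2; }
    result=$(openssl x509 -in "$tmp/ca-trusted.pem" -text -noout \
             | classify_use "E-mail Protection")
    rm -rf "$tmp"
    echo "openssl $(openssl version | cut -d' ' -f2): emailProtection reject landed as: $result"
    [ "$result" = "rejected" ]
}

# Stand-alone use: show the verdict for both constructed samples; run the
# live check against the local openssl only when invoked with --live.
printf 'correct build  -> %s\n' "$(printf '%s\n' "$SAMPLE_CORRECT"  | classify_use 'E-mail Protection')"
printf 'affected build -> %s\n' "$(printf '%s\n' "$SAMPLE_AFFECTED" | classify_use 'E-mail Protection')"
if [ "${1:-}" = "--live" ]; then
    check_local_openssl
fi
```

Run it as `sh addreject-check.sh --live` on the host in question: a verdict of `trusted` for the rejected purpose is the behaviour the advisory describes, and any trusted-certificate files produced with `-addreject` on such a build should be regenerated after upgrading (in Debian, to 3.5.0-2 or later) rather than assumed correct.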
--- Begin Message ---
Source: openssl
Source-Version: 3.5.0-2
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 28 May 2025 22:13:00 +0200
Source: openssl
Architecture: source
Version: 3.5.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1106322 1106516
Changes:
openssl (3.5.0-2) unstable; urgency=medium
.
* Fix P-384 curve on lower-than-P9 PPC64 targets (Closes: #1106516).
* CVE-2025-4575 ("The x509 application adds trusted use instead of
rejected use") (Closes: #1106322).
Checksums-Sha1:
b7861cc17b565bd1d76b0c1b7a0b9eb88f3d6aad 2637 openssl_3.5.0-2.dsc
a3707a41d4c26d5e5512ff0444ea5fcc4499b09f 51924 openssl_3.5.0-2.debian.tar.xz
Checksums-Sha256:
f40cac5c47c23869fdccd4ba9143227f763b4c0d9b79652be3ae631979408100 2637 openssl_3.5.0-2.dsc
654257ddd41e086c16d0c6c249cc700bd20a20409d5e1f49d72270268de5206e 51924 openssl_3.5.0-2.debian.tar.xz
Files:
a73d79c87c4647bbc8796fc019cff845 2637 utils optional openssl_3.5.0-2.dsc
2fdc3774039b820070cbf818398ae87a 51924 utils optional openssl_3.5.0-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmg3dPwACgkQBWQfF1cS
+lv9UwwAhvILfkQO/IeMkHiQ7YBg7Wk/KMx8EsrtwJbctWdXyuBeMKHWp17g0Ykw
JoXddBPTw40MlZtO5+ClioYz5/PJURanRtFnbu9PAUq0YxdmLFcF2QLwGz14YXGH
UrMGuvUCK1RVWA+fjy9mh03tuYiA/NFtEzahRezrl3o250dsmQMQgyTIWVNISDhr
ZvdidZYVIdCs8iOHGqQmOYoXAaaQ/vRiyNT/8Donwg/4R9+OkN2GKiCDDjDvV76v
fGmSC00TggtnXsxb/dFJXsWGVAVRk5MVGZHJCfupF2p/CISW5RDxIpmyUanOVvad
1PzbVB969XfDdb4wO7JIrnOpPD2StFhu98y7IxXT0SFlNOS3HJSUJmKnVfjB5D9a
zf0dTIKp3SSznzNs8yDHNpyDBvHjZAu7uyUP/+PKFOv09JUhFn8TwvYP/1pns1Bc
QH3D2Ao9IMZOrj6K6NrobT/XOyttuCdQ5CVi98DC0EuyHwbbww878r/wjoOedRUA
clFw89Fo
=P8wK
-----END PGP SIGNATURE-----
--- End Message ---