Package: openssl
Version: 3.4.1-1
Severity: important
Tags: security
X-Debbugs-Cc: debian-powe...@lists.debian.org, zu...@debian.org, Debian 
Security Team <t...@security.debian.org>
User: debian-powe...@lists.debian.org
Usertags: ppc64el

Hello,

The OpenSSL maintainers discovered a timing side-channel vulnerability in 
OpenSSL's P-384 implementation when used with ECDSA.  The PPC issue is 
discussed publicly here: https://github.com/openssl/openssl/issues/24253 and 
the generic issue is discussed here: 
https://github.com/openssl/openssl/issues/23860

PR link with fix - https://github.com/openssl/openssl/pull/26709

The last comment says - Merged to the master, 3.5, 3.4, 3.3 and 3.2 branches.

Regards


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.17-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=ca_ES:ca
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6       2.41-6
ii  libssl3t64  3.4.1-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20241223

-- no debconf information
