Your message dated Wed, 06 Feb 2013 20:47:46 +0000
with message-id <e1u3bue-0003na...@franck.debian.org>
and subject line Bug#699887: fixed in polarssl 1.2.5-1
has caused the Debian Bug report #699887,
regarding TLS timing attack in polarssl (Lucky 13)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
699887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: polarssl
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the
handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits
timing differences arising during MAC processing. Details of this attack
can be found at: http://www.isg.rhul.ac.uk/tls/

The problems are addressed in PolarSSL 1.2.5:
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

The generic protocol issue has been assigned CVE name CVE-2013-0169.
The specific fix in PolarSSL is known as CVE-2013-1621 and
CVE-2013-1622. Please mention these identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing?
And are you available to create an update for stable-security?

Cheers,
Thijs
--- End Message ---
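The report above notes that the attack exploits timing differences that arise during MAC processing. The following Python sketch is added here as an illustration of that failure mode and its mitigation; it is not code from PolarSSL, from the bug report or from the Debian package. It contrasts a CBC record check that skips the MAC computation as soon as the padding looks wrong with one that always does the same amount of MAC work and decides only at the end, which is the principle behind Lucky 13 fixes. The key, the record-layout helper and the payloads are constructed for the example, and the byte count each function returns stands in for the processing time an observer on the network would measure.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"          # constructed for this example, not a real key
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes: TLS 1.x CBC suites use HMAC-SHA1
BLOCK = 16                             # AES block size


def hmac_sha1(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()


def build_plaintext(payload: bytes) -> bytes:
    """Lay out a TLS CBC record as it looks after decryption (constructed helper):
    payload || HMAC(payload) || padding, where the last padlen+1 bytes all equal padlen."""
    body = payload + hmac_sha1(payload)
    padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([padlen]) * (padlen + 1)


def verify_naive(plain: bytes):
    """Returns (payload or None, number of bytes fed to HMAC).
    Bails out as soon as the padding looks wrong, so no MAC is computed on a
    padding error: the amount of work, and therefore the response time, reveals
    whether the padding check or the MAC check is what failed."""
    padlen = plain[-1]
    if padlen + 1 + MAC_LEN > len(plain):
        return None, 0
    if any(b != padlen for b in plain[-(padlen + 1):]):
        return None, 0
    body = plain[:-(padlen + 1)]
    payload, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if tag != hmac_sha1(payload):       # also an early-exit comparison
        return None, len(payload)
    return payload, len(payload)


def verify_hardened(plain: bytes):
    """Returns (payload or None, number of bytes fed to HMAC).
    Checks every candidate padding byte without early exit, always feeds the
    same total number of bytes (len(plain) - MAC_LEN) through HMAC whatever the
    padding byte says, and compares the tag with a constant-time comparison.
    Only the final accept/reject value depends on the data-dependent checks."""
    n = len(plain)
    if n < MAC_LEN + 1:                 # record length is public; too short to hold a MAC
        return None, 0
    padlen = plain[-1]
    ok = int(padlen + 1 + MAC_LEN <= n)
    padlen *= ok                        # impossible padlen: proceed as if it were 0
    for i in range(1, min(256, n - MAC_LEN) + 1):
        in_pad = int(i <= padlen + 1)   # positions outside the claimed padding never fail
        ok &= int(plain[-i] == padlen) | (1 - in_pad)
    payload_end = n - padlen - 1 - MAC_LEN
    payload, tag = plain[:payload_end], plain[payload_end:payload_end + MAC_LEN]
    computed = hmac_sha1(payload)
    # Dummy HMAC over the trailing bytes so the total hashed length does not
    # depend on padlen (real fixes equalise compression-function calls similarly).
    hmac_sha1(plain[payload_end + MAC_LEN:])
    ok &= int(hmac.compare_digest(computed, tag))
    return (payload if ok else None), n - MAC_LEN


if __name__ == "__main__":
    record = build_plaintext(b"GET / HTTP/1.1")
    bad_padding = record[:-1] + b"\xff"           # padlen 255 cannot fit
    bad_mac = bytes([record[0] ^ 1]) + record[1:]  # flip one payload bit
    for name, r in (("valid", record), ("bad padding", bad_padding), ("bad MAC", bad_mac)):
        print(f"{name:12s} naive={verify_naive(r)[1]:3d} bytes hashed, "
              f"hardened={verify_hardened(r)[1]:3d} bytes hashed")
```

In the naive version a padding error costs zero HMAC bytes while a MAC error costs the whole payload, which is the difference an attacker measures; the hardened version hashes `len(plain) - MAC_LEN` bytes in every case, so the two error paths are indistinguishable by work done. Real libraries additionally have to keep the decryption error alert identical for both cases and avoid data-dependent branches in native code, which a Python sketch cannot fully model.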
--- Begin Message ---
Source: polarssl
Source-Version: 1.2.5-1

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <sti...@antcom.de> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 06 Feb 2013 21:13:35 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.2.5-1
Distribution: experimental
Urgency: low
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Roland Stigge <sti...@antcom.de>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 699887
Changes: 
 polarssl (1.2.5-1) experimental; urgency=low
 .
   * New upstream release (Closes: #699887)
   * Fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw
     (Including CVE-2013-1621 and CVE-2013-1622)
Checksums-Sha1: 
 9f78ea10a409e24172a9994b48ff2a96d153626b 1168 polarssl_1.2.5-1.dsc
 84a703feaeb00cb5fba74a4aa7168e79128bbb19 980299 polarssl_1.2.5.orig.tar.gz
 691db0473550ab4c19647f108b0d32b8cf1e82fc 4623 polarssl_1.2.5-1.debian.tar.gz
 bcf795a4dfc9ebaff921bf689a77ef03681f7b36 260672 libpolarssl-dev_1.2.5-1_amd64.deb
 8eae07203ac92aaf3952733f743608f6dba162be 2504580 libpolarssl-runtime_1.2.5-1_amd64.deb
 776f7dbe104363cf659b32cd20111da6700cec96 176186 libpolarssl0_1.2.5-1_amd64.deb
Checksums-Sha256: 
 ff471030814f5623f361e57b3746cdd261c1e2590495b9529832789c47b99493 1168 polarssl_1.2.5-1.dsc
 ee596851684faef5af124902a27abec0461b2311eee1aa9620d732f9ea4d124a 980299 polarssl_1.2.5.orig.tar.gz
 41d65fe137a4d9832f85fa5a538430974ce5e34702aa519c9ef3a8a0f65ed2bf 4623 polarssl_1.2.5-1.debian.tar.gz
 840671b8dcf70cc99fdd2e69873211ec3a20a765ab2d599a82cdc4bd024736e1 260672 libpolarssl-dev_1.2.5-1_amd64.deb
 7be8270e0d0eaab69bbbe1046c2e470f0112ad60452ffc2ac0de68062a3d0f34 2504580 libpolarssl-runtime_1.2.5-1_amd64.deb
 12bb5c8d6f79532768107b5ac536bd56fd7802d6531da91ce0199b5f17da292e 176186 libpolarssl0_1.2.5-1_amd64.deb
Files: 
 00374f7a876898c2489403c6c775c5ec 1168 libs optional polarssl_1.2.5-1.dsc
 f42dd79cd85384ac9ad482caa665ac8f 980299 libs optional polarssl_1.2.5.orig.tar.gz
 46d5b4c733993e7365e202f3538472a6 4623 libs optional polarssl_1.2.5-1.debian.tar.gz
 3c89d7b0b857088e8b3a05fd91304458 260672 libdevel optional libpolarssl-dev_1.2.5-1_amd64.deb
 b6520d98316674c5ad9f930ad564da9b 2504580 libdevel optional libpolarssl-runtime_1.2.5-1_amd64.deb
 d043c57efdfe7e5603bb4f0fea83b576 176186 libs optional libpolarssl0_1.2.5-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFREr0pcaH/YBv43g8RAmr/AJ9Skt8Y2RgjiG4V0OXWrHAq6AlFQQCfTfmC
AeIf/xxa+O5fgadSVE6SqgA=
=FuZ8
-----END PGP SIGNATURE-----
--- End Message ---