Your message dated Thu, 07 Feb 2013 21:32:47 +0000
with message-id <e1u3z5l-0003z2...@franck.debian.org>
and subject line Bug#699887: fixed in polarssl 1.1.4-2
has caused the Debian Bug report #699887,
regarding TLS timing attack in polarssl (Lucky 13)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
699887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: polarssl
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the
handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits
timing differences arising during MAC processing. Details of this attack
can be found at:
http://www.isg.rhul.ac.uk/tls/

The problems are addressed in PolarSSL 1.2.5:
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

The generic protocol issue has been assigned CVE name CVE-2013-0169.
The specific fix in PolarSSL is known as CVE-2013-1621 and CVE-2013-1622.
Please mention these identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing?
And are you available to create an update for stable-security?

Cheers,
Thijs
--- End Message ---
--- Begin Message ---
Source: polarssl
Source-Version: 1.1.4-2

We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Stigge <sti...@antcom.de> (supplier of updated polarssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 07 Feb 2013 22:08:26 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.1.4-2
Distribution: unstable
Urgency: high
Maintainer: Roland Stigge <sti...@antcom.de>
Changed-By: Roland Stigge <sti...@antcom.de>
Description: 
 libpolarssl-dev - lightweight crypto and SSL/TLS library
 libpolarssl-runtime - lightweight crypto and SSL/TLS library
 libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 699887
Changes: 
 polarssl (1.1.4-2) unstable; urgency=high
 .
   * Security fix for CVE-2013-0169: Lucky 13 TLS protocol timing flaw
     including CVE-2013-1621 and CVE-2013-1622, backported from upstream
     diff from 1.2.4 to 1.2.5.
     (Closes: #699887)
--- End Message ---