Your message dated Mon, 10 Apr 2017 18:00:17 +0000
with message-id <e1cxdbt-0009ql...@fasolo.debian.org>
and subject line Bug#856114: fixed in wolfssl 3.10.2+dfsg-1
has caused the Debian Bug report #856114,
regarding wolfssl: CVE-2017-6076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
856114: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856114
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: wolfssl
Version: 3.9.10+dfsg-1
Severity: grave
Tags: upstream security patch fixed-upstream

Hi,

the following vulnerability was published for wolfssl.

CVE-2017-6076[0]:
| In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes
| it easier to extract RSA key information for a malicious user who has
| access to view cache on a machine.

From the release notes:

Low level fix for potential cache attack on RSA operations. If using
wolfSSL RSA on a server that other users can have access to monitor
the cache, then it is recommended to update wolfSSL. Thanks to Andreas
Zankl, Johann Heyszl and Georg Sigl at Fraunhofer AISEC for the
initial report.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-6076
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6076
[1] https://github.com/wolfSSL/wolfssl/commit/345df93978c41da1ac8047a37f1fed5286883d8d
[2] https://github.com/wolfSSL/wolfssl/pull/674

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: wolfssl
Source-Version: 3.10.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lech...@lease-up.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Apr 2017 14:09:21 -0700
Source: wolfssl
Binary: libwolfssl10 libwolfssl-dev
Architecture: source armhf
Version: 3.10.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Felix Lechner <felix.lech...@lease-up.com>
Changed-By: Felix Lechner <felix.lech...@lease-up.com>
Description:
 libwolfssl-dev - Development files for the wolfSSL encryption library
 libwolfssl10 - wolfSSL encryption library
Closes: 856114
Changes:
 wolfssl (3.10.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
   * New major version is 10
   * New maintainer email address
   * Fixes a low level vulnerability for buffer overflow when loading a
     malformed temporary DH file
   * Fixes a medium level vulnerability for processing of OCSP response
   * Fixes CVE-2017-6076, a low level vulnerability for a potential
     cache attack on RSA operations (Closes: #856114)
   * Enabled SHA-224 for all architectures, as advised by upstream

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
