Your message dated Wed, 14 Feb 2018 13:00:12 +0000 with message-id <e1elwfu-000djt...@fasolo.debian.org> and subject line Bug#890288: fixed in mbedtls 2.7.0-1 has caused the Debian Bug report #890288, regarding mbedtls: CVE-2018-0487 - Risk of remote code execution when verifying RSASSA-PSS signatures to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 890288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890288 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: mbedtls Version: 2.1.2-1 Severity: grave Tags: security https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 Vulnerability When RSASSA-PSS signature verification is enabled, sending a maliciously constructed certificate chain can be used to cause a buffer overflow on the peer's stack, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. RSASSA-PSS is the part of PKCS #1 v2.1 standard and can be enabled by the compile time option MBEDTLS_PKCS1_V21 in config.h. If MBEDTLS_PKCS1_V21 is disabled when compiling the library, then the vulnerability is not present. RSASSA-PSS signatures are enabled in the default configuration. Impact Depending on the platform, an attack exploiting this vulnerability could lead to an application crash or remote code execution. Resolution Affected users should upgrade to Mbed TLS 1.3.22, Mbed TLS 2.1.10 or Mbed TLS 2.7.0. Workaround Users should wherever possible upgrade to the newer version of Mbed TLS. Where this is not practical, users should consider if disabling the option MBEDTLS_PKCS1_V21 in the Mbed TLS configuration is practical for their application. Disabling RSASSA-PSS signatures in the verification profile at runtime is not a sufficient countermeasure.
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---Source: mbedtls Source-Version: 2.7.0-1 We believe that the bug you reported is fixed in the latest version of mbedtls, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 890...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. James Cowgill <jcowg...@debian.org> (supplier of updated mbedtls package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 14 Feb 2018 09:25:58 +0000 Source: mbedtls Binary: libmbedtls-dev libmbedcrypto1 libmbedtls10 libmbedx509-0 libmbedtls-doc Architecture: source amd64 all Version: 2.7.0-1 Distribution: experimental Urgency: medium Maintainer: James Cowgill <jcowg...@debian.org> Changed-By: James Cowgill <jcowg...@debian.org> Description: libmbedcrypto1 - lightweight crypto and SSL/TLS library - crypto library libmbedtls-dev - lightweight crypto and SSL/TLS library - development files libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation libmbedtls10 - lightweight crypto and SSL/TLS library - tls library libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library Closes: 890287 890288 Changes: mbedtls (2.7.0-1) experimental; urgency=medium . * New upstream release. - Fixes CVE-2018-0488. (Closes: #890287) - Fixes CVE-2018-0487. (Closes: #890288) * Rename libmbedcrypto0 to libmbedcrypto1 due to SONAME bump. . * debian/compat: - Use debhelper compat 11. * debian/control: - Switch to salsa.debian.org Vcs URLs. - Bump standards version to 4.1.3. - Drop useless Testsuite field in debian/control. * debian/copyright: - Update copyright dates. * debian/libmbedtls-doc.*: - Fix various paths to work with the new documentation location used by debhelper 11. * debian/patches: - Refresh config patch. * debian/*.symbols: - Add symbols updates for libmbedtls10. - Rewrite symbols libmbedcrypto1 symbols file. Checksums-Sha1: a8d1f6702d69006801e97d778983033ec95c3a7d 2163 mbedtls_2.7.0-1.dsc 01ffebf679c8696cc941c41224fa73d8944d2c85 2108442 mbedtls_2.7.0.orig.tar.gz 057da4c0aefaeee4495fe54712976a6afe7788de 11332 mbedtls_2.7.0-1.debian.tar.xz ca6eebb2f885ad21a9b2510f98a6cc9688db673e 323092 libmbedcrypto1-dbgsym_2.7.0-1_amd64.deb f892d3210b1b9a80181a48af0f4241d739ee9d26 183096 libmbedcrypto1_2.7.0-1_amd64.deb 5469576c7fddd83484fc0e89298bb41507c3ec9f 424808 libmbedtls-dev_2.7.0-1_amd64.deb 3d6d244caab24bc77446409ce38692cf3faf7443 4541844 libmbedtls-doc_2.7.0-1_all.deb 3f9235c96d68374939704ee3b0542c932dd9b742 146500 libmbedtls10-dbgsym_2.7.0-1_amd64.deb 40b8e82b819a139974d2eab8d8c9a6ea7025a547 111456 libmbedtls10_2.7.0-1_amd64.deb 9cf84059179981c6cd135c469e6b7f923c57f357 61244 libmbedx509-0-dbgsym_2.7.0-1_amd64.deb aa5cfea1405a81cd21f58c22f04ce3f29ed74fa3 78536 libmbedx509-0_2.7.0-1_amd64.deb a609adfafc66959c5d948629ec17105e792a66ff 9833 mbedtls_2.7.0-1_amd64.buildinfo Checksums-Sha256: 1c9556d6bf22761b8ca982b365d7efefdb4428c84d6e67e8b192dde9b3d7250a 2163 mbedtls_2.7.0-1.dsc aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef 2108442 mbedtls_2.7.0.orig.tar.gz aecd74c56486f773c6a3dd452f2daa2c8e6eec05a2ed9032e252c2ce901a8a2c 11332 mbedtls_2.7.0-1.debian.tar.xz 3472bd95181aed7f1a5259837aa9a8cf3a8e0d67053d3756d8adc7eee87388eb 323092 libmbedcrypto1-dbgsym_2.7.0-1_amd64.deb 76dc79faeb0103278aa3e37d839273aaf920103d76590c32fc0006a9981f4695 183096 libmbedcrypto1_2.7.0-1_amd64.deb 3a87f81573fd5771936aee2848972bbf1c294f7b4d8464bd0b41cd42006b5dce 424808 libmbedtls-dev_2.7.0-1_amd64.deb 6c9c4a03ff2be8fb462770c219aa4c543d4cbde078e612f38c75802a8b511b8a 4541844 libmbedtls-doc_2.7.0-1_all.deb 1198f5d4003e1e78dbc7eb3399c59fc5a5ea6c90baa58cfae835e6edd494fc40 146500 libmbedtls10-dbgsym_2.7.0-1_amd64.deb dd3a7b442da338e20efb8cf86c5d4ae24f5b25a89884ead83773a79e399bc7da 111456 libmbedtls10_2.7.0-1_amd64.deb 4f968cfce8cc9b5be9c813cf66ead435210eb12e038a80326cbbffcf7b533fa7 61244 libmbedx509-0-dbgsym_2.7.0-1_amd64.deb 55c8e78f4e3cd6f1256b10b62c39320b90debf8cbcb8054aee5bd99a33d77305 78536 libmbedx509-0_2.7.0-1_amd64.deb ad360613d629cd03b9613f3c3c46c74310bf3633c913cbece79834cda7ad2dd0 9833 mbedtls_2.7.0-1_amd64.buildinfo Files: eefd509700d0672ce213ad19c44046a1 2163 libs optional mbedtls_2.7.0-1.dsc 0c2fc845da79b799c112e3ffdf6e75b4 2108442 libs optional mbedtls_2.7.0.orig.tar.gz ae6da759d8b24de1280a90150f98615b 11332 libs optional mbedtls_2.7.0-1.debian.tar.xz 3653c95c92a26861a1de4d6a2d757bf7 323092 debug optional libmbedcrypto1-dbgsym_2.7.0-1_amd64.deb 6900e633a0061e9df40518bad0c7d496 183096 libs optional libmbedcrypto1_2.7.0-1_amd64.deb 458cca9c6d3c87f9282749cefeeb4214 424808 libdevel optional libmbedtls-dev_2.7.0-1_amd64.deb eaf2f5c3a27784eba6a2b4af2c636b51 4541844 doc optional libmbedtls-doc_2.7.0-1_all.deb 35162614818f9a8ec521b5b670028193 146500 debug optional libmbedtls10-dbgsym_2.7.0-1_amd64.deb ec2b1ec55dfd3e44677f6e8acfa81155 111456 libs optional libmbedtls10_2.7.0-1_amd64.deb a9c72ee492ee960a44244cd041943ef8 61244 debug optional libmbedx509-0-dbgsym_2.7.0-1_amd64.deb cac0ba26c2bf5f5e055ffbf20363f569 78536 libs optional libmbedx509-0_2.7.0-1_amd64.deb 038fd1e80b608bfcb504102620f4d906 9833 libs optional mbedtls_2.7.0-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE+Ixt5DaZ6POztUwQx/FnbeotAe8FAlqEDxIACgkQx/Fnbeot Ae868g//byhqmIbsF+/IBgszro59kpYTJZOfOXLEo6DxYpWsQbkZt5d6lyvLfSKC r1HUuyqVNj8F7SFK33sdC+HYfBLcbsrjP2BmGw5nwqt3rkPNUsDiGnJN6ICLL+nc yiQAe2IAtMNJlJ1kx6wPlefPzBx4UrFXt52WrMJSOd0uRlkAssoJx3bIZNoUdjRZ lApuhIO5I42ung6sfmZDHXSrcJB/K21fmfvyC7+kKaA2cvbMxcMAjP3KuE5PU0Lv 6t+zr/HuNl1CVZD/KHMPIsuEKCuCdOjaT3g3xCG3T42bvpikC9Dk6VLjsYniZecE j0Md74It+H/fkBl3+RPXWm42pt9cWTisB0RuevpW4noGeLUpw9h/R1/ePpkcCdqq B4JtnIoKBk6v/VwGdZGX9CRXw2RPMfgy8QiDLnhMjDdIoa4YYHwwwnFrfWTVb+V5 1szkETZEDZVhH8Jjc7BSUAJdAysSBI0XIZEAxx/ENeLF9TaEvKEWsQ70U1z9n1Be dQB5XMLUpbivh4gqBH/sZFsYi0Y9jdlGPW25Cu8QieE2K3/6TnzSmTOB9SaFG5rV m9i4nV6mlDvFIksmrPTY7kIg+lC1IPo6G3Qfo954JN+8RMKNrOmM8DPWriXLKTFK VGloJHp2v0aQlTmk3DKUSZ+/Gwb/HJItgTVg4eajCsos+9+DXDw= =4Q2m -----END PGP SIGNATURE-----
--- End Message ---
