Your message dated Tue, 11 Feb 2025 21:25:23 +0000
with message-id <e1thxkx-005kg1...@fasolo.debian.org>
and subject line Bug#1095765: fixed in openssl 3.4.1-1
has caused the Debian Bug report #1095765,
regarding openssl: CVE-2024-12797
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1095765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openssl
Version: 3.4.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for openssl.
CVE-2024-12797[0]:
| Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to
| authenticate a server may fail to notice that the server was not
| authenticated, because handshakes don't abort as expected when the
| SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and
| DTLS connections using raw public keys may be vulnerable to man-in-
| middle attacks when server authentication failure is not detected by
| clients. RPKs are disabled by default in both TLS clients and TLS
| servers. The issue only arises when TLS clients explicitly enable
| RPK use by the server, and the server, likewise, enables sending of
| an RPK instead of an X.509 certificate chain. The affected clients
| are those that then rely on the handshake to fail when the server's
| RPK fails to match one of the expected public keys, by setting the
| verification mode to SSL_VERIFY_PEER. Clients that enable server-
| side raw public keys can still find out that raw public key
| verification failed by calling SSL_get_verify_result(), and those
| that do, and take appropriate action, are not affected. This issue
| was introduced in the initial implementation of RPK support in
| OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not
| affected by this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-12797
https://www.cve.org/CVERecord?id=CVE-2024-12797
[1] https://openssl-library.org/news/secadv/20250211.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.4.1-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1095...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 11 Feb 2025 21:30:30 +0100
Source: openssl
Architecture: source
Version: 3.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <pkg-openssl-de...@alioth-lists.debian.net>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1092307 1094027 1095765
Changes:
openssl (3.4.1-1) unstable; urgency=medium
.
* Import 3.4.1
- CVE-2024-12797 (RFC7250 handshakes with unauthenticated servers don't
abort as expected) (Closes: #1095765).
- CVE-2024-13176 (Timing side-channel in ECDSA signature computation)
(Closes: #1094027).
- Compile on LoongArch again (Closes: #1092307).
Checksums-Sha1:
66acc877eea89a76ace764d4f9f0cac9c01e9a13 2808 openssl_3.4.1-1.dsc
d3469baf41823a28ad71aae12b2fbb9fe3b19a0d 18346056 openssl_3.4.1.orig.tar.gz
3fc7c15a0580dc691ee7024602d0d065a2c40b32 833 openssl_3.4.1.orig.tar.gz.asc
2446d6fb7bf0e7d97be2b2d2125e27593b6c4e5f 50548 openssl_3.4.1-1.debian.tar.xz
Checksums-Sha256:
850f658197e44d13882b13929b04008c18e2f643ca2781eda180b5f288cb5699 2808
openssl_3.4.1-1.dsc
002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3 18346056
openssl_3.4.1.orig.tar.gz
488c2d4051d5d27b1c0f9d21fd717630e0a2e1b82216875b2fb0fceeb0e8ea5a 833
openssl_3.4.1.orig.tar.gz.asc
ffd963c2e742809bedb03a9416e64426c585ec987fd6e3b5c3a1eed4d9fc882d 50548
openssl_3.4.1-1.debian.tar.xz
Files:
c2587af22b08b668becf4c6952fc4e60 2808 utils optional openssl_3.4.1-1.dsc
fb7a747ac6793a7ad7118eaba45db379 18346056 utils optional
openssl_3.4.1.orig.tar.gz
543c69bafc1e9c48736fed6f19f4d1c9 833 utils optional
openssl_3.4.1.orig.tar.gz.asc
106b7c608964edeca6ce6b5e3daa8320 50548 utils optional
openssl_3.4.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZCVGlf/wqkRmzBnme5boFiqM9dEFAmervBMACgkQe5boFiqM
9dFuNRAApTctlB6ETYzamDTvETocHHxO6ePs6g85/I0AkwbVKfw/FvEdYEqseF/y
TfTR1ASvOR8vlzu50YF1fYe9+Nf+gR7LJQ3lpbFLW4jBMuRkIpK6fdX+9nubqf2j
O43LHtUHV+RCZ7pFRYSXV8KytXHYVqEnrdHWiLkMF65IZO2oDysip9ohxhNU9/+C
mi+XTWDXmqonnm0DOUIw21AtaTaX371HS2AHL4wNLBXKXxdbXvXEkEsYy2kWU8Ql
3bbfhVr3KoYNTMCXKCgpZ1aGgglyY1e+a2KeORVI+inDF/YKM6f+ZKOEgMxbyUTE
ddwj4Y/rMvJNO8VmZurwq0MxVMI36yoSHNQD7yAY0nmdFj3d7Cu8YR9H2knyR6Tg
1GyAsr4YDE8FPlASUycOsiWz11DRDDz+xwHaMkVaVl/IhRZy+/p+tTo7c9yRvuSB
YDJqBOFwomrL+KolCZq4qVUKuG5wN6TVuYd4acVo619wZsb1Uy80RKn5kgPk2JNo
F1UOQjHDBjV+llBLtYUMR/+VzLFGncCTPWvrTwdQl3UhWap6svAdV/BsmEtavs8V
Z+NjKBGmnu8l2MURzXw+QaWhejXigrtmSEnG+kukYG/n+LvJkLCU/fplxYNvlyDx
QwspnARelSY/BmPj1+bKN70hDfRYK9bz3fdXPfxeE0ME0fuqYaM=
=OeAb
-----END PGP SIGNATURE-----
pgpGpig5Fymyt.pgp
Description: PGP signature
--- End Message ---
