Debian Bug report logs - #699889
several issues in Security Advisory 5 Feb 2013


Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Wed, 6 Feb 2013 11:03:02 UTC

Severity: serious

Tags: security

Found in version openssl/0.9.8o-4

Fixed in versions openssl/1.0.1e-1, 0.9.8o-4squeeze14

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#699889; Package openssl. (Wed, 06 Feb 2013 11:03:04 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 06 Feb 2013 11:03:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: several issues in Security Advisory 5 Feb 2013
Date: Wed, 6 Feb 2013 11:59:18 +0100
Package: openssl
Severity: serious
Tags: security

Hi,

Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
(http://www.openssl.org/news/secadv_20130205.txt):

 SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
 TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)
 OCSP invalid key DoS issue (CVE-2013-0166)

Can you see to it that these are addressed in unstable and testing, and also 
prepare an update to stable-security?


Thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#699889; Package openssl. (Thu, 07 Feb 2013 19:09:06 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Thu, 07 Feb 2013 19:09:06 GMT)

Message #10 received at 699889@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Thijs Kinkhorst <thijs@debian.org>, 699889@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#699889: several issues in Security Advisory 5 Feb 2013
Date: Thu, 7 Feb 2013 20:04:29 +0100
On Wed, Feb 06, 2013 at 11:59:18AM +0100, Thijs Kinkhorst wrote:
> Package: openssl
> Severity: serious
> Tags: security
> 
> Hi,
> 
> Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
> (http://www.openssl.org/news/secadv_20130205.txt):
> 
>  SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
>  TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)

It seems people are having issues with this patch.  Commit
125093b59f3c2a2d33785b5563d929d0472f1721 is the problematic
commit, but it is also the one that fixes both CVEs as far
as I can tell.

I understand that 1.0 isn't affected, so 0.9.8 probably also
isn't.

I might be able to fix the 2nd one by disabling the AES-NI
part.

>  OCSP invalid key DoS issue (CVE-2013-0166)

I don't see this as being urgent.

So I'm waiting for upstream to fix the 1.0.1d version before
uploading to unstable.  I think I'll also wait to see
if this applies to other versions or not.


Kurt




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 11 Feb 2013 19:06:08 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Mon, 11 Feb 2013 19:06:08 GMT)

Message #15 received at 699889-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 699889-close@bugs.debian.org
Subject: Bug#699889: fixed in openssl 1.0.1e-1
Date: Mon, 11 Feb 2013 19:02:40 +0000
Source: openssl
Source-Version: 1.0.1e-1

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699889@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 11 Feb 2013 19:39:44 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1e-1
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description: 
 libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl-doc - SSL development documentation documentation
 libssl1.0.0 - SSL shared libraries
 libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 699889
Changes: 
 openssl (1.0.1e-1) unstable; urgency=high
 .
   * New upstream version (Closes: #699889)
     - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
     - Drop renegiotate_tls.patch, applied upstream
     - Export new CRYPTO_memcmp symbol, update symbol file
   * Add ssltest_no_sslv2.patch so that "make test" works.
Package-Type: udeb




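The 1.0.1e changelog above notes that the upload exports the new CRYPTO_memcmp symbol, the constant-time comparison upstream introduced alongside the CVE-2013-0169 fix. The following is an added illustration, not OpenSSL's code or anything from this bug report: it places an early-exit byte comparison next to a constant-time one of the kind CRYPTO_memcmp provides, and counts the bytes each routine examines so the data-dependent behaviour of the early-exit form is visible without timing measurements. The 20-byte tag length and the sample tags are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define TAG_LEN 20  /* assumed tag length for the example (HMAC-SHA1 size) */

/* Early-exit comparison, the shape of a plain memcmp loop: it returns at
 * the first differing byte, so the number of bytes examined (and the time
 * taken) depends on how many leading bytes of the received tag are right.
 * *examined receives the count of bytes looked at, to make that visible. */
int tag_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n,
                         size_t *examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison in the style of CRYPTO_memcmp (an illustrative
 * reimplementation, not OpenSSL's): every byte is examined and the
 * differences are OR-ed together, so there is no data-dependent branch
 * or early return; the result is only inspected once at the end. */
int tag_equal_ct(const uint8_t *a, const uint8_t *b, size_t n,
                 size_t *examined)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/* Builds two constructed TAG_LEN-byte tags that agree up to index
 * mismatch_at (or entirely, if mismatch_at >= TAG_LEN), runs both
 * comparisons, and writes the bytes examined by each into *early and *ct.
 * Returns 1 when both routines report the correct equality result. */
int demo_examined_bytes(size_t mismatch_at, size_t *early, size_t *ct)
{
    uint8_t a[TAG_LEN], b[TAG_LEN];
    size_t i;
    int should_match, r1, r2;
    for (i = 0; i < TAG_LEN; i++)
        a[i] = b[i] = (uint8_t)(0x10 + i);
    if (mismatch_at < TAG_LEN)
        b[mismatch_at] ^= 0x80;   /* first differing byte at mismatch_at */
    should_match = mismatch_at >= TAG_LEN;
    r1 = tag_equal_early_exit(a, b, TAG_LEN, early);
    r2 = tag_equal_ct(a, b, TAG_LEN, ct);
    return r1 == should_match && r2 == should_match;
}
```

For a tag that diverges at byte 3 the early-exit routine examines 4 bytes while the constant-time one always examines all 20, which is the property that removes the comparison step as a timing signal.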

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#699889; Package openssl. (Mon, 11 Feb 2013 21:09:03 GMT)

Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Mon, 11 Feb 2013 21:09:03 GMT)

Message #20 received at 699889@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Thijs Kinkhorst <thijs@debian.org>, 699889@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#699889: several issues in Security Advisory 5 Feb 2013
Date: Mon, 11 Feb 2013 22:08:11 +0100
On Wed, Feb 06, 2013 at 11:59:18AM +0100, Thijs Kinkhorst wrote:
> 
> Hi,
> 
> Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
> (http://www.openssl.org/news/secadv_20130205.txt):
> 
>  SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
>  TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)
>  OCSP invalid key DoS issue (CVE-2013-0166)
> 
> Can you see to it that these are addressed in unstable and testing, and also 
> prepare an update to stable-security?

I've uploaded 0.9.8o-4squeeze14 to squeeze-security.


Kurt




Marked as found in versions openssl/0.9.8o-4. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Tue, 12 Feb 2013 06:24:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#699889; Package openssl. (Wed, 27 Feb 2013 01:15:03 GMT)

Acknowledgement sent to Bob Bib <bobbibmpn@mail.ru>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Wed, 27 Feb 2013 01:15:03 GMT)

Message #27 received at 699889@bugs.debian.org:

From: Bob Bib <bobbibmpn@mail.ru>
To: 699889@bugs.debian.org
Cc: Kurt Roeckx <kurt@roeckx.be>
Subject: Re: [Pkg-openssl-devel] Bug#699889: several issues in Security Advisory 5 Feb 2013
Date: Wed, 27 Feb 2013 05:09:43 +0400
Hi Kurt,

> I've uploaded 0.9.8o-4squeeze14 to squeeze-security

openssl/1.0.1e-1 changelog states the following:
* New upstream version (Closes: #699889)
     - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166

Meanwhile, the openssl/0.9.8o-4squeeze14 changelog consists of the following line:
* Fix CVE-2013-0166 and CVE-2013-0169

Thus, I have 2 questions:
1) Is CVE-2012-2686 also fixed in openssl/0.9.8o-4squeeze14?
2) Should bug#699889 be marked as fixed in openssl/0.9.8o-4squeeze14?

Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Wed, 27 Feb 2013 08:15:04 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 27 Feb 2013 08:15:04 GMT)

Message #32 received at 699889-done@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Bob Bib <bobbibmpn@mail.ru>
Cc: 699889-done@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#699889: several issues in Security Advisory 5 Feb 2013
Date: Wed, 27 Feb 2013 09:12:18 +0100
Version: 0.9.8o-4squeeze14

On Wed, Feb 27, 2013 at 05:09:43AM +0400, Bob Bib wrote:
> Hi Kurt,
> 
> > I've uploaded 0.9.8o-4squeeze14 to squeeze-security
> 
> openssl/1.0.1e-1 changelog states the following:
> * New upstream version (Closes: #699889)
>      - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
> 
> Meanwhile, the openssl/0.9.8o-4squeeze14 changelog consists of the following line:
> * Fix CVE-2013-0166 and CVE-2013-0169
> 
> Thus, I have 2 questions:
> 1) Is CVE-2012-2686 also fixed in openssl/0.9.8o-4squeeze14?

CVE-2012-2686 does not affect the 0.9.8 branch, or 1.0.0 branch.
The AES-NI support is new in 1.0.1.

> 2) Should bug#699889 be marked as fixed in openssl/0.9.8o-4squeeze14?

Yes, doing so now.


Kurt




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Mar 2013 07:38:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:23:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.