Debian Bug report logs - #742923 openssl: CVE-2014-0076
Reported by: Michael Gilbert <mgilbert@debian.org>
Date: Sat, 29 Mar 2014 00:33:02 UTC
Severity: important
Tags: security
Found in version openssl/1.0.1e-2
Fixed in versions openssl/1.0.1g-1, openssl/1.0.1e-2+deb7u7
Done: Raphael Geissert <geissert@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#742923; Package src:openssl. (Sat, 29 Mar 2014 00:33:07 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 29 Mar 2014 00:33:07 GMT)
Message #5 received at submit@bugs.debian.org:
package: src:openssl
severity: important
version: 1.0.1e-2
A CVE has been issued for an information disclosure in openssl:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
Best wishes,
Mike
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Mar 2014 07:00:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>: Bug#742923; Package src:openssl. (Sat, 29 Mar 2014 14:57:16 GMT)
Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>: Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 29 Mar 2014 14:57:16 GMT)
Message #12 received at 742923@bugs.debian.org:
On Fri, Mar 28, 2014 at 08:29:42PM -0400, Michael Gilbert wrote:
> package: src:openssl
> severity: important
> version: 1.0.1e-2
>
> A CVE has been issued for an information disclosure in openssl:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
This affects all versions of openssl, but I guess we don't support
0.9.8 anymore and last time I looked upstream didn't fix it in
that branch yet. As already discussed with the security team
we'll fix this in a stable release update.
Kurt
Marked as fixed in versions openssl/1.0.1g-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Apr 2014 18:18:16 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Apr 2014 18:18:17 GMT)
Notification sent to Michael Gilbert <mgilbert@debian.org>: Bug acknowledged by developer. (Tue, 08 Apr 2014 18:18:18 GMT)
Message sent on to Michael Gilbert <mgilbert@debian.org>: Bug#742923. (Tue, 08 Apr 2014 18:18:21 GMT)
Message #21 received at 742923-submitter@bugs.debian.org:
close 742923 1.0.1g-1
thanks
This is fixed with the 1.0.1g-1 upload, closing the bug with this version.
Reply sent to Raphael Geissert <geissert@debian.org>: You have taken responsibility. (Fri, 18 Apr 2014 17:51:17 GMT)
Notification sent to Michael Gilbert <mgilbert@debian.org>: Bug acknowledged by developer. (Fri, 18 Apr 2014 17:51:17 GMT)
Message #26 received at 742923-close@bugs.debian.org:
Source: openssl
Source-Version: 1.0.1e-2+deb7u7
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 17 Apr 2014 22:11:33 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all i386
Version: 1.0.1e-2+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description:
libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
libssl-dev - SSL development libraries, header files and documentation
libssl-doc - SSL development documentation documentation
libssl1.0.0 - SSL shared libraries
libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
openssl - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 742923 744141 744194 744871
Changes:
openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix CVE-2010-5298: use-after-free race condition.
* Add a versioned dependency from openssl to libssl1.0.0 to a version
that has the fix for CVE-2014-0160 (Closes: #744194).
* Propose restarting prosody on upgrade (Closes: #744871).
* Correctly detect apache2 installations and propose it to be
restarted (Closes: #744141).
* Add more services to be checked for restart.
* Fix a bug where the critical flag for TSA extended key usage is not
always detected, and two other similar cases.
* Add support for 'libraries/restart-without-asking', which allows
services to be restarted automatically without prompting, or
requiring a response instead.
* Fix CVE-2014-0076: "Yarom/Benger FLUSH+RELOAD Cache Side-channel Attack"
(Closes: #742923).
Checksums-Sha1:
7275c7456f65a48bfa2d67c6d1cdc36001efe6f4 1574 openssl_1.0.1e-2+deb7u7.dsc
945ad6b2a9080ff3ac2266d30aa6a34e910e12c2 101840 openssl_1.0.1e-2+deb7u7.debian.tar.gz
7257a22e76c198a8513d922eddb1fcc21ca12bce 1202778 libssl-doc_1.0.1e-2+deb7u7_all.deb
8d525fcc766c95dc997bb61c51e2f528a2e5122a 692226 openssl_1.0.1e-2+deb7u7_i386.deb
7440b2664b0d5c43661e0f4d55cd33e591b1f5c9 3033174 libssl1.0.0_1.0.1e-2+deb7u7_i386.deb
4e942b020904367f6032285a6f720d0cda2916fe 597400 libcrypto1.0.0-udeb_1.0.1e-2+deb7u7_i386.udeb
94aadb1609243d9a5733f50de7622d65e99e09d7 1595580 libssl-dev_1.0.1e-2+deb7u7_i386.deb
54f15c264e209ab6d84e150c0e44e27897a9cf24 7568334 libssl1.0.0-dbg_1.0.1e-2+deb7u7_i386.deb
Checksums-Sha256:
f1ed9cd1d0b8289e21ce58a184aa2149e7e859c56ef9e4670f2884d601667184 1574 openssl_1.0.1e-2+deb7u7.dsc
22d089220db222f8fc3897e0257e9f8bc6eb601cd3348fd948a3b6b25bf27b12 101840 openssl_1.0.1e-2+deb7u7.debian.tar.gz
90effe95308fb1d690947437557defeb21e37eaa6e4dba3a42c937a46f581e73 1202778 libssl-doc_1.0.1e-2+deb7u7_all.deb
a0744a71ecf793d4ccef94b533cf582373dfdf88ef09ccdcfd96a77249c607a1 692226 openssl_1.0.1e-2+deb7u7_i386.deb
c686a88ac39f559a479c9efe86f6351be6f74fec97d120a620f654439dcb0877 3033174 libssl1.0.0_1.0.1e-2+deb7u7_i386.deb
3e9577f1d723b3230f2ab8d35deb2fa787c2e31528a40a20cdadb6432c4be1ae 597400 libcrypto1.0.0-udeb_1.0.1e-2+deb7u7_i386.udeb
a6d40acbee402220edb2f4b13d2a03710649b9279c2965fa88274ed8a2a055e0 1595580 libssl-dev_1.0.1e-2+deb7u7_i386.deb
e7c3f124516c8d6386043dbe5c8903c2654966ccb7b871d1c5ba0ab24cec6203 7568334 libssl1.0.0-dbg_1.0.1e-2+deb7u7_i386.deb
Files:
669e64f6d964e4fa8035c9e99c12b5bc 1574 utils optional openssl_1.0.1e-2+deb7u7.dsc
b342b401bace5fc10f873accb31b068e 101840 utils optional openssl_1.0.1e-2+deb7u7.debian.tar.gz
30a4693de737d2506c20ecce604def20 1202778 doc optional libssl-doc_1.0.1e-2+deb7u7_all.deb
b934c10a85f17e2568068fbeaf459b01 692226 utils optional openssl_1.0.1e-2+deb7u7_i386.deb
774e3e6dfa17bd9f4d0e621c955bf60c 3033174 libs important libssl1.0.0_1.0.1e-2+deb7u7_i386.deb
92b0e3b8ac79e5c5d62d7e63a83dee9d 597400 debian-installer optional libcrypto1.0.0-udeb_1.0.1e-2+deb7u7_i386.udeb
f478cd6431fc277884f9e364728cb3ce 1595580 libdevel optional libssl-dev_1.0.1e-2+deb7u7_i386.deb
b7577ef210f8e022e7a836365096b016 7568334 debug extra libssl1.0.0-dbg_1.0.1e-2+deb7u7_i386.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlNQSDUACgkQYy49rUbZzlp14gCfbBRsML25oYAznG84HvKeR0PY
0dsAn234JfLjkp3jNs7olBlZpVOsehcz
=mFNV
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jul 2014 07:27:33 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:40:24 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.