openssl: CVE-2014-0076


Debian Bug report logs - #742923


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Sat, 29 Mar 2014 00:33:02 UTC

Severity: important

Tags: security

Found in version openssl/1.0.1e-2

Fixed in versions openssl/1.0.1g-1, openssl/1.0.1e-2+deb7u7

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#742923; Package src:openssl. (Sat, 29 Mar 2014 00:33:07 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 29 Mar 2014 00:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openssl: CVE-2014-0076
Date: Fri, 28 Mar 2014 20:29:42 -0400

package: src:openssl
severity: important
version: 1.0.1e-2

A CVE has been issued for an information disclosure in openssl:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076

Best wishes,
Mike



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Mar 2014 07:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>:
Bug#742923; Package src:openssl. (Sat, 29 Mar 2014 14:57:16 GMT)


Acknowledgement sent to Kurt Roeckx <kurt@roeckx.be>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>. (Sat, 29 Mar 2014 14:57:16 GMT)


Message #12 received at 742923@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: Michael Gilbert <mgilbert@debian.org>, 742923@bugs.debian.org
Subject: Re: [Pkg-openssl-devel] Bug#742923: openssl: CVE-2014-0076
Date: Sat, 29 Mar 2014 15:53:20 +0100

On Fri, Mar 28, 2014 at 08:29:42PM -0400, Michael Gilbert wrote:
> package: src:openssl
> severity: important
> version: 1.0.1e-2
> 
> A CVE has been issued for an information disclosure in openssl:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076

This affects all versions of openssl, but I guess we don't support
0.9.8 anymore and last time I looked upstream didn't fix it in
that branch yet.  As already discussed with the security team
we'll fix this in a stable release update.


Kurt




Marked as fixed in versions openssl/1.0.1g-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Apr 2014 18:18:16 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 08 Apr 2014 18:18:17 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Tue, 08 Apr 2014 18:18:18 GMT)


Message sent on to Michael Gilbert <mgilbert@debian.org>:
Bug#742923. (Tue, 08 Apr 2014 18:18:21 GMT)


Message #21 received at 742923-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 742923-submitter@bugs.debian.org
Subject: closing 742923
Date: Tue, 08 Apr 2014 20:16:43 +0200

close 742923 1.0.1g-1
thanks

This is fixed with the 1.0.1g-1 upload, closing the bug with this version.




Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Fri, 18 Apr 2014 17:51:17 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Fri, 18 Apr 2014 17:51:17 GMT)


Message #26 received at 742923-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 742923-close@bugs.debian.org
Subject: Bug#742923: fixed in openssl 1.0.1e-2+deb7u7
Date: Fri, 18 Apr 2014 17:47:05 +0000

Source: openssl
Source-Version: 1.0.1e-2+deb7u7

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 17 Apr 2014 22:11:33 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all i386
Version: 1.0.1e-2+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 libcrypto1.0.0-udeb - crypto shared library - udeb (udeb)
 libssl-dev - SSL development libraries, header files and documentation
 libssl-doc - SSL development documentation documentation
 libssl1.0.0 - SSL shared libraries
 libssl1.0.0-dbg - Symbol tables for libssl and libcrypto
 openssl    - Secure Socket Layer (SSL) binary and related cryptographic tools
Closes: 742923 744141 744194 744871
Changes: 
 openssl (1.0.1e-2+deb7u7) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2010-5298: use-after-free race condition.
   * Add a versioned dependency from openssl to libssl1.0.0 to a version
     that has the fix for CVE-2014-0160 (Closes: #744194).
   * Propose restarting prosody on upgrade (Closes: #744871).
   * Correctly detect apache2 installations and propose it to be
     restarted (Closes: #744141).
   * Add more services to be checked for restart.
   * Fix a bug where the critical flag for TSA extended key usage is not
     always detected, and two other similar cases.
   * Add support for 'libraries/restart-without-asking', which allows
     services to be restarted automatically without prompting, or
     requiring a response instead.
   * Fix CVE-2014-0076: "Yarom/Benger FLUSH+RELOAD Cache Side-channel Attack"
     (Closes: #742923).
Package-Type: udeb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jul 2014 07:27:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:40:24 2019; Machine Name: buxtehude
