Debian Bug report logs -
#901626
libtomcrypt: CVE-2018-12437
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Michael Stapelberg <stapelberg@debian.org>:
Bug#901626; Package src:libtomcrypt.
(Fri, 15 Jun 2018 19:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Michael Stapelberg <stapelberg@debian.org>.
(Fri, 15 Jun 2018 19:24:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libtomcrypt
Version: 1.18.1-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for libtomcrypt.
CVE-2018-12437[0]:
| LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on
| ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP.
| To discover an ECDSA key, the attacker needs access to either the local
| machine or a different virtual machine on the same physical host.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-12437
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12437
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#901626; Package src:libtomcrypt.
(Fri, 15 Jun 2018 21:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Stapelberg <stapelberg@debian.org>:
Extra info received and forwarded to list.
(Fri, 15 Jun 2018 21:45:03 GMT) (full text, mbox, link).
Message #10 received at 901626@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Filed https://github.com/libtom/libtomcrypt/issues/407, let’s see when
upstream comes up with a patch.
On Fri, Jun 15, 2018 at 9:22 PM, Salvatore Bonaccorso <carnil@debian.org>
wrote:
> Source: libtomcrypt
> Version: 1.18.1-1
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> The following vulnerability was published for libtomcrypt.
>
> CVE-2018-12437[0]:
> | LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on
> | ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP.
> | To discover an ECDSA key, the attacker needs access to either the local
> | machine or a different virtual machine on the same physical host.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-12437
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12437
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
--
Best regards,
Michael
[Message part 2 (text/html, inline)]
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Thu, 21 Jun 2018 17:30:04 GMT) (full text, mbox, link).
Reply sent
to Michael Stapelberg <stapelberg@debian.org>:
You have taken responsibility.
(Wed, 11 Jul 2018 16:24:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 11 Jul 2018 16:24:04 GMT) (full text, mbox, link).
Message #19 received at 901626-close@bugs.debian.org (full text, mbox, reply):
Source: libtomcrypt
Source-Version: 1.18.2-1
We believe that the bug you reported is fixed in the latest version of
libtomcrypt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 901626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Stapelberg <stapelberg@debian.org> (supplier of updated libtomcrypt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 11 Jul 2018 17:55:41 +0200
Source: libtomcrypt
Binary: libtomcrypt-dev libtomcrypt1
Architecture: source
Version: 1.18.2-1
Distribution: unstable
Urgency: medium
Maintainer: Michael Stapelberg <stapelberg@debian.org>
Changed-By: Michael Stapelberg <stapelberg@debian.org>
Description:
libtomcrypt-dev - static library, header files and documentation for libtomcrypt
libtomcrypt1 - public domain open source cryptographic toolkit
Closes: 901626 903334
Changes:
libtomcrypt (1.18.2-1) unstable; urgency=medium
.
* New upstream version 1.18.2, containing fixes for
CVE-2018-12437
CVE-2018-0739
(Closes: #901626)
* debian/docs: README → README.md, remove TODO (Closes: #903334)
Checksums-Sha1:
11cdf66b0285313f3366e1e7a2c2bfb73418f88e 2059 libtomcrypt_1.18.2-1.dsc
55bd8c2015f39bba73aca13b5e4e37f44a292b3f 2638064 libtomcrypt_1.18.2.orig.tar.xz
d4cf1d3dd99ee0bbc2e6b3ced8e9a7fbd0a015fe 15380 libtomcrypt_1.18.2-1.debian.tar.xz
47e4507ef9e76f4256f1c6ac7e63146eb3e9e414 8677 libtomcrypt_1.18.2-1_amd64.buildinfo
Checksums-Sha256:
748f34b4bcd13ae16bae5356e0ed11fb4165c137de4661f5040b45506a76ab53 2059 libtomcrypt_1.18.2-1.dsc
96ad4c3b8336050993c5bc2cf6c057484f2b0f9f763448151567fbab5e767b84 2638064 libtomcrypt_1.18.2.orig.tar.xz
119d07663b3b479446019c2d08c6d63d229674ab2592afb089a81ca88b925410 15380 libtomcrypt_1.18.2-1.debian.tar.xz
fb75c2422a3a11e7c4c83f86274c2aa2893c4f1ea438d3ec6b43da0cd443ae0b 8677 libtomcrypt_1.18.2-1_amd64.buildinfo
Files:
5a33251468fcdc1940651d88a16e2881 2059 libs optional libtomcrypt_1.18.2-1.dsc
e8d22351b7c95bef423c1cd02dcf836d 2638064 libs optional libtomcrypt_1.18.2.orig.tar.xz
a23e6653cc268bcd37dde4d23028333a 15380 libs optional libtomcrypt_1.18.2-1.debian.tar.xz
5f044c58eab5d9e2d54f948374b42179 8677 libs optional libtomcrypt_1.18.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEQk4U1wPnxtQ9nW82TnFg7UrI7h0FAltGKp8ACgkQTnFg7UrI
7h4IPhAAxbiwiXv0qO/AntCWjZ+9Ko+byeVCYeOet4luSxiUVvEoW77wdJyqwmK1
LBDUVi+pPAmfpyM8K5FTa5PEXjULFpIpjY8L/pRLvwN/QM6C+J95Zy7lFmWjUeSr
9s4dbLUkb3O5YrSxliNH1FGnz9SbUXnt17rZgaA0aAEejXbrTo7cu1P6bZo/4nNB
bLgNvn3QjdBiXDnDH9dHfQWmuXJXMigdF1hcn4Zq0cae1vnk01xpRT3lsbmqeP8I
/XZLSr8khDbw5PxwdbNia7XiqFIfbN8FYsInRex2bfQrz6iEP6IYWWYI31+C31Yj
3OrUb+Kv8xfSGIz/FuUhqyX+rxFtKF+s/EGQEHIjyFCyVTmb/H15XEe4QudrG73K
nK03TXKJP39TykKui/nq78UL0qk/YoEW7DYGHgNUAd8pEfNgrZSDJseEIO9JTKtH
OX3+aXWz84jGHmE27BTrGLM+ZEqEZtzLF4ZxtUw0yHOuZblGFNxKWvmTUyKefmrg
FW2XD9lpszL20u135UbDP5xOwzqg74OcgU92WuZFDHHJZSb3RU/iGYx3sFwBugRY
VelOVLYo/vrfdb5y7exaalnkDAvb0MMbH2dCFRWzH2wNlEtVt5ZjP2i58BY1ZcSk
vZLFr7/cg8DV/wP5aEy9MvfoAn8/8R2Vxht6+j2ygY9KHAhA5Eg=
=6P8x
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 09 Aug 2018 07:26:14 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:22:01 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon