mbedtls: CVE-2018-0497, CVE-2018-0498: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel

Related Vulnerabilities: CVE-2018-0497, CVE-2018-0498

Debian Bug report logs - #904821

Reported by: James Cowgill <jcowgill@debian.org>

Date: Sat, 28 Jul 2018 10:15:01 UTC

Severity: grave

Tags: security, upstream

Found in version mbedtls/2.1.2-1

Fixed in versions mbedtls/2.12.0-1, mbedtls/2.4.2-1+deb9u3

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#904821; Package src:mbedtls. (Sat, 28 Jul 2018 10:15:04 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
New Bug report received and forwarded. (Sat, 28 Jul 2018 10:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mbedtls: CVE-2018-0497, CVE-2018-0498: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel
Date: Sat, 28 Jul 2018 18:13:43 +0800
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security upstream

This security advisory was published for mbedTLS. All versions since 1.2
are affected.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02

CVE-2018-0497:
Remote plaintext recovery on use of CBC based ciphersuites through a
timing side-channel

CVE-2018-0498:
Plaintext recovery on use of CBC based ciphersuites through a cache
based side-channel

James

Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Sat, 28 Jul 2018 14:57:07 GMT)


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Sat, 28 Jul 2018 14:57:07 GMT)


Message #10 received at 904821-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 904821-close@bugs.debian.org
Subject: Bug#904821: fixed in mbedtls 2.12.0-1
Date: Sat, 28 Jul 2018 14:54:03 +0000
Source: mbedtls
Source-Version: 2.12.0-1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 28 Jul 2018 21:38:20 +0800
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto1 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.12.0-1
Distribution: unstable
Urgency: medium
Maintainer: James Cowgill <jcowgill@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmbedcrypto1 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 904821
Changes:
 mbedtls (2.12.0-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes CVE-2018-0497 and CVE-2018-0498. (Closes: #904821)
 .
   * debian/control: Bump standards version to 4.1.5.
   * debian/patches: Refresh patches.
   * debian/libmbedcrypto1.symbols:
     - Add new symbols.
     - Remove the internal mbedtls_threading_gmtime_mutex symbol.




Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Tue, 02 Oct 2018 06:09:06 GMT)


Notification sent to James Cowgill <jcowgill@debian.org>:
Bug acknowledged by developer. (Tue, 02 Oct 2018 06:09:06 GMT)


Message #15 received at 904821-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 904821-close@bugs.debian.org
Subject: Bug#904821: fixed in mbedtls 2.4.2-1+deb9u3
Date: Tue, 02 Oct 2018 06:06:01 +0000
Source: mbedtls
Source-Version: 2.4.2-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 904821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 09 Sep 2018 17:02:04 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill <jcowgill@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 904821
Changes:
 mbedtls (2.4.2-1+deb9u3) stretch-security; urgency=high
 .
   * Fix CVE-2018-0497:
     Remote plaintext recovery on use of CBC based ciphersuites through a
     timing side-channel. (Closes: #904821)
   * Fix CVE-2018-0498:
     Plaintext recovery on use of CBC based ciphersuites through a cache
     based side-channel.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:27:36 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:56:20 2019; Machine Name: buxtehude
