Source: rust-openssl Version: 0.10.64-1 Severity: important Tags: security upstream Forwarded: https://github.com/sfackler/rust-openssl/issues/2171 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for rust-openssl. CVE-2024-3296[0]: | A timing-based side-channel exists in the rust-openssl package, | which could be sufficient to recover a plaintext across a network in | a Bleichenbacher-style attack. To achieve successful decryption, an | attacker would have to be able to send a large number of trial | messages for decryption. The vulnerability affects the legacy | PKCS#1v1.5 RSA encryption padding mode. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-3296 https://www.cve.org/CVERecord?id=CVE-2024-3296 [1] https://github.com/sfackler/rust-openssl/issues/2171 Please adjust the affected versions in the BTS as needed. Regards, Salvatore