Your message dated Wed, 06 Feb 2013 20:47:46 +0000
with message-id <[email protected]>
and subject line Bug#699887: fixed in polarssl 1.2.5-1
has caused the Debian Bug report #699887,
regarding TLS timing attack in polarssl (Lucky 13)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
699887: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: polarssl
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/
The problems are addressed in PolarSSL 1.2.5:
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
The generic protocol issue has been assigned CVE name CVE-2013-0169. The
specific fix in PolarSSL is known as CVE-2013-1621 and CVE-2013-1622. Please
mention these identifiers in the changelog.
Can you see to it that this issue is addressed in unstable and testing? And
are you available to create an update for stable-security?
Cheers,
Thijs
--- End Message ---
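The report above describes the attack only as "timing differences arising during MAC processing". The model below, added here as an illustration and not taken from PolarSSL, the paper, or this bug report, shows where that difference comes from in a MAC-then-encrypt TLS 1.1 record with HMAC-SHA1: after the padding check, the verifier MACs a body whose length depends on the decoded padding, so the number of SHA-1 compression calls (and thus the time) depends on attacker-controlled bytes. It works on the already-decrypted 64-byte record, counts compression calls instead of measuring time, and assumes a constructed MAC key and a constructed 13-byte MAC header. The second verifier equalises the compression count with dummy SHA-1 blocks; this mirrors the general mitigation strategy and is not a claim about how PolarSSL 1.2.5 implements its fix.

```python
"""Model of the Lucky 13 timing channel in TLS CBC (MAC-then-encrypt) record
processing. Constructed example: it starts from the decrypted record and counts
SHA-1 compression-function calls, the quantity the attack observes as timing."""
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length
HEADER_LEN = 13   # TLS MAC header: seq_num(8) || type(1) || version(2) || length(2)
SHA1_BLOCK = 64
KEY = b"k" * 20                    # constructed MAC key for the example, not a real secret
HEADER = bytes(range(HEADER_LEN))  # constructed 13-byte pseudo-header


def sha1_compressions(msg_len):
    """SHA-1 compression calls to hash msg_len bytes: the message, one 0x80 byte
    and an 8-byte length field are padded up to a multiple of 64 bytes."""
    return (msg_len + 8) // SHA1_BLOCK + 1


def hmac_sha1_compressions(msg_len):
    """HMAC-SHA1 = inner hash over (64-byte key block || msg) plus outer hash
    over (64-byte key block || 20-byte inner digest)."""
    return sha1_compressions(SHA1_BLOCK + msg_len) + sha1_compressions(SHA1_BLOCK + MAC_LEN)


def make_record(body, padlen):
    """body || HMAC(header || body) || padding, padlen bytes each equal to padlen-1."""
    tag = hmac.new(KEY, HEADER + body, hashlib.sha1).digest()
    return body + tag + bytes([padlen - 1]) * padlen


def split_padding(plaintext):
    """TLS 1.1 padding check. Returns (pad_ok, body_len). On bad padding the
    spec says to treat the padding as zero-length and still run the MAC."""
    padlen = plaintext[-1] + 1
    pad_ok = (padlen + MAC_LEN <= len(plaintext)
              and plaintext[-padlen:] == bytes([plaintext[-1]]) * padlen)
    return pad_ok, len(plaintext) - MAC_LEN - (padlen if pad_ok else 0)


def verify_leaky(plaintext):
    """Naive verifier: the MAC runs over whatever body length the padding check
    produced, so the compression count depends on the decoded padding.
    Returns (accepted, compression_calls)."""
    pad_ok, body_len = split_padding(plaintext)
    tag = hmac.new(KEY, HEADER + plaintext[:body_len], hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, plaintext[body_len:body_len + MAC_LEN])
    return pad_ok and mac_ok, hmac_sha1_compressions(HEADER_LEN + body_len)


def verify_constant_work(plaintext):
    """Same check, but the compression count is fixed at the maximum any padding
    could produce (1-byte padding) by feeding dummy blocks to SHA-1 for the
    difference. Only the compression-count channel is modelled here; the
    padding and tag comparisons are not written branch-free."""
    pad_ok, body_len = split_padding(plaintext)
    tag = hmac.new(KEY, HEADER + plaintext[:body_len], hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, plaintext[body_len:body_len + MAC_LEN])
    real = hmac_sha1_compressions(HEADER_LEN + body_len)
    target = hmac_sha1_compressions(HEADER_LEN + len(plaintext) - MAC_LEN - 1)
    extra = target - real
    filler = hashlib.sha1()
    filler.update(b"\x00" * (SHA1_BLOCK * extra))  # extra full blocks, not finalised
    return pad_ok and mac_ok, real + extra


def lucky13_cases():
    """Three 64-byte decrypted records in the paper's TLS 1.1 / HMAC-SHA1 /
    16-byte-block setting (constructed): valid 2-byte padding 0x01 0x01,
    valid 1-byte padding 0x00, and a corrupted last byte claiming 16-byte padding."""
    pad_01_01 = make_record(b"A" * 42, 2)
    pad_00 = make_record(b"A" * 43, 1)
    bad = bytearray(pad_01_01)
    bad[-1] = 0x0F
    return {"pad_01_01": pad_01_01, "pad_00": pad_00, "bad_pad": bytes(bad)}


if __name__ == "__main__":
    for name, record in lucky13_cases().items():
        print(name, "leaky:", verify_leaky(record), "constant:", verify_constant_work(record))
```

With these inputs the naive verifier does 4 compressions for the 0x01 0x01 record and 5 for the other two, which is exactly the one-compression gap the paper measures; the equalised verifier does 5 in every case. A real fix also has to remove the data-dependent branches and memory accesses around the padding and tag checks, which this model leaves in place.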
--- Begin Message ---
Source: polarssl
Source-Version: 1.2.5-1
We believe that the bug you reported is fixed in the latest version of
polarssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Stigge <[email protected]> (supplier of updated polarssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 06 Feb 2013 21:13:35 +0100
Source: polarssl
Binary: libpolarssl-dev libpolarssl-runtime libpolarssl0
Architecture: source amd64
Version: 1.2.5-1
Distribution: experimental
Urgency: low
Maintainer: Roland Stigge <[email protected]>
Changed-By: Roland Stigge <[email protected]>
Description:
libpolarssl-dev - lightweight crypto and SSL/TLS library
libpolarssl-runtime - lightweight crypto and SSL/TLS library
libpolarssl0 - lightweight crypto and SSL/TLS library
Closes: 699887
Changes:
polarssl (1.2.5-1) experimental; urgency=low
.
* New upstream release (Closes: #699887)
* Fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw
(Including CVE-2013-1621 and CVE-2013-1622)
Checksums-Sha1:
9f78ea10a409e24172a9994b48ff2a96d153626b 1168 polarssl_1.2.5-1.dsc
84a703feaeb00cb5fba74a4aa7168e79128bbb19 980299 polarssl_1.2.5.orig.tar.gz
691db0473550ab4c19647f108b0d32b8cf1e82fc 4623 polarssl_1.2.5-1.debian.tar.gz
bcf795a4dfc9ebaff921bf689a77ef03681f7b36 260672 libpolarssl-dev_1.2.5-1_amd64.deb
8eae07203ac92aaf3952733f743608f6dba162be 2504580 libpolarssl-runtime_1.2.5-1_amd64.deb
776f7dbe104363cf659b32cd20111da6700cec96 176186 libpolarssl0_1.2.5-1_amd64.deb
Checksums-Sha256:
ff471030814f5623f361e57b3746cdd261c1e2590495b9529832789c47b99493 1168 polarssl_1.2.5-1.dsc
ee596851684faef5af124902a27abec0461b2311eee1aa9620d732f9ea4d124a 980299 polarssl_1.2.5.orig.tar.gz
41d65fe137a4d9832f85fa5a538430974ce5e34702aa519c9ef3a8a0f65ed2bf 4623 polarssl_1.2.5-1.debian.tar.gz
840671b8dcf70cc99fdd2e69873211ec3a20a765ab2d599a82cdc4bd024736e1 260672 libpolarssl-dev_1.2.5-1_amd64.deb
7be8270e0d0eaab69bbbe1046c2e470f0112ad60452ffc2ac0de68062a3d0f34 2504580 libpolarssl-runtime_1.2.5-1_amd64.deb
12bb5c8d6f79532768107b5ac536bd56fd7802d6531da91ce0199b5f17da292e 176186 libpolarssl0_1.2.5-1_amd64.deb
Files:
00374f7a876898c2489403c6c775c5ec 1168 libs optional polarssl_1.2.5-1.dsc
f42dd79cd85384ac9ad482caa665ac8f 980299 libs optional polarssl_1.2.5.orig.tar.gz
46d5b4c733993e7365e202f3538472a6 4623 libs optional polarssl_1.2.5-1.debian.tar.gz
3c89d7b0b857088e8b3a05fd91304458 260672 libdevel optional libpolarssl-dev_1.2.5-1_amd64.deb
b6520d98316674c5ad9f930ad564da9b 2504580 libdevel optional libpolarssl-runtime_1.2.5-1_amd64.deb
d043c57efdfe7e5603bb4f0fea83b576 176186 libs optional libpolarssl0_1.2.5-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFREr0pcaH/YBv43g8RAmr/AJ9Skt8Y2RgjiG4V0OXWrHAq6AlFQQCfTfmC
AeIf/xxa+O5fgadSVE6SqgA=
=FuZ8
-----END PGP SIGNATURE-----
--- End Message ---