Your message dated Tue, 02 Oct 2018 06:06:01 +0000
with message-id <[email protected]>
and subject line Bug#904821: fixed in mbedtls 2.4.2-1+deb9u3
has caused the Debian Bug report #904821,
regarding mbedtls: CVE-2018-0497, CVE-2018-0498: Remote plaintext recovery on 
use of CBC based ciphersuites through a timing side-channel
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
904821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 2.1.2-1
Severity: grave
Tags: security upstream

This security advisory was published for mbedTLS. All versions since 1.2
are affected.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02

CVE-2018-0497:
Remote plaintext recovery on use of CBC based ciphersuites through a
timing side-channel

CVE-2018-0498:
Plaintext recovery on use of CBC based ciphersuites through a cache
based side-channel

James



--- End Message ---
--- Begin Message ---
Source: mbedtls
Source-Version: 2.4.2-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Sep 2018 17:02:04 +0100
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.4.2-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: James Cowgill <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
 libmbedcrypto0 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls10 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 904821
Changes:
 mbedtls (2.4.2-1+deb9u3) stretch-security; urgency=high
 .
   * Fix CVE-2018-0497:
     Remote plaintext recovery on use of CBC based ciphersuites through a
     timing side-channel. (Closes: #904821)
   * Fix CVE-2018-0498:
     Plaintext recovery on use of CBC based ciphersuites through a cache
     based side-channel.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
