Your message dated Fri, 07 Dec 2018 10:49:16 +0000
with message-id <[email protected]>
and subject line Bug#915796: fixed in mbedtls 2.14.1-1
has caused the Debian Bug report #915796,
regarding mbedtls: CVE-2018-19608: Local timing attack on RSA decryption
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
915796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mbedtls
Version: 2.13.0-3
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for mbedtls.

CVE-2018-19608[0]:
| Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a
| local unprivileged attacker to recover the plaintext of RSA
| decryption, which is used in RSA-without-(EC)DH(E) cipher suites.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19608
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19608
[1] https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
[2] https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
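The report above only names the bug class ("local timing attack on RSA decryption" in RSA key-exchange cipher suites). What the fixed release changes is the PKCS#1 v1.5 unpadding step: if the check's control flow or memory accesses depend on the decrypted bytes, a local attacker sharing the cache learns whether a chosen ciphertext decrypted to valid padding and where the message starts, which is the oracle a Bleichenbacher-style attack needs. The following is an added example written for this page, not Mbed TLS's code: a naive unpadding routine beside a branch-free one that visits every byte and folds the verdict into masks. Function names, the helper layout and the constructed test input are assumptions for illustration.

```c
/* Added example, not Mbed TLS code: leaky vs constant-time PKCS#1 v1.5 type-2
 * unpadding (EM = 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M).
 * Names and buffer layout are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time mask helpers: each returns 0x00 or 0xFF without branching. */
static uint8_t ct_is_zero_u8(uint8_t x)            /* 0xFF iff x == 0 */
{
    return (uint8_t)(((uint32_t)x - 1u) >> 24);
}
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)      /* 0xFF iff a == b */
{
    return ct_is_zero_u8(a ^ b);
}
static uint8_t ct_eq_sz(size_t a, size_t b)        /* 0xFF iff a == b */
{
    size_t x = a ^ b;
    uint8_t nz = (uint8_t)((x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1));
    return (uint8_t)(nz - 1u);
}
static uint8_t ct_lt_u32(uint32_t a, uint32_t b)   /* 0xFF iff a < b (a,b < 2^31) */
{
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* Leaky reference: early returns and a loop whose trip count depends on the
 * plaintext make the verdict observable through timing and cache state. */
static int unpad_leaky(const uint8_t *em, size_t em_len,
                       uint8_t *out, size_t out_max, size_t *out_len)
{
    size_t sep;
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x02)
        return -1;                           /* fast exit leaks the header check */
    for (sep = 2; sep < em_len && em[sep] != 0x00; sep++)
        ;                                    /* trip count leaks the separator index */
    if (sep == em_len || sep < 10)           /* no separator, or PS shorter than 8 */
        return -1;
    *out_len = em_len - sep - 1;
    if (*out_len > out_max)
        return -1;
    memcpy(out, em + sep + 1, *out_len);     /* source address leaks via the cache */
    return 0;
}

/* Hardened version: every byte is visited, every output slot is written, and
 * the verdict lives in masks. Branches depend only on em_len and out_max,
 * which are public (modulus size and caller buffer). */
static int unpad_ct(const uint8_t *em, size_t em_len,
                    uint8_t *out, size_t out_max, size_t *out_len)
{
    uint8_t bad = 0, found = 0;
    size_t sep = em_len, max_msg, i, k, badm;

    if (em_len < 11 || out_max < em_len - 11)
        return -1;
    max_msg = em_len - 11;

    bad |= (uint8_t)~ct_is_zero_u8(em[0]);
    bad |= (uint8_t)~ct_eq_u8(em[1], 0x02);
    for (i = 2; i < em_len; i++) {            /* record the first 0x00 without branching */
        uint8_t is_sep = (uint8_t)(ct_is_zero_u8(em[i]) & ~found);
        size_t m = (size_t)0 - (size_t)(is_sep & 1u);
        sep = (sep & ~m) | (i & m);
        found |= is_sep;
    }
    bad |= (uint8_t)~found;                   /* no separator at all */
    bad |= ct_lt_u32((uint32_t)sep, 10u);     /* PS must be at least 8 bytes */

    /* Data-independent copy: each output slot scans the whole buffer and keeps
     * the byte at sep+1+k (zero when out of range or when the padding is bad). */
    for (k = 0; k < max_msg; k++) {
        uint8_t acc = 0;
        for (i = 0; i < em_len; i++)
            acc |= (uint8_t)(em[i] & ct_eq_sz(i, sep + 1 + k));
        out[k] = (uint8_t)(acc & ~bad);
    }
    badm = (size_t)0 - (size_t)(bad & 1u);
    *out_len = (em_len - sep - 1) & ~badm;
    return -(int)(bad & 1u);                  /* 0 valid, -1 invalid, no branch */
}

/* Constructed test input: builds an EM with ps_len filler bytes. Returns em_len. */
static size_t build_em(uint8_t *em, size_t ps_len, const uint8_t *msg, size_t msg_len)
{
    size_t i, n = 0;
    em[n++] = 0x00;
    em[n++] = 0x02;
    for (i = 0; i < ps_len; i++)
        em[n++] = (uint8_t)(0x41 + (i % 26));  /* any nonzero bytes will do */
    em[n++] = 0x00;
    memcpy(em + n, msg, msg_len);
    return n + msg_len;
}
```

Both routines accept and reject the same inputs; the difference is only what an observer sharing the core can learn while they run. The quadratic copy in `unpad_ct` is deliberate: for a 256-byte EM it is a few tens of thousands of byte operations, cheap next to the modular exponentiation that precedes it, and it keeps the memory access pattern independent of the secret separator position.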
--- Begin Message ---
Source: mbedtls
Source-Version: 2.14.1-1

We believe that the bug you reported is fixed in the latest version of
mbedtls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <[email protected]> (supplier of updated mbedtls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Dec 2018 10:24:44 +0000
Source: mbedtls
Binary: libmbedtls-dev libmbedcrypto3 libmbedtls12 libmbedx509-0 libmbedtls-doc
Architecture: source
Version: 2.14.1-1
Distribution: unstable
Urgency: high
Maintainer: James Cowgill <[email protected]>
Changed-By: James Cowgill <[email protected]>
Description:
 libmbedcrypto3 - lightweight crypto and SSL/TLS library - crypto library
 libmbedtls-dev - lightweight crypto and SSL/TLS library - development files
 libmbedtls-doc - lightweight crypto and SSL/TLS library - documentation
 libmbedtls12 - lightweight crypto and SSL/TLS library - tls library
 libmbedx509-0 - lightweight crypto and SSL/TLS library - x509 certificate library
Closes: 915796
Changes:
 mbedtls (2.14.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2018-19608 - Local timing attack on RSA decryption.
       (Closes: #915796)
 .
   * d/libmbedcrypto3.symbols, d/libmbedx509-0.symbols:
     - Add new symbols found in 2.14.1.
Checksums-Sha1:
 33376cf2a00e2acd66bf05cd6f8d546607ea0af4 2341 mbedtls_2.14.1-1.dsc
 7a5111221feead2e38a9a157893176fc817cf02e 1798696 mbedtls_2.14.1.orig.tar.xz
 60ebec5f07bc5e652ce0ca658a31f46813fe6553 12512 mbedtls_2.14.1-1.debian.tar.xz
Checksums-Sha256:
 f9f23d797afcad767503f945dde52a879a6e4e7088c2b2ede214d5594b0694a6 2341 mbedtls_2.14.1-1.dsc
 81e6ac294b18d3b2e4c7d5d8b243e5202766ce0c8843ee3f593401dd5e9078dc 1798696 mbedtls_2.14.1.orig.tar.xz
 3c4fd02a9867b488514aafe0699fd9cdb0f8aea7a866d536958daff3f029a1ab 12512 mbedtls_2.14.1-1.debian.tar.xz
Files:
 25709b6054c60b5f7b0dd7495a9e2a3b 2341 libs optional mbedtls_2.14.1-1.dsc
 fe995ad58793968fda5c96982320aedc 1798696 libs optional mbedtls_2.14.1.orig.tar.xz
 9cae086e82f93350efcbee47c1280d8f 12512 libs optional mbedtls_2.14.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
