Your message dated Sat, 03 Feb 2024 17:20:03 +0000
with message-id <[email protected]>
and subject line Bug#1060858: fixed in openssl 3.1.5-1
has caused the Debian Bug report #1060858,
regarding openssl: CVE-2023-6237: Checking excessively long invalid RSA public
keys may take a long time
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1060858: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 3.1.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.0.11-1~deb12u2
Hi,
The following vulnerability was published for openssl.
CVE-2023-6237[0]:
| Checking excessively long invalid RSA public keys may take a long
| time
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-6237
https://www.cve.org/CVERecord?id=CVE-2023-6237
[1] https://www.openssl.org/news/secadv/20240115.txt
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.1.5-1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated
openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 03 Feb 2024 17:11:24 +0100
Source: openssl
Architecture: source
Version: 3.1.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1060347 1060858 1061582
Changes:
 openssl (3.1.5-1) unstable; urgency=medium
 .
   * Import 3.1.5
     - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
     - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
       (Closes: #1060858).
     - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
       PowerPC) (Closes: #1060347).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---