Your message dated Sat, 03 Feb 2024 17:20:40 +0000
with message-id <[email protected]>
and subject line Bug#1060858: fixed in openssl 3.2.1-1
has caused the Debian Bug report #1060858,
regarding openssl: CVE-2023-6237: Checking excessively long invalid RSA public 
keys may take a long time
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1060858: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: openssl
Version: 3.1.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.0.11-1~deb12u2

Hi,

The following vulnerability was published for openssl.

CVE-2023-6237[0]:
| Checking excessively long invalid RSA public keys may take a long
| time


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-6237
    https://www.cve.org/CVERecord?id=CVE-2023-6237
[1] https://www.openssl.org/news/secadv/20240115.txt

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openssl
Source-Version: 3.2.1-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
openssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated 
openssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 03 Feb 2024 17:23:00 +0100
Source: openssl
Architecture: source
Version: 3.2.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian OpenSSL Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1060347 1060858 1061582
Changes:
 openssl (3.2.1-1) experimental; urgency=medium
 .
   * Import 3.2.1
    - CVE-2024-0727 (PKCS12 Decoding crashes). (Closes: #1061582).
    - CVE-2023-6237 (Excessive time spent checking invalid RSA public keys)
      (Closes: #1060858).
    - CVE-2023-6129 (POLY1305 MAC implementation corrupts vector registers on
      PowerPC) (Closes: #1060347).

--- End Message ---
