Your message dated Wed, 27 Feb 2013 09:12:18 +0100
with message-id <20130227081218.ga28...@roeckx.be>
and subject line Re: [Pkg-openssl-devel] Bug#699889: several issues in Security 
Advisory 5 Feb 2013
has caused the Debian Bug report #699889,
regarding several issues in Security Advisory 5 Feb 2013
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
699889: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699889
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: openssl
Severity: serious
Tags: security

Hi,

Several issues were announced in the OpenSSL security advisory of 05 Feb 2013 
(http://www.openssl.org/news/secadv_20130205.txt):

 SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
 TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686) (does not affect stable)
 OCSP invalid key DoS issue (CVE-2013-0166)

Can you see to it that these are addressed in unstable and testing, and also 
prepare an update to stable-security?


Thanks,
Thijs


--- End Message ---
--- Begin Message ---
Version: 0.9.8o-4squeeze14

On Wed, Feb 27, 2013 at 05:09:43AM +0400, Bob Bib wrote:
> Hi Kurt,
> 
> > I've uploaded 0.9.8o-4squeeze14 to squeeze-security
> 
> openssl/1.0.1e-1 changelog states the following:
> * New upstream version (Closes: #699889)
>      - Fixes CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
> 
> Meanwhile, openssl/0.9.8o-4squeeze14 changelog consists of the following line:
> * Fix CVE-2013-0166 and CVE-2013-0169
> 
> Thus, I have 2 questions:
> 1) is CVE-2012-2686 also fixed in openssl/0.9.8o-4squeeze14?

CVE-2012-2686 does not affect the 0.9.8 branch, or 1.0.0 branch.
The AES-NI support is new in 1.0.1.

> 2) should bug#699889 be marked as fixed in openssl/0.9.8o-4squeeze14?

Yes, doing so now.


Kurt

--- End Message ---