Your message dated Mon, 09 Oct 2017 11:48:44 +0000
with message-id <[email protected]>
and subject line Bug#877436: fixed in botan1.10 1.10.17-0.1
has caused the Debian Bug report #877436,
regarding botan1.10: CVE-2017-14737: A cryptographic cache-based side channel
in the RSA implementation allows local attacker to recover information about
RSA secret keys
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
877436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877436
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: botan1.10
Version: 1.10.16-1
Severity: grave
Tags: patch upstream security
Forwarded: https://github.com/randombit/botan/issues/1222
Hi,
the following vulnerability was published for botan1.10.
CVE-2017-14737[0]:
| A cryptographic cache-based side channel in the RSA implementation in
| Botan before 1.10.17, and 1.11.x and 2.x before 2.3.0, allows a local
| attacker to recover information about RSA secret keys, as demonstrated
| by CacheD. This occurs because an array is indexed with bits derived
| from a secret key.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14737
[1] https://github.com/randombit/botan/issues/1222
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: botan1.10
Source-Version: 1.10.17-0.1
We believe that the bug you reported is fixed in the latest version of
botan1.10, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christian Hofstaedtler <[email protected]> (supplier of updated botan1.10 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 09 Oct 2017 09:19:15 +0000
Source: botan1.10
Binary: botan1.10-dbg libbotan-1.10-1 libbotan1.10-dev
Architecture: source
Version: 1.10.17-0.1
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Christian Hofstaedtler <[email protected]>
Description:
botan1.10-dbg - multiplatform crypto library (debug)
libbotan-1.10-1 - multiplatform crypto library
libbotan1.10-dev - multiplatform crypto library (development)
Closes: 877436
Changes:
botan1.10 (1.10.17-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream release 1.10.17 (Closes: #877436)
+ [CVE-2017-14737]: Side channel affecting modular exponentiation
+ Upstream has imported Debian architecture support patches, removed
them.
Checksums-Sha1:
0e5db86adc98c3b970a38d5c42f95fb3941f190e 2072 botan1.10_1.10.17-0.1.dsc
b36541b441fb116caf068b6157ad7d01d71ecd2e 2706678 botan1.10_1.10.17.orig.tar.gz
570dc6867cec64bf518391b4772675aaa4acc855 39232
botan1.10_1.10.17-0.1.debian.tar.xz
ed63281a6bc5a5dbca0a9779d12e9c186284d73b 6043
botan1.10_1.10.17-0.1_source.buildinfo
Checksums-Sha256:
e3f2946165c929faff2503b12c5e53c6a6b26456cb7b197026517a6c8c7cd4c0 2072
botan1.10_1.10.17-0.1.dsc
6847ffb64b8d2f939dccfecc17bd2c80385d08f7621e2c56d3a335118e823613 2706678
botan1.10_1.10.17.orig.tar.gz
6861f873066b0d809735b1820e05c93427054fe6f42d3f338e5b1bcac9641405 39232
botan1.10_1.10.17-0.1.debian.tar.xz
3df4dde5a1c939c5695cc194089e64f96052de94b46a5ce03491d413a8dc0964 6043
botan1.10_1.10.17-0.1_source.buildinfo
Files:
6305dbbb936095251404257ca05332f8 2072 libs optional botan1.10_1.10.17-0.1.dsc
e5ed5dc70edd238c5a2116670b2cb3f3 2706678 libs optional
botan1.10_1.10.17.orig.tar.gz
8a211f35bea1ffb8696acecaf9f529de 39232 libs optional
botan1.10_1.10.17-0.1.debian.tar.xz
297f2a069ab5ee06c4b12ab5c5ae326d 6043 libs optional
botan1.10_1.10.17-0.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCAAuFiEEfRrP+tnggGycTNOSXBPW25MFLgMFAlnbQsYQHHplaGFAZGVi
aWFuLm9yZwAKCRBcE9bbkwUuA0xpEACjEGS/3Df1XOj9kpjETxoUzZ+IjLmtimE1
9AdnYrP8NQCnEka1c5DFewk64/hCGW4SDPqxvvGwTrX6DRQsKYrcuzZFd+WJWmbl
mjvVvderpQbEOCezV2BL3gKj6cXU8rnT/wzreHBtODAkMX/onqu8YMAOX7HXHE8u
8GoNS7pak0TGozIqtyqBmomZGPWkZ5b5ZtGlrBY5tgYB4uCAZA51CEXlqPjgOTVG
GGbiS0zhgV9lUoLzX4tlgS+Hd6KeSPJspMdvyH9wD1wYrA0L5yCJ+Rj8A3RSKGv7
dn7yKWNv9pOiAHOsD7OOzhF5/0GdNByUJmIyYwJIdutZgL0lIYxUrSGUmH3TAuVl
5lSi8RpUciLUeFcR71xwqI9nzVrSUKzdwh4MAkw2QSkSApPUbFZYH35fqulO3VxO
GvZz8TV4DHmab3C6yq8/eOVm9QLZJDR2Syn6Fgl1rloVyir1F/4KQA/1Snt3mNIs
YO8z6+graHkq/3if7TMfyeGUBtCUxVaUgtzpeH4bIzz5mkWt1bdt8KCytO2g+Qh7
K166wcqtNkjb0smp8NSqqE63FsJkDC6TxwqV91DOB6X4rDAHLSzK4RWqYfaD9XD+
ra22QzAWfc2CvXRVgX0g0DVZZcWxUH+3CcrCcEnYDe4OKyQ0sQIKYkqwub+iK+A2
lYRV/+H1SA==
=uOOn
-----END PGP SIGNATURE-----
--- End Message ---