Your message dated Sun, 26 Jun 2022 20:10:08 +0000
with message-id <e1o5ya8-0001pg...@fasolo.debian.org>
and subject line Bug#1012512: fixed in libengine-gost-openssl 3.0.1-1
has caused the Debian Bug report #1012512,
regarding libengine-gost-openssl1.1: CVE-2022-29242
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1012512: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012512
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libengine-gost-openssl1.1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for libengine-gost-openssl1.1.
CVE-2022-29242[0]:
| GOST engine is a reference implementation of the Russian GOST crypto
| algorithms for OpenSSL. TLS clients using GOST engine when ciphersuite
| `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC` is agreed and the
| server uses 512 bit GOST secret keys are vulnerable to buffer
| overflow. GOST engine version 3.0.1 contains a patch for this issue.
| Disabling ciphersuite `TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC`
| is a possible workaround.
https://github.com/gost-engine/engine/security/advisories/GHSA-2rmw-8wpg-vgw5
Patches:
https://github.com/gost-engine/engine/commit/7df766124f87768b43b9e8947c5a01e17545772c (v3.0.1)
https://github.com/gost-engine/engine/commit/b2b4d629f100eaee9f5942a106b1ccefe85b8808 (v3.0.1)
https://github.com/gost-engine/engine/commit/c6655a0b620a3e31f085cc906f8073fe81b2fad3 (v3.0.1)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29242
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29242
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libengine-gost-openssl
Source-Version: 3.0.1-1
Done: Wartan Hachaturow <w...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libengine-gost-openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1012...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Wartan Hachaturow <w...@debian.org> (supplier of updated libengine-gost-openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 13 Jun 2022 00:38:39 +0300
Source: libengine-gost-openssl
Binary: gostsum gostsum-dbgsym libengine-gost-openssl libengine-gost-openssl-dbgsym libengine-gost-openssl1.1
Architecture: source amd64
Version: 3.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Wartan Hachaturow <w...@debian.org>
Changed-By: Wartan Hachaturow <w...@debian.org>
Description:
gostsum - Utility to compute GOST hashes
libengine-gost-openssl - Loadable module for openssl implementing GOST algorithms
libengine-gost-openssl1.1 - dummy package for upgrades from libengine-gost-openssl1.1
Closes: 1012512
Changes:
libengine-gost-openssl (3.0.1-1) unstable; urgency=medium
.
* Wohoo-my-gpg-key-works-again release
* Upgrade to OpenSSL 3.0 engine branch, rename package
* Fix for CVE-2022-29242 (Closes: #1012512)
* Deprecate 1.1 package version.
* Update debian/copyright
--- End Message ---