Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: f5e25880 by Salvatore Bonaccorso at 2018-03-28T21:36:45+02:00 Revert "Update status for CVE-2017-3737, thanks Q_" This reverts commit 1ed0c93154024f687c6d2531190c129a4925763c. 1.0.2b introduced a hardening mechanism designed to protect against bugs in application code. This CVE applies to the hardening mechanism being incomplete. OpenSSL versions older than 1.0.2b don't have the hardening mechanism at all. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list 
@@ -65376,15 +65376,13 @@ CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication .. CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error ...) {DSA-4065-1} - openssl 1.1.0b-2 - [jessie] - openssl <postponed> (Can be fixed with next OpenSSL advisory round) - [wheezy] - openssl <postponed> (Can be fixed with next OpenSSL advisory round) + [jessie] - openssl <not-affected> (Issue introduced in 1.0.2b) + [wheezy] - openssl <not-affected> (Issue introduced in 1.0.2b) - openssl1.0 1.0.2n-1 NOTE: Not fully correct tracking, the issue just does not affect OpenSSL 1.1.0 NOTE: thus mark as fixed in the first 1.1.0 version which entered unstable. NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc - NOTE: From the maintainer: Versions before 1.0.2b always had the problem, in 1.0.2b - NOTE: it was attempted to get this fixed but the fix was incomplete. CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring ...) {DSA-4017-1} - openssl 1.1.0g-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5e25880444b07c4e30a31fef3954ac133ee024c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5e25880444b07c4e30a31fef3954ac133ee024c You're receiving this email because of your account on salsa.debian.org.
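Review bot: The two removed NOTE lines at the end of the CVE-2017-3737 entry ("From the maintainer: Versions before 1.0.2b always had the problem ...") are dropped without a replacement, so the reason jessie and wheezy move from <postponed> to <not-affected> is recorded only in the commit message. Consider adding a NOTE to the entry saying that the hardening mechanism was introduced in 1.0.2b and that older versions do not have it at all, so that data/CVE/list itself explains "(Issue introduced in 1.0.2b)" and shows that the earlier maintainer statement was deliberately withdrawn rather than lost.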