Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5e25880 by Salvatore Bonaccorso at 2018-03-28T21:36:45+02:00
Revert "Update status for CVE-2017-3737, thanks Q_"

This reverts commit 1ed0c93154024f687c6d2531190c129a4925763c.

1.0.2b introduced a hardening mechanism designed to protect against bugs
in application code. This CVE applies to the hardening mechanism being
incomplete. OpenSSL versions older than 1.0.2b don't have the hardening
mechanism at all.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -65376,15 +65376,13 @@ CVE-2017-3738 (There is an overflow bug in the AVX2 
Montgomery multiplication ..
 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an 
"error ...)
        {DSA-4065-1}
        - openssl 1.1.0b-2
-       [jessie] - openssl <postponed> (Can be fixed with next OpenSSL advisory 
round)
-       [wheezy] - openssl <postponed> (Can be fixed with next OpenSSL advisory 
round)
+       [jessie] - openssl <not-affected> (Issue introduced in 1.0.2b)
+       [wheezy] - openssl <not-affected> (Issue introduced in 1.0.2b)
        - openssl1.0 1.0.2n-1
        NOTE: Not fully correct tracking, the issue just does not affect 
OpenSSL 1.1.0
        NOTE: thus mark as fixed in the first 1.1.0 version which entered 
unstable.
        NOTE: https://www.openssl.org/news/secadv/20171207.txt
        NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc
-       NOTE: From the maintainer: Versions before 1.0.2b always had the 
problem, in 1.0.2b
-       NOTE: it was attempted to get this fixed but the fix was incomplete.
 CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery 
squaring ...)
        {DSA-4017-1}
        - openssl 1.1.0g-1
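
Review bot: On the [jessie] and [wheezy] lines, "<not-affected> (Issue introduced in 1.0.2b)" is the only rationale left in the entry once the two "From the maintainer" NOTE lines are removed, and it does not say what the commit message says: that versions older than 1.0.2b do not have the hardening mechanism at all, and the CVE covers only that mechanism being incomplete. Someone reading data/CVE/list alone could take not-affected to mean those releases are protected against the application bugs the mechanism is meant to guard against. Consider replacing the removed NOTEs with one that records this, for example "NOTE: Versions before 1.0.2b lack the hardening mechanism entirely; this CVE only covers the hardening being incomplete."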



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5e25880444b07c4e30a31fef3954ac133ee024c
