[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Revert "Update status for CVE-2017-3737, thanks Q_"

Salvatore Bonaccorso carnil at debian.org
Wed Mar 28 19:37:22 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5e25880 by Salvatore Bonaccorso at 2018-03-28T21:36:45+02:00
Revert "Update status for CVE-2017-3737, thanks Q_"

This reverts commit 1ed0c93154024f687c6d2531190c129a4925763c.

1.0.2b introduced a hardening mechanism designed to protect against bugs
in application code. This CVE applies to the hardening mechanism being
incomplete. OpenSSL versions older than 1.0.2b don't have the hardening
mechanism at all.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -65376,15 +65376,13 @@ CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication ..
 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error ...)
 	{DSA-4065-1}
 	- openssl 1.1.0b-2
-	[jessie] - openssl <postponed> (Can be fixed with next OpenSSL advisory round)
-	[wheezy] - openssl <postponed> (Can be fixed with next OpenSSL advisory round)
+	[jessie] - openssl <not-affected> (Issue introduced in 1.0.2b)
+	[wheezy] - openssl <not-affected> (Issue introduced in 1.0.2b)
 	- openssl1.0 1.0.2n-1
 	NOTE: Not fully correct tracking, the issue just does not affect OpenSSL 1.1.0
 	NOTE: thus mark as fixed in the first 1.1.0 version which entered unstable.
 	NOTE: https://www.openssl.org/news/secadv/20171207.txt
 	NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc
-	NOTE: From the maintainer: Versions before 1.0.2b always had the problem, in 1.0.2b
-	NOTE: it was attempted to get this fixed but the fix was incomplete.
 CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring ...)
 	{DSA-4017-1}
 	- openssl 1.1.0g-1
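Review bot: The new `<not-affected>` lines for jessie and wheezy carry only "(Issue introduced in 1.0.2b)", and the two NOTE lines removed at the end of the CVE-2017-3737 entry recorded a different reading ("Versions before 1.0.2b always had the problem"), so after this change the entry itself gives no rationale for the status flip. The commit message's explanation, that the CVE concerns the hardening mechanism being incomplete and that versions older than 1.0.2b do not have that mechanism at all, would be worth a short NOTE line in the entry so a later triager can see why jessie and wheezy are not tracked as affected without reading the commit history.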



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5e25880444b07c4e30a31fef3954ac133ee024c
