[Git][security-tracker-team/security-tracker][master] change status of CVE-2018-0734 in Jessie

Thorsten Alteholz alteholz at debian.org
Mon Nov 19 15:05:43 GMT 2018 

Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6a2c032e by Thorsten Alteholz at 2018-11-19T14:56:23Z
change status of CVE-2018-0734 in Jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -51673,13 +51673,18 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulner
 CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be vulnerable to ...)
 	- openssl <unfixed>
 	[stretch] - openssl <postponed> (Wait for next DSA and upstream release)
-	[jessie] - openssl <not-affected> (vulnerable code not present)
+	[jessie] - openssl <postponed> (vulnerable code not present, but see note below)
 	- openssl1.0 <unfixed>
 	[stretch] - openssl1.0 <postponed> (Wait for next DSA and upstream release)
 	NOTE: https://www.openssl.org/news/secadv/20181030.txt
 	NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
 	NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7
 	NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=43e6a58d4991a451daf4891ff05a48735df871ac
+	NOTE: Actually the version in Jessie is not vulnerable. Nevertheless there is a bug fix which
+	NOTE: futher reduces the amount of leaked timing information. It got no CVE on its own and
+	NOTE: introduced this vulnerability. In order to not forget this issue and probably get more
+	NOTE: information about it later, it is marked as <postponed> instead of <not-affected>
+	NOTE: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=b96bebacfe814deb99fb64a3ed2296d95c573600
 CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp function is ...)
 	- openssl 1.1.0h-1 (unimportant)
 	[stretch] - openssl 1.1.0f-3+deb9u2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a2c032eb658a1667d469eb63b133bcba3748b2a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a2c032eb658a1667d469eb63b133bcba3748b2a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181119/8f2e74d8/attachment.html>

More information about the debian-security-tracker-commits mailing list