[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2018-0735 as not-affected for openssl1.0
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 23 04:59:21 GMT 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
02e6e8b0 by Salvatore Bonaccorso at 2018-11-23T04:57:14Z
Mark CVE-2018-0735 as not-affected for openssl1.0
From IRC discussion:
< bigeasy> for CVE-2018-0735 I would remove openssl1.0 because it was fixed as part of CVE-2018-5407. Any objections?
< jmm_> bigeasy: sounds good
< carnil> or actually track it as fixed with the same version?
< bigeasy> DLA did that but upstream never release an advisory for 1.0.2. Only 1.1.0 and 1.1.1. And then they backported the whole function which already included CVE-2018-0735.
< bigeasy> but if you want I can instead mark in the changelog for 1.0.2. it is up to you guys
< Q_> bigeasy: As far as I know, those CVEs have nothing to do with each other?
< bigeasy> well. CVE-2018-0735 does a +1 -> +2 in one place and this function gets copied as part of CVE-2018-5407.
< bigeasy> so there is that. however CVE-2018-0735 somehow ended in the security-tracker for 1.0.2/openssl1.0 and I just asked for permission to remove it
< Q_> Right, the vulnerable code was never present in 1.0.2.
As such, add the src:openssl1.0 source package back, but make clear
why it is not affected, as the vulnerable code never landed in a 1.0.2
release.
Partially reverts 12615d5f9f41 ("Remove CVE-2018-0735 from openssl1.0").
- - - - -
157bb201 by Salvatore Bonaccorso at 2018-11-23T04:58:06Z
Four CVEs fixed in openssl1.0 via unstable upload
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -37839,7 +37839,7 @@ CVE-2018-5408
CVE-2018-5407 (Simultaneous Multi-threading (SMT) in processors can enable local ...)
{DLA-1586-1}
- openssl 1.1.1~~pre9-1
- - openssl1.0 <unfixed>
+ - openssl1.0 1.0.2q-1
NOTE: https://www.openssl.org/news/secadv/20181112.txt
NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b18162a7c9bbfb57112459a4d6631fa258fd8c0c
NOTE: https://www.openwall.com/lists/oss-security/2018/11/01/4
@@ -51972,7 +51972,7 @@ CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...
- openssl 1.1.0h-3 (low; bug #895844)
[stretch] - openssl <postponed> (Can wait for next DSA and upstream release)
[wheezy] - openssl <postponed> (Can wait for next update)
- - openssl1.0 <unfixed> (low; bug #895845)
+ - openssl1.0 1.0.2q-1 (low; bug #895845)
[stretch] - openssl1.0 <postponed> (Can wait for next DSA and upstream release)
NOTE: https://www.openssl.org/news/secadv/20180416.txt
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
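Review bot: the openssl1.0 entry now records 1.0.2q-1 as the fixing version for CVE-2018-0737, but the only upstream reference visible in this hunk is the OpenSSL_1_1_0-stable commit (6939eab03a6e23d2bd2c3f5e34fe1d48e542e787); a matching OpenSSL_1_0_2-stable commit NOTE, as the CVE-2018-5407 and CVE-2018-0732 entries carry, would let a reader verify that the 1.0.2q import actually contains the RSA key-generation fix. Leaving the stretch openssl1.0 line at `<postponed>` is consistent with an unstable-only upload.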
@@ -51984,6 +51984,7 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulner
{DLA-1586-1}
- openssl 1.1.1a-1
[stretch] - openssl <postponed> (Wait for next DSA and upstream release)
+ - openssl1.0 <not-affected> (Vulnerable code never present in 1.0.2 series)
NOTE: https://www.openssl.org/news/secadv/20181029.txt
NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=56fb454d281a023b3f950d969693553d3f3ceea1
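Review bot: the `<not-affected>` reason "Vulnerable code never present in 1.0.2 series" matches the IRC conclusion in the commit message, but the rationale recorded there is more specific: the affected function arrived in 1.0.2 already carrying the +1 -> +2 change from CVE-2018-0735, because it was copied wholesale as part of the CVE-2018-5407 backport (OpenSSL_1_0_2-stable commit b18162a7c9bbfb57112459a4d6631fa258fd8c0c). Consider adding a NOTE line with that reference so the not-affected status is self-explanatory without consulting the commit log, and so the entry is not re-marked `<unfixed>` the next time this CVE is reviewed.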
@@ -51991,7 +51992,7 @@ CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be vulnerab
- openssl 1.1.1a-1
[stretch] - openssl <postponed> (Wait for next DSA and upstream release)
[jessie] - openssl <postponed> (vulnerable code not present, but see note below)
- - openssl1.0 <unfixed>
+ - openssl1.0 1.0.2q-1
[stretch] - openssl1.0 <postponed> (Wait for next DSA and upstream release)
NOTE: https://www.openssl.org/news/secadv/20181030.txt
NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
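Review bot: the jessie openssl line in context states "vulnerable code not present, but see note below" for that release, while openssl1.0 (1.0.2) is now marked fixed in 1.0.2q-1 with only the OpenSSL_1_1_1-stable commit (8abfe72e8c1de1b95f50aa0d9134803b4d00070f) visible as a reference in this hunk; adding the OpenSSL_1_0_2-stable commit NOTE would document which 1.0.2 change the 1.0.2q-1 fix corresponds to and make the contrast between the jessie "not present" and the 1.0.2 "fixed" status easy to check.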
@@ -52014,7 +52015,7 @@ CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ...)
{DLA-1449-1}
- openssl 1.1.1-1 (low)
[stretch] - openssl <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
- - openssl1.0 <unfixed> (low)
+ - openssl1.0 1.0.2q-1 (low)
[stretch] - openssl1.0 <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ea7abeeabf92b7aca160bdd0208636d4da69f4f4
NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=3984ef0b72831da8b3ece4745cac4f8575b19098
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/78575bd3ae229c18de627e33aeaddd26c0a6af3e...157bb2011c4dcfc5c630a4f1353b0f8672d80d65