[Pkg-openssl-devel] Bug#1101730: openssl: ppc64el: upstream fixed Minerva timing side-channel signal for ECC p384

Hector Oron Martinez zumbi at debian.org
Mon Mar 31 10:02:20 BST 2025


Package: openssl
Version: 3.4.1-1
Severity: important
Tags: security
X-Debbugs-Cc: debian-powerpc at lists.debian.org, zumbi at debian.org, Debian Security Team <team at security.debian.org>
User: debian-powerpc at lists.debian.org
Usertags: ppc64el

Hello,

The OpenSSL maintainers discovered a timing side channel vulnerability in OpenSSL's P-384 implementation when used with ECDSA.  The PPC issue is discussed publicly here: https://github.com/openssl/openssl/issues/24253 and the generic issue is discussed here: https://github.com/openssl/openssl/issues/23860

PR link with fix - https://github.com/openssl/openssl/pull/26709

The last comment says - Merged to the master, 3.5, 3.4, 3.3 and 3.2 branches.

Regards


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.17-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=ca_ES:ca
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6       2.41-6
ii  libssl3t64  3.4.1-1

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20241223

-- no debconf information


