Bug#1107322: unblock: libcrypt-openssl-rsa-perl/0.35-1
gregor herrmann
gregoa at debian.org
Thu Jun 5 15:52:05 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libcrypt-openssl-rsa-perl at packages.debian.org, carnil at debian.org
Control: affects -1 + src:libcrypt-openssl-rsa-perl
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package libcrypt-openssl-rsa-perl.
libcrypt-openssl-rsa-perl is a key package, otherwise it would
already have migrated.
0.35-1 fixes a security issue which was considered "minor" by the
security team for bookworm/bullseye/buster, but both they and we would
like to see the fix in trixie nevertheless:
https://bugs.debian.org/1066969
"CVE-2024-2467: vulnerable to the Marvin Attack"
https://security-tracker.debian.org/tracker/CVE-2024-2467
"A timing-based side-channel flaw exists in the
perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover
plaintext across a network in a Bleichenbacher-style attack. To
achieve successful decryption, an attacker would have to be able to
send a large number of trial messages. The vulnerability affects the
legacy PKCS#1v1.5 RSA encryption padding mode."
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/pull/58
"Disable PKCS#1 v1.5 padding"
The package passes all tests and checks and the excuses page is
happy. It also has been in unstable for 4 weeks without any reported
issues. Neither have any new issues been reported upstream:
https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues
The complete debdiff looks a bit long, as there are unfortunately all
kinds of documentation changes, upstream build and test tweaks, or
changes for other operating systems involved. (Attached as
libcrypt-openssl-rsa-perl_0.35-1.diff.gz.)
I went through all commits, and there are actually just two bug fixes
which seem relevant and both are 2-line code changes: Attached as
0001-*.patch
Cheers,
gregor
unblock libcrypt-openssl-rsa-perl/0.35-1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libcrypt-openssl-rsa-perl_0.35-1.diff.gz
Type: application/gzip
Size: 13699 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250605/c471c423/attachment-0001.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Pass-NULL-to-EVP_PKEY_CTX_new_from_pkey-not-a-random.patch
Type: application/mbox
Size: 838 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250605/c471c423/attachment-0002.mbox>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Disable-PKCS-1-v1.5-padding.patch
Type: application/mbox
Size: 2750 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250605/c471c423/attachment-0003.mbox>
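A defender-side migration check, added here as an illustration and not part of the bug report or the upstream patches: it shows the legacy PKCS#1 v1.5 mode that CVE-2024-2467 concerns next to the OAEP mode that replaces it, using only Crypt::OpenSSL::RSA's documented public API. The key and message are constructed, and the exact error text produced on 0.35 is assumed, not quoted from the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# Constructed demo key; a real deployment loads its own PEM key instead.
my $priv = Crypt::OpenSSL::RSA->generate_key(2048);
my $pub  = Crypt::OpenSSL::RSA->new_public_key($priv->get_public_key_string());

my $plaintext = "constructed sample message";

# Legacy PKCS#1 v1.5 padding: the mode the Marvin attack targets.
# Versions before 0.35 accept it; 0.35 disables it, so on a fixed build
# this eval is expected to fail (error message assumed, not from the page).
my $legacy_ct = eval {
    $pub->use_pkcs1_padding();
    $pub->encrypt($plaintext);
};
if (defined $legacy_ct) {
    print "PKCS#1 v1.5: still accepted (pre-0.35 module)\n";
} else {
    print "PKCS#1 v1.5: disabled by the module: $@";
}

# Corrected setting: EME-OAEP (PKCS#1 v2.0) padding, which is also the
# module's default. Both sides must use the same padding mode.
$pub->use_pkcs1_oaep_padding();
$priv->use_pkcs1_oaep_padding();
my $ct = $pub->encrypt($plaintext);
my $pt = $priv->decrypt($ct);
die "OAEP round trip failed\n" unless $pt eq $plaintext;
print "OAEP round trip OK\n";
```

Running this against the 0.35-1 package should print the "disabled" line for the legacy branch and "OAEP round trip OK" for the corrected one; code that still calls use_pkcs1_padding() for encryption or decryption needs to be migrated before the upgrade.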