Accepted openssl 1.0.1t-1+deb8u12 (source all amd64) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 25 Sep 2019 19:47:32 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (1.0.1t-1+deb8u12) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-1547:
     Normally in OpenSSL EC groups always have a co-factor present and this is
     used in side channel resistant code paths. However, in some cases, it is
     possible to construct a group using explicit parameters (instead of using a
     named curve). In those cases it is possible that such a group does not have
     the cofactor present. This can occur even where all the parameters match a
     known named curve. If such a curve is used then OpenSSL falls back to
     non-side channel resistant code paths which may result in full key recovery
     during an ECDSA signature operation. In order to be vulnerable an attacker
     would have to have the ability to time the creation of a large number of
     signatures where explicit parameters with no co-factor present are in use
     by an application using libcrypto. For the avoidance of doubt libssl is not
     vulnerable because explicit parameters are never used.
   * Fix CVE-2019-1563:
     In situations where an attacker receives automated notification of the
     success or failure of a decryption attempt an attacker, after sending a
     very large number of messages to be decrypted, can recover a CMS/PKCS7
     transported encryption key or decrypt any RSA encrypted message that was
     encrypted with the public RSA key, using a Bleichenbacher padding oracle
     attack. Applications are not affected if they use a certificate together
     with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
     select the correct recipient info to decrypt.
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
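
The CVE-2019-1547 entry above concerns EC groups supplied as explicit parameters with no cofactor. As an added example (not part of this upload or of OpenSSL's code), the following Python check classifies DER-encoded ECParameters so that keys using such groups can be flagged for review; the function names and sample encodings are constructed for illustration, and the explicit samples use toy curve values that are only structurally valid.

```python
# Added example: classify DER-encoded ECParameters (RFC 3279 ECParameters CHOICE).
# All sample encodings are constructed; the explicit ones use toy curve values.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE contents into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_ec_parameters(der):
    """Return 'named', 'implicit', 'explicit' or 'explicit-no-cofactor'."""
    tag, value, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing data after ECParameters")
    if tag == 0x06:   # OBJECT IDENTIFIER -> named curve
        return "named"
    if tag == 0x05:   # NULL -> implicitlyCA
        return "implicit"
    fields = children(value) if tag == 0x30 else []
    # Explicit form: version, fieldID, curve, base, order, cofactor OPTIONAL
    if [t for t, _ in fields[:5]] != [0x02, 0x30, 0x30, 0x04, 0x02]:
        raise ValueError("not a recognised ECParameters encoding")
    has_cofactor = len(fields) > 5 and fields[5][0] == 0x02
    return "explicit" if has_cofactor else "explicit-no-cofactor"

NAMED_P256 = bytes.fromhex("06082a8648ce3d030107")   # OID prime256v1
_BODY = bytes.fromhex("020101"                        # version 1
                      "300c06072a8648ce3d0101020117"  # prime field, p = 23
                      "3006040101040101"              # a = 1, b = 1
                      "0403040001"                    # base point (0, 1)
                      "020107")                       # order = 7
EXPLICIT_NO_COFACTOR = bytes([0x30, len(_BODY)]) + _BODY
_FULL = _BODY + bytes.fromhex("020104")               # cofactor = 4
EXPLICIT_WITH_COFACTOR = bytes([0x30, len(_FULL)]) + _FULL
```

The input to classify_ec_parameters is the parameters element taken from an EC key's or certificate's algorithm identifier; a result of 'explicit-no-cofactor' marks the case the changelog entry describes.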