Skip to content
Commits on Source (2)
  • Salvatore Bonaccorso's avatar
    Mark CVE-2018-0735 as not-affected for openssl1.0 · 02e6e8b0
    Salvatore Bonaccorso authored 
    From IRC discussion:

	< bigeasy> for CVE-2018-0735 I would remove openssl1.0 because it was fixed as part of CVE-2018-5407. Any objections?
	< jmm_> bigeasy: sounds good
	< carnil> or actually track it as fixed with the same version?
	< bigeasy> DLA did that but upstream never release an advisory for 1.0.2. Only 1.1.0 and 1.1.1. And then they backported the whole function which already included CVE-2018-0735.
	< bigeasy> but if you want I can instead mark in the changelog for 1.0.2. it is up to you guys
	< Q_> bigeasy: As far as I know, those CVEs have nothing to do with each other?
	< bigeasy> well. CVE-2018-0735 does a +1 -> +2 in one place and this function gets copied as as part of CVE-2018-5407.
	< bigeasy> so there is that. however CVE-2018-0735 somehow ended in the securtiy-tracker for 1.0.2/openssl1.0 and I just asked for permission to remove it
	< Q_> Right, the vulnerable code was never present in 1.0.2.

As such add back the src:openssl1.0 source package back but make clear
why it is not affected as the vulnerable code never landed in a 1.0.2
release.

Partially reverts 12615d5f ("Remove CVE-2018-0735 from openssl1.0").
    02e6e8b0
  • Salvatore Bonaccorso's avatar
    Four CVEs fixed in openssl1.0 via unstable upload · 157bb201
    Salvatore Bonaccorso authored
    157bb201
Show whitespace changes
Inline Side-by-side
data/CVE/list
View file @ 157bb201
......@@ -37839,7 +37839,7 @@ CVE-2018-5408
CVE-2018-5407 (Simultaneous Multi-threading (SMT) in processors can enable local ...)
{DLA-1586-1}
- openssl 1.1.1~~pre9-1
- openssl1.0 <unfixed>
- openssl1.0 1.0.2q-1
NOTE: https://www.openssl.org/news/secadv/20181112.txt
NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b18162a7c9bbfb57112459a4d6631fa258fd8c0c
NOTE: https://www.openwall.com/lists/oss-security/2018/11/01/4
......@@ -51972,7 +51972,7 @@ CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...
- openssl 1.1.0h-3 (low; bug #895844)
[stretch] - openssl <postponed> (Can wait for next DSA and upstream release)
[wheezy] - openssl <postponed> (Can wait for next update)
- openssl1.0 <unfixed> (low; bug #895845)
- openssl1.0 1.0.2q-1 (low; bug #895845)
[stretch] - openssl1.0 <postponed> (Can wait for next DSA and upstream release)
NOTE: https://www.openssl.org/news/secadv/20180416.txt
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
......@@ -51984,6 +51984,7 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulner
{DLA-1586-1}
- openssl 1.1.1a-1
[stretch] - openssl <postponed> (Wait for next DSA and upstream release)
- openssl1.0 <not-affected> (Vulnerable code never present in 1.0.2 series)
NOTE: https://www.openssl.org/news/secadv/20181029.txt
NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=56fb454d281a023b3f950d969693553d3f3ceea1
......@@ -51991,7 +51992,7 @@ CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be vulnerab
- openssl 1.1.1a-1
[stretch] - openssl <postponed> (Wait for next DSA and upstream release)
[jessie] - openssl <postponed> (vulnerable code not present, but see note below)
- openssl1.0 <unfixed>
- openssl1.0 1.0.2q-1
[stretch] - openssl1.0 <postponed> (Wait for next DSA and upstream release)
NOTE: https://www.openssl.org/news/secadv/20181030.txt
NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f
......@@ -52014,7 +52015,7 @@ CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ...)
{DLA-1449-1}
- openssl 1.1.1-1 (low)
[stretch] - openssl <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
- openssl1.0 <unfixed> (low)
- openssl1.0 1.0.2q-1 (low)
[stretch] - openssl1.0 <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ea7abeeabf92b7aca160bdd0208636d4da69f4f4
NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=3984ef0b72831da8b3ece4745cac4f8575b19098