Accepted openssl 1.0.1t-1+deb8u11 (source all amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Mar 2019 16:25:39 +0100
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl    - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (1.0.1t-1+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-1559:
     Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
     oracle attack in OpenSSL.
     If an application encounters a fatal protocol error and then calls
     SSL_shutdown() twice (once to send a close_notify, and once to receive one)
     then OpenSSL can respond differently to the calling application if a 0 byte
     record is received with invalid padding compared to if a 0 byte record is
     received with an invalid MAC. If the application then behaves differently
     based on that in a way that is detectable to the remote peer, then this
     amounts to a padding oracle that could be used to decrypt data.
 .
     In order for this to be exploitable "non-stitched" ciphersuites must be in
     use. Stitched ciphersuites are optimised implementations of certain
     commonly used ciphersuites. Also the application must call SSL_shutdown()
     twice even if a protocol error has occurred (applications should not do
     this but some do anyway). AEAD ciphersuites are not impacted.
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
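
Added example (not part of the upload notice or of OpenSSL): a Python script that sorts `openssl ciphers -v` output into AEAD suites, which the changelog above says are not impacted, and CBC suites, which are the ones to review on hosts still running a version older than 1.0.1t-1+deb8u11. The sample lines are constructed; whether a CBC suite is "stitched" cannot be read from this output, so every CBC suite is listed.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`
# (not captured from a real host).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def classify(line):
    """Return (suite_name, category) for one cipher line, or None otherwise."""
    parts = line.split()
    fields = dict(FIELD.findall(line))
    enc, mac = fields.get("Enc"), fields.get("Mac")
    if not parts or enc is None or mac is None:
        return None  # blank line, banner or anything that is not a cipher row
    if mac == "AEAD":
        return parts[0], "aead"  # not impacted according to the changelog
    if enc.startswith(("RC4", "None")):
        # Stream or NULL suite: no CBC padding (weak for other reasons).
        return parts[0], "no-cbc-padding"
    # Remaining suites are block ciphers in CBC mode with a separate MAC.
    return parts[0], "cbc"


def audit(text):
    """Group suite names by category, keeping the order of the input."""
    groups = {"aead": [], "cbc": [], "no-cbc-padding": []}
    for line in text.splitlines():
        result = classify(line)
        if result:
            groups[result[1]].append(result[0])
    return groups


if __name__ == "__main__":
    for category, names in audit(SAMPLE).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

To audit a real host, pass the text printed by `openssl ciphers -v` with the server's configured cipher string to `audit()` instead of `SAMPLE`.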