Hi Utkarsh, You wrote for CVE-2019-1551: + [jessie] - openssl <not-affected> (Only affects OpenSSL > 1.1.0-pre1) However the advisory says: https://www.openssl.org/news/secadv/20191206.txt "OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue." So the status for 1.0.1 (jessie, wheezy) isn't clear. Can you add more elements to your triage?
Here's what lead to this commit:
- The upstream fix provides a patch which is in the crypto/bn/asm/rsaz-x86_64.pl file.
- Going back to the git history of this file, it leads to this commit, where the RSAZ assembly modules were first added.
- The above commit has been tagged as "OpenSSL_1_1_0-pre1".
- Still to double check, I went to the release tag of the version in Jessie (that is, 1.0.1t), which leads to here.
- Checking the files in this release, there's no RSAZ assembly modules added here, which indeed confirms that the version in Jessie is actually not affected, since the affected modules were added in the later release.
Hope that makes sense?
P.S. Sent the same to the security team as well.
Description: OpenPGP digital signature