Hi Sylvain,
Hi Utkarsh,
You wrote for CVE-2019-1551:
+ [jessie] - openssl <not-affected> (Only affects OpenSSL > 1.1.0-pre1)
However the advisory says:
https://www.openssl.org/news/secadv/20191206.txt
"OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue."
So the status for 1.0.1 (jessie, wheezy) isn't clear. Can you add more elements to your triage?
Sure thing.
Here's what led to this commit:
- The upstream fix[1] provides a patch which is in the
crypto/bn/asm/rsaz-x86_64.pl file.
- Going back to the git history of this file, it leads to this
commit[2], where the RSAZ assembly modules were first added.
- The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1".
- Still to double check, I went to the release tag of the version
in Jessie (that is, 1.0.1t), which leads to here[3].
- Checking the files in this release, there's no RSAZ assembly
modules added here, which indeed confirms that the version in
Jessie is actually not affected, since the affected modules were
added in the later release.
Hope that makes sense?
P.S. Sent the same to the security team as well.
Best,
Utkarsh
---
[1]:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
[2]:
https://github.com/openssl/openssl/commit/0b4bb91db65697ab6d3a0fc05b140887cbce3080#diff-e55cf156f8579e17800742c38b325e07
[3]:
https://github.com/openssl/openssl/releases/tag/OpenSSL_1_0_1t
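The triage steps in the reply (find the commit that first added the file the upstream fix touches, then check whether the release tag shipped in the distribution already contains that file) can be scripted with plain git. The following is an added example, not code from the thread or from OpenSSL; it builds a throwaway repository with constructed commits, and the tag names `v1-old` and `v2-new` are stand-ins for the real `OpenSSL_1_0_1t` and `OpenSSL_1_1_0-pre1` tags, not real history.

```shell
#!/bin/sh
# Added example (not from the thread): script the "does this release tag
# already contain the file touched by the upstream fix?" triage step.
# The repository below is constructed; its tags and commits are placeholders.

# first_commit_adding FILE -> hash of the commit that first added FILE
first_commit_adding() {
    git log --diff-filter=A --reverse --format=%H -- "$1" | head -n 1
}

# tag_has_file TAG FILE -> exit 0 if FILE exists in the tree at TAG, 1 otherwise
tag_has_file() {
    git cat-file -e "$1:$2" 2>/dev/null
}

# triage TAG FILE -> "affected" if the release at TAG ships FILE, else "not-affected"
triage() {
    if tag_has_file "$1" "$2"; then echo affected; else echo not-affected; fi
}

# Build the constructed repository in a temp dir and cd into it.
setup_repo() {
    dir=$(mktemp -d)
    cd "$dir" || exit 1
    git init -q .
    git config user.email "triage@example.invalid"
    git config user.name "Triage Example"
    mkdir -p crypto/bn
    echo "bn code" > crypto/bn/bn_lib.c
    git add . && git commit -q -m "initial tree"
    git tag v1-old            # stands in for the 1.0.1 release tag (no RSAZ modules)
    mkdir -p crypto/bn/asm
    echo "# RSAZ asm" > crypto/bn/asm/rsaz-x86_64.pl
    git add . && git commit -q -m "add RSAZ assembly modules"
    git tag v2-new            # stands in for the tag where RSAZ first appeared
}

setup_repo
FIX_FILE=crypto/bn/asm/rsaz-x86_64.pl

# Step 1: which commit introduced the file, and which tags contain that commit?
echo "introduced in: $(first_commit_adding "$FIX_FILE")"
echo "tags containing it: $(git tag --contains "$(first_commit_adding "$FIX_FILE")")"

# Step 2: per-release verdict for the file the fix patches.
echo "v1-old: $(triage v1-old "$FIX_FILE")"   # not-affected
echo "v2-new: $(triage v2-new "$FIX_FILE")"   # affected
```

On a real checkout you would run the same functions against the actual fix path and the distribution's release tag; `git cat-file -e TAG:PATH` is a cheap, exact test that the file existed in that tagged tree, independent of how the branch history was later rewritten.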