On 09/12/19 3:00 pm, Utkarsh Gupta wrote: > Hi, > > On 09/12/19 2:48 pm, Sylvain Beucler wrote: >> Hi, >> >> On 09/12/2019 10:13, Utkarsh Gupta wrote: >>> Here's what lead to this commit: >>> >>> - The upstream fix[1] provides a patch which is in the >>> crypto/bn/asm/rsaz-x86_64.pl file. >>> - Going back to the git history of this file, it leads to this >>> commit[2], where the RSAZ assembly modules were first added. >>> - The above commit[2] has been tagged as "OpenSSL_1_1_0-pre1". >>> >> But the commit was cherry-picked to 1.0.2, and possibly other versions: >> https://github.com/openssl/openssl/commit/d5572bdc6432b900b669a0333fc2024b0cb0bc20 >>> - Still to double check, I went to the release tag of the version in >>> Jessie (that is, 1.0.1t), which leads to here[3]. >>> - Checking the files in this release, there's no RSAZ assembly modules >>> added here, which indeed confirms that the version in Jessie is >>> actually not affected, since the affected modules were added in the >>> later release. >>> >> So the reason is that the code is not present in 1.0.1t, not that it's >> never present in < 1.1.0-pre1. > Ah, I should've been clearer. They have an unusual way of releasing that > rather confused me. Most of the 1.0.2(x) releases were after 1.1.0-pre1. Anyway, here's more clear summary (also on the tracker now): Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t). > Thanks, indeed. I'll fix the note. Fixed! Best, Utkarsh
Attachment:
signature.asc
Description: OpenPGP digital signature